#41, 10-03-2007, 12:36 PM
aerobatic
Junior Member
Join Date: Oct 2007
Posts: 11
Re: Shuffling at sites

I know I left some typos in my msg, but I assure you I'm not clueless on RNGs. My background includes RNG and system security work. I don't claim to be an expert, but some 'experts' on this site are anything but.

The main weakness of an RNG is in keeping the seed secure. Similarly, the weakness of using real world data to seed an RNG (or even a SHA-1 hash function) is that the real world data must be kept safe from tampering.

For instance, using thermal noise from a sensor to generate randomness falls apart if the location of the sensor is discovered and the ambient temperature can be affected. Mess with the air conditioning in the room where that sensor is located, or mess with the cooling or heating in the location, and you might influence the thermal noise.

There are those that think pointing a web cam at a lava lamp gives true random numbers, or pointing a solar telescope at sunspot activity. Google both of those if you don't believe me. All are genuinely truly random, but all are influenceable and capable of being affected by outside influence. If you put your mind to modifying the parameters by which they work, you can influence their results and make them much less random than their optimum operation. It's theoretically possible (but impractical), much the same as it's theoretically possible to predict the outcome of a PRNG, but extremely impractical and unlikely.

The weakness of using 'real world' data to reseed an RNG (frequently) is that this is the weakest point in the system and the place most likely to be compromised in the event of a security breach.

The PRNG itself, if continuously cycled, and if the seed is secure, is quite safe and certainly random enough to be used for shuffling cards with complete randomness. To put it in context, it's far, far more random than a dealer's shuffle in a poker room. And if mapped from the large RNG seed down into a shuffled deck of 52 playing cards, it will be practically impossible for anyone outside to discern the sequence of cards to follow. The well known case of a mistaken implementation of ages ago was not an RNG issue, but a system implementation issue. Any company that has presented their RNG for audit by a recognised RNG auditor will be properly scrutinised, in both operation and security of the RNG as well as the system implementation.

I'm not saying the PokerStars RNG is in any way insecure. I'm sure it's as secure as most other poker rooms' RNGs, and people here shouldn't be misled into believing that a PRNG is insecure and an RNG based on hashing of real-world data is somehow more secure.
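The post's two technical points, that the seed is what must be protected and that the seed is "mapped down" into one of the 52! deck orderings, can be made concrete. The example below is added here and is not code from the post or from any poker site: it computes how many seed bits a shuffle needs so that every ordering is reachable (a 32-bit seed reaches only 2^32 of them), and shows an unbiased Fisher-Yates shuffle fed from the OS CSPRNG, with the randomness source passed in as a parameter so the mapping itself can be inspected. The `rand_byte_fn` parameter name and the 16-bit rejection-sampling width are assumptions of this example.

```python
import math
import secrets

DECK_SIZE = 52


def min_seed_bits(n: int = DECK_SIZE) -> int:
    """Smallest seed width such that 2**bits >= n!, i.e. every ordering is reachable.

    Summing log2(k) avoids the float overflow that log2(math.factorial(n)) risks."""
    return math.ceil(sum(math.log2(k) for k in range(2, n + 1)))


def seed_coverage(seed_bits: int, n: int = DECK_SIZE) -> float:
    """Fraction of the n! orderings a seed of seed_bits bits can ever produce.

    This is the "system implementation" failure the post alludes to: a good
    generator behind a tiny seed still yields only 2**seed_bits distinct decks."""
    return min(1.0, (1 << seed_bits) / math.factorial(n))


def unbiased_index(bound: int, rand_byte_fn) -> int:
    """Uniform integer in [0, bound) via rejection sampling on 16-bit draws.

    A plain `r % bound` would favour low indices whenever 65536 is not a
    multiple of bound, which is a subtle bias in an otherwise sound shuffle."""
    limit = (1 << 16) - ((1 << 16) % bound)  # largest multiple of bound <= 65536
    while True:
        r = int.from_bytes(rand_byte_fn(2), "big")
        if r < limit:
            return r % bound


def shuffle(deck, rand_byte_fn=secrets.token_bytes):
    """Fisher-Yates shuffle; rand_byte_fn(n) must return n random bytes.

    Default is the OS CSPRNG (secrets.token_bytes); pass a different callable
    to audit the mapping from random bytes to deck order."""
    deck = list(deck)
    for i in range(len(deck) - 1, 0, -1):
        j = unbiased_index(i + 1, rand_byte_fn)  # j in [0, i] inclusive
        deck[i], deck[j] = deck[j], deck[i]
    return deck


if __name__ == "__main__":
    print("bits needed for 52!:", min_seed_bits())          # 226
    print("coverage of a 32-bit seed:", seed_coverage(32))  # ~5e-58
    print(shuffle(range(DECK_SIZE)))
```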