Oracle FAQ Your Portal to the Oracle Knowledge Grid
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Good random number source in oracle

Re: Good random number source in oracle

From: Nuno Souto <nsouto_at_nsw.bigpond.net.au.nospam>
Date: Tue, 24 Apr 2001 11:08:43 GMT
Message-ID: <3ae55b65.8613894@news-server>

On 23 Apr 2001 15:29:17 GMT, hjp_at_enkur.wsr.ac.at (Peter J. Holzer) wrote:

>dbms_random.initialize is called with a value computed from sysdate.
>Of course this isn't very random, so if somebody knows the algorithm and
>the (approximate) time when a password was created, he can easily
>compute the password. So I am looking for values which can be used as
>"real" random number sources, i.e. values which change often and cannot
>be guessed with sufficient accuracy from the outside. Things like number
>of sessions, bytes read or written since last startup, etc.

Hmmm, I thought if you hashed the number of seconds since midnight you'd have a good seed start. With your own "secret" hash function, of course.

But I suppose you could use the SCN. A good source is one of the V$ views, V$LOGHIST from memory. Might be a diff name in your particular version of Oracle.

Do a

SELECT NAME FROM V$FIXED_TABLE WHERE NAME LIKE 'V$LOG%';

logged in as SYS, to get all the log related views. Check their contents for the one with the right stuff. No one can find those values without logging in (they are not visible outside current memory), which defeats the purpose of trying to break in by analyzing time of creation of the uid and brute-forcing around it. They will be stored in database data files eventually. But if you're concerned about that, then you have a much bigger security problem than just finding a good random seed number!

Just a way, there might be others.

Cheers
Nuno Souto
nsouto_at_bigpond.net.au.nospam
http://www.users.bigpond.net.au/the_Den/index.html

Received on Tue Apr 24 2001 - 06:08:43 CDT
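
The seed-space concern discussed in this thread, measured in an added example that is not part of the original post: a password derived from a seeded generator can carry no more entropy than the seed, however long the password is. Python's random.Random stands in for a seeded generator such as dbms_random, and the alphabet, password length and counter range are constructed assumptions.

```python
import math
import random
import secrets
import string

# Assumptions (constructed for illustration): password alphabet and length,
# and random.Random standing in for a seeded generator like dbms_random.
ALPHABET = string.ascii_letters + string.digits
PW_LEN = 10

def password_from_seed(seed: int) -> str:
    """Deterministic: the same seed always yields the same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))

def nominal_bits() -> float:
    """Entropy the password would have if every character were independent."""
    return PW_LEN * math.log2(len(ALPHABET))

def effective_bits(*source_sizes: int) -> float:
    """Upper bound on entropy when the seed mixes independent sources,
    each known to lie in a range of the given size."""
    return sum(math.log2(n) for n in source_sizes)

def distinct_passwords(seeds) -> int:
    """Number of different passwords a set of candidate seeds can produce."""
    return len({password_from_seed(s) for s in seeds})

def password_from_csprng() -> str:
    """Draw each character from the OS CSPRNG; there is no seed to estimate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PW_LEN))

if __name__ == "__main__":
    day = 24 * 60 * 60            # creation time known to within one day
    counter = 2 ** 20             # hypothetical range of an internal counter
    print(f"nominal:            {nominal_bits():.1f} bits")
    print(f"time seed only:     {effective_bits(day):.1f} bits")
    print(f"time + counter:     {effective_bits(day, counter):.1f} bits")
    print(f"passwords from one hour of seeds: {distinct_passwords(range(3600))}")
    print(f"CSPRNG sample:      {password_from_csprng()}")
```

Mixing a second value into the seed adds only as many bits as that value is uncertain to an outsider, so the comparison to make when reviewing a password generator is effective bits against nominal bits.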
