Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: Good random number source in oracle
On 23 Apr 2001 15:29:17 GMT, hjp_at_enkur.wsr.ac.at (Peter J. Holzer) wrote:
>dbms_random.initialize is called with a value computed from sysdate.
>Of course this isn't very random, so if somebody knows the algorithm and
>the (approximate) time when a password was created, he can easily
>compute the password. So I am looking for values which can be used as
>"real" random number sources, I.e. values which change often and cannot
>be guessed with sufficient accuracy from the outside. Things like number
>of sessions, bytes read or written since last startup, etc.
Hmmm, I thought if you hashed the number of seconds since midnight you'd have a good seed start. With your own "secret" hash function, of course.
But I suppose you could use the SCN. A good source is one of the V$ views, V$LOGHIST from memory. Might be a diff name in your particular version of Oracle.
Do a
SELECT NAME FROM V$FIXED_TABLE WHERE NAME LIKE 'V$LOG%';
logged in as SYS, to get all the log related views. Check their
contents for the one with the right stuff. No one can find those
values without logging in (they are not visible outside current
memory), which defeats the purpose of trying to break in by analyzing
time of creation of the uid and brute-forcing around it. They will be
stored in database data files eventually. But if you're concerned
about that, then you have a much bigger security problem than just
finding a good random seed number!
Just a way, there might be others.
Cheers
Nuno Souto
nsouto_at_bigpond.net.au.nospam
http://www.users.bigpond.net.au/the_Den/index.html
Received on Tue Apr 24 2001 - 06:08:43 CDT