Before responding directly to your question, I would like to establish some parallels that will help in understanding the answer.
First, evaluate the sequences below and their corresponding formulas:
- `01010101010101010101010101` f(X) = NOT X
- `AAAAAAAAAAAAAAAAAAAAAAAAAA` f(X) = "A"
- `ABCDEFGHIJKLMNOPQRSTUVWXYZ` f(X) = CHAR(ASCII(X) + 1)
Without much work, we have come to the conclusion that the predictability (or deterministic definition) of these sequences is very high - or, conversely, that the entropy is very low.
But what is entropy? It is the measure of chaos in a system. The term was originally meant to describe thermodynamic systems, but the concept is also applicable to other domains - data, for example.
When we talk about the generation of random or pseudo-random content by computers, we are talking about formulas that generate values that have a distribution similar to that found in a system with high entropy and continuous uniform distribution.
An example of continuous uniform distribution of easy viewing is white noise, where distribution is seemingly impossible to be described with a deterministic formula - but where we can use statistics to describe density. This is a white noise bitmap generated on Random.org:
For comparison, this is the PHP rand() function bitmap as demonstrated by developer Bo Allen in a 2012 post on his personal blog titled Pseudo-random Vs. True random. Notice how easily you detect the generation pattern:
While in nature systems lose order and gain entropy, the reverse occurs in data systems. Whenever you 'generate' random numbers, you are stealing entropy from the system and introducing order.
As an example, let's assume that I have the following random string of letters via Random String Generator from random.org:
Key: JPVPUUWWJAZEEUMLXDVT
Which I use in a simple encryption formula, where I 'add' each position's variation from the letter A to the letter of my payload in the same position.
| Payload | Encrypted content |
|---|---|
| AAAAAAAAAAAAAAAAAAAA | JPVPUUWWJAZEEUMLXDVT |
| BBBBBBBBBBBBBBBBBBBB | KQWQVVXXKBAFFVNMYEWU |
But note that if my payload is equal to or greater than the key, I have zapped the system entropy. So, assume that I concatenate my key, for the following payload:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
My encrypted content would be:
JPVPUUWWJAZEEUMLXDVTJPVPUUWWJAZEEUMLXDVT^^^^^^
So I can easily detect the replay and predict the rest of the sequence.
From the security point of view, safe random functions are those that periodically recharge with entropy, in order to prevent predictability.
You can reload entropy in several ways; the best source of entropy is the real world. Some examples, which can be used together with a pseudo-random function in the form of seeds:
- Access Twitter trending topics. Get the last 128 tweets generated. Extract the day and time of each, convert to a byte array.
- Capture images from 2 or more public webcams around the world. Extract the MD5 from all of them. Convert to a byte array.
- Let your cat walk on the keyboard. Convert the generated characters to a byte array. (Add a hamster to the system for more data. Prevent abandonment of system scope with a box around all three.)
Each of these examples provides a different sample size and sample rate. The more random source data you insert into a hybrid system with a coupled pseudo-random generator, the smaller the pattern detection chances.
The answer, therefore, is no: you need to import entropy from an external system.
Sources: link
edit-disclaimer: Added the reference to the post where the image of the RAND() function was removed.
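To make the key-reuse point in the answer above concrete, here is an added Python example (it is not the answerer's code). It implements the same letter-shift scheme with the key quoted in the answer, reproduces the two table rows, and shows that once the payload outgrows the key the ciphertext repeats with a period equal to the key length, which is what makes the replay detectable. `find_period` and `fresh_key` are helpers written for this example; the 40-letter comparison key is a constructed value chosen so that it has no repeating period.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

# Key quoted in the answer (taken from random.org there).
KEY = "JPVPUUWWJAZEEUMLXDVT"

# Constructed 40-letter key with no internal repetition, used for comparison.
LONG_KEY = "MZKQHTBRXCVSWPLNDGAEUFJOIYKNVRBLQEXTSUCZ"


def _offset(ch):
    """Distance of an upper-case letter from 'A' (0..25)."""
    if ch not in ALPHABET:
        raise ValueError(f"not an upper-case letter: {ch!r}")
    return ALPHABET.index(ch)


def shift_encrypt(payload, key):
    """Add each key letter's offset from 'A' to the payload letter in the same
    position, wrapping past 'Z'. When the payload is longer than the key, the
    key is cycled, exactly as in the answer's concatenation example."""
    if not key:
        raise ValueError("empty key")
    out = []
    for i, ch in enumerate(payload):
        k = _offset(key[i % len(key)])
        out.append(ALPHABET[(_offset(ch) + k) % 26])
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Inverse of shift_encrypt: subtract the same offsets."""
    if not key:
        raise ValueError("empty key")
    out = []
    for i, ch in enumerate(ciphertext):
        k = _offset(key[i % len(key)])
        out.append(ALPHABET[(_offset(ch) - k) % 26])
    return "".join(out)


def find_period(s):
    """Smallest p < len(s) such that s[i] == s[i+p] for every valid i,
    i.e. the string is a repetition with period p. Returns None if the
    string never repeats inside its own length."""
    for p in range(1, len(s)):
        if all(s[i] == s[i + p] for i in range(len(s) - p)):
            return p
    return None


def fresh_key(n):
    """Key material from the OS CSPRNG, one letter per payload position, so
    the key never has to be cycled for a payload of length n."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def demo():
    """Reproduce the answer's table and its replay example."""
    short_payload = "A" * 20
    long_payload = "A" * 40
    return {
        "row_A": shift_encrypt(short_payload, KEY),
        "row_B": shift_encrypt("B" * 20, KEY),
        # Payload twice the key length: the key is cycled and the ciphertext
        # repeats, so the period of the output leaks the key length.
        "replay": shift_encrypt(long_payload, KEY),
        "replay_period": find_period(shift_encrypt(long_payload, KEY)),
        # Same payload under a key as long as the payload: no period.
        "long_key_period": find_period(shift_encrypt(long_payload, LONG_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the two table rows from the answer, the doubled ciphertext `JPVPUUWWJAZEEUMLXDVTJPVPUUWWJAZEEUMLXDVT` with period 20, and `None` for the 40-letter key, which is the difference between a reused key and one that is refreshed with as much key material as there is payload.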