[Esapi-user] question about secure usage of randomizer class in .NET version of ESAPI

Yi Li yi.li26 at gmail.com
Thu Oct 28 14:40:10 EDT 2010


Greetings all:

I plan to use the randomizer class in .NET ESAPI and would appreciate it if some
insight could be provided.

My objective:
 to generate random passwords in a large batch (10 million plus) with the
randomizer class. These passwords need to be practically unpredictable
(random).
My concern:
   The underlying service provider in use is the Microsoft cryptographic
provider, which passes FIPS 140-2 validation.
   I plan to call the randomizer's method in a loop (10 million plus
iterations) to generate these passwords. As I understand it, the randomness of
the random numbers depends on the initial state (seed) of the PRNG. So if I
call 10 million plus iterations of the generator (which takes about 30
minutes to complete on my box), will this cause all these generated values
to use the same initial state and thus compromise the randomness? If the
concern is valid, how should I use the randomizer so as to achieve the
objective?
Thanks in advance.
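Added example (editor's code, not from the thread or from the ESAPI project): a batch password generator that draws directly from System.Security.Cryptography.RNGCryptoServiceProvider, the Microsoft crypto provider the post refers to. It exposes no caller-supplied seed, so a long loop does not replay one fixed initial state, and the index selection rejects bytes that would introduce modulo bias. The class and method names below are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: batch password generation with the OS-backed CSPRNG.
// RNGCryptoServiceProvider has no seed parameter; every GetBytes call
// returns fresh output from the Windows crypto provider, so iterating
// 10 million times does not reuse a single initial state.
public static class BatchPasswordGenerator
{
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Draw an index in [0, max) without modulo bias: discard byte values
    // in the incomplete final block of the range and draw again.
    private static int UnbiasedIndex(RandomNumberGenerator rng, int max)
    {
        byte[] b = new byte[1];
        int limit = 256 - (256 % max);   // largest multiple of max <= 256
        while (true)
        {
            rng.GetBytes(b);
            if (b[0] < limit) return b[0] % max;
        }
    }

    public static string GeneratePassword(RandomNumberGenerator rng, int length)
    {
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[UnbiasedIndex(rng, Alphabet.Length)]);
        return sb.ToString();
    }

    public static List<string> GenerateBatch(int count, int length)
    {
        var result = new List<string>(count);
        // One provider instance reused for the whole loop; the caller
        // never seeds or reseeds it.
        using (var rng = new RNGCryptoServiceProvider())
        {
            for (int i = 0; i < count; i++)
                result.Add(GeneratePassword(rng, length));
        }
        return result;
    }

    public static void Main()
    {
        foreach (var pw in GenerateBatch(5, 16)) Console.WriteLine(pw);
    }
}
```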