August 7th, 2007
Security of Ruby’s Kernel#rand
Last night I was at the Chicago Area Ruby Group, and there was a presentation by Trevor Turk on his El Dorado project. While he was showing us the code, I saw the method that generates the application’s authentication token. I could not help but notice that the security of the authentication tokens depends greatly on the security of Ruby’s Kernel#rand method. Traditionally, default rand functions are a bit light on security, and so I wondered if that was also true of Ruby’s Kernel#rand.
Only one way to find out! I downloaded a fresh copy of the source code for Ruby 1.8.6 and started poking around in random.c, where the function in question lives. My findings are mixed, and I have good news and bad news to report!