Using IPv6 as seed + time almost as good as TRNG?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I just figured out a way to create a RNG that may be almost as good as TRNG (true random number generator) and need some input to confirm/clarify.



What if I use the IPv6 address of a visitor as a seed + the time recorded when the visitor executes a particular action at my website to generate the random numbers?



IPv6 has about 340 trillion trillion trillion possible addresses.



And I increase the strength by repeating the same process with a 2nd visitor and do some logic between 1st visitor's RNG and 2nd visitor's RNG to arrive at a new RNG (say "1st New").



And I continue with the same process on 3rd visitor and do some logic between 3rd visitor's RNG and "1st New" to arrive at another new RNG (say "2nd New").



And I continue with the same on subsequent visitors until a certain duration is reached, to arrive at a final RNG (say "Final New").



Is this "Final New" almost as good as TRNG?
Or is it at least as good as CSPRNG?



For a hacker to successfully brute force my RNG, he needs to know the specific IP addresses of my visitors, at certain time period when a particular (unknown) action is executed, per each different visitor, for a duration of time, and the logic used in computing the RNG from one visitor with the next.










share|improve this question









New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • If you're looking for a non dedicated hardware TRNG, investigate haveged. It kinda builds upon internal system timings somewhat like your access times.
    – Paul Uszak
    1 hour ago














up vote
1
down vote

favorite












I just figured out a way to create a RNG that may be almost as good as TRNG (true random number generator) and need some input to confirm/clarify.



What if I use the IPv6 address of a visitor as a seed + the time recorded when the visitor executes a particular action at my website to generate the random numbers?



IPv6 has about 340 trillion trillion trillion possible addresses.



And I increase the strength by repeating the same process with a 2nd visitor and do some logic between 1st visitor's RNG and 2nd visitor's RNG to arrive at a new RNG (say "1st New").



And I continue with the same process on 3rd visitor and do some logic between 3rd visitor's RNG and "1st New" to arrive at another new RNG (say "2nd New").



And I continue with the same on subsequent visitors until a certain duration is reached, to arrive at a final RNG (say "Final New").



Is this "Final New" almost as good as TRNG?
Or is it at least as good as CSPRNG?



For a hacker to successfully brute force my RNG, he needs to know the specific IP addresses of my visitors, at certain time period when a particular (unknown) action is executed, per each different visitor, for a duration of time, and the logic used in computing the RNG from one visitor with the next.










share|improve this question









New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • If you're looking for a non dedicated hardware TRNG, investigate haveged. It kinda builds upon internal system timings somewhat like your access times.
    – Paul Uszak
    1 hour ago












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I just figured out a way to create a RNG that may be almost as good as TRNG (true random number generator) and need some input to confirm/clarify.



What if I use the IPv6 address of a visitor as a seed + the time recorded when the visitor executes a particular action at my website to generate the random numbers?



IPv6 has about 340 trillion trillion trillion possible addresses.



And I increase the strength by repeating the same process with a 2nd visitor and do some logic between 1st visitor's RNG and 2nd visitor's RNG to arrive at a new RNG (say "1st New").



And I continue with the same process on 3rd visitor and do some logic between 3rd visitor's RNG and "1st New" to arrive at another new RNG (say "2nd New").



And I continue with the same on subsequent visitors until a certain duration is reached, to arrive at a final RNG (say "Final New").



Is this "Final New" almost as good as TRNG?
Or is it at least as good as CSPRNG?



For a hacker to successfully brute force my RNG, he needs to know the specific IP addresses of my visitors, at certain time period when a particular (unknown) action is executed, per each different visitor, for a duration of time, and the logic used in computing the RNG from one visitor with the next.










share|improve this question









New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I just figured out a way to create a RNG that may be almost as good as TRNG (true random number generator) and need some input to confirm/clarify.



What if I use the IPv6 address of a visitor as a seed + the time recorded when the visitor executes a particular action at my website to generate the random numbers?



IPv6 has about 340 trillion trillion trillion possible addresses.



And I increase the strength by repeating the same process with a 2nd visitor and do some logic between 1st visitor's RNG and 2nd visitor's RNG to arrive at a new RNG (say "1st New").



And I continue with the same process on 3rd visitor and do some logic between 3rd visitor's RNG and "1st New" to arrive at another new RNG (say "2nd New").



And I continue with the same on subsequent visitors until a certain duration is reached, to arrive at a final RNG (say "Final New").



Is this "Final New" almost as good as TRNG?
Or is it at least as good as CSPRNG?



For a hacker to successfully brute force my RNG, he needs to know the specific IP addresses of my visitors, at certain time period when a particular (unknown) action is executed, per each different visitor, for a duration of time, and the logic used in computing the RNG from one visitor with the next.







randomness






share|improve this question









New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 3 hours ago









SEJPM♦

27.4k451130




27.4k451130






New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 4 hours ago









Dorky

243




243




New contributor




Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Dorky is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • If you're looking for a non dedicated hardware TRNG, investigate haveged. It kinda builds upon internal system timings somewhat like your access times.
    – Paul Uszak
    1 hour ago
















  • If you're looking for a non dedicated hardware TRNG, investigate haveged. It kinda builds upon internal system timings somewhat like your access times.
    – Paul Uszak
    1 hour ago















If you're looking for a non dedicated hardware TRNG, investigate haveged. It kinda builds upon internal system timings somewhat like your access times.
– Paul Uszak
1 hour ago




If you're looking for a non dedicated hardware TRNG, investigate haveged. It kinda builds upon internal system timings somewhat like your access times.
– Paul Uszak
1 hour ago










1 Answer
1






active

oldest

votes

















up vote
5
down vote














Is this "Final New" almost as good as TRNG [or CSPRNG]?




Assuming proper cryptographic techniques for entropy combination (eg Fortuna or at least hashing) are used for the combination of the "RNGs" the answer is no. If this kind of processing is not used, then the answer is an even bigger NO.



The reason here is relatively simple, the combination of IPv6 adress paired with the timing of the visit isn't actually a secret only known to you. Whoever hosts your VPS / your physical machine / provides you with internet connectivity or provides your ISP with internet connectivity can collect the very data you are considering random. And in cryptography the job of a TRNG / CSPRNG is to provide unpredictable random bytes, which is clearly violated here, because some or more of your network / system operators can predict the "random" bytes.



Additionally, while there are indeed $2^128$ IPv6 adresses, only a tiny fraction of these are used by actual end-users, so they're indeed not as unpredictable as assumed. Also because IPv6 has such a vast adress space, end-users tend to get static adresses (unlike with IPv4 where they are actually dynamic quite often) and so if you have a standard set of users, their IPv6 adresses won't give all that much unpredictability.



However, if you really want to use this idea, you can still measure this data (the IP + time pair and maybe also do this for IPv4?) and feed it to your operating system as additional entropy / seed data, which can't hurt security due to the way this data is used by the OS.






share|improve this answer






















    Your Answer




    StackExchange.ifUsing("editor", function ()
    return StackExchange.using("mathjaxEditing", function ()
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    );
    );
    , "mathjax-editing");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    Dorky is a new contributor. Be nice, and check out our Code of Conduct.









     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63460%2fusing-ipv6-as-seed-time-almost-as-good-as-trng%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    5
    down vote














    Is this "Final New" almost as good as TRNG [or CSPRNG]?




    Assuming proper cryptographic techniques for entropy combination (eg Fortuna or at least hashing) are used for the combination of the "RNGs" the answer is no. If this kind of processing is not used, then the answer is an even bigger NO.



    The reason here is relatively simple, the combination of IPv6 adress paired with the timing of the visit isn't actually a secret only known to you. Whoever hosts your VPS / your physical machine / provides you with internet connectivity or provides your ISP with internet connectivity can collect the very data you are considering random. And in cryptography the job of a TRNG / CSPRNG is to provide unpredictable random bytes, which is clearly violated here, because some or more of your network / system operators can predict the "random" bytes.



    Additionally, while there are indeed $2^128$ IPv6 adresses, only a tiny fraction of these are used by actual end-users, so they're indeed not as unpredictable as assumed. Also because IPv6 has such a vast adress space, end-users tend to get static adresses (unlike with IPv4 where they are actually dynamic quite often) and so if you have a standard set of users, their IPv6 adresses won't give all that much unpredictability.



    However, if you really want to use this idea, you can still measure this data (the IP + time pair and maybe also do this for IPv4?) and feed it to your operating system as additional entropy / seed data, which can't hurt security due to the way this data is used by the OS.






    share|improve this answer


























      up vote
      5
      down vote














      Is this "Final New" almost as good as TRNG [or CSPRNG]?




      Assuming proper cryptographic techniques for entropy combination (eg Fortuna or at least hashing) are used for the combination of the "RNGs" the answer is no. If this kind of processing is not used, then the answer is an even bigger NO.



      The reason here is relatively simple, the combination of IPv6 adress paired with the timing of the visit isn't actually a secret only known to you. Whoever hosts your VPS / your physical machine / provides you with internet connectivity or provides your ISP with internet connectivity can collect the very data you are considering random. And in cryptography the job of a TRNG / CSPRNG is to provide unpredictable random bytes, which is clearly violated here, because some or more of your network / system operators can predict the "random" bytes.



      Additionally, while there are indeed $2^128$ IPv6 adresses, only a tiny fraction of these are used by actual end-users, so they're indeed not as unpredictable as assumed. Also because IPv6 has such a vast adress space, end-users tend to get static adresses (unlike with IPv4 where they are actually dynamic quite often) and so if you have a standard set of users, their IPv6 adresses won't give all that much unpredictability.



      However, if you really want to use this idea, you can still measure this data (the IP + time pair and maybe also do this for IPv4?) and feed it to your operating system as additional entropy / seed data, which can't hurt security due to the way this data is used by the OS.






      share|improve this answer
























        up vote
        5
        down vote










        up vote
        5
        down vote










        Is this "Final New" almost as good as TRNG [or CSPRNG]?




        Assuming proper cryptographic techniques for entropy combination (eg Fortuna or at least hashing) are used for the combination of the "RNGs" the answer is no. If this kind of processing is not used, then the answer is an even bigger NO.



        The reason here is relatively simple, the combination of IPv6 adress paired with the timing of the visit isn't actually a secret only known to you. Whoever hosts your VPS / your physical machine / provides you with internet connectivity or provides your ISP with internet connectivity can collect the very data you are considering random. And in cryptography the job of a TRNG / CSPRNG is to provide unpredictable random bytes, which is clearly violated here, because some or more of your network / system operators can predict the "random" bytes.



        Additionally, while there are indeed $2^128$ IPv6 adresses, only a tiny fraction of these are used by actual end-users, so they're indeed not as unpredictable as assumed. Also because IPv6 has such a vast adress space, end-users tend to get static adresses (unlike with IPv4 where they are actually dynamic quite often) and so if you have a standard set of users, their IPv6 adresses won't give all that much unpredictability.



        However, if you really want to use this idea, you can still measure this data (the IP + time pair and maybe also do this for IPv4?) and feed it to your operating system as additional entropy / seed data, which can't hurt security due to the way this data is used by the OS.






        share|improve this answer















        Is this "Final New" almost as good as TRNG [or CSPRNG]?




        Assuming proper cryptographic techniques for entropy combination (eg Fortuna or at least hashing) are used for the combination of the "RNGs" the answer is no. If this kind of processing is not used, then the answer is an even bigger NO.



        The reason here is relatively simple, the combination of IPv6 adress paired with the timing of the visit isn't actually a secret only known to you. Whoever hosts your VPS / your physical machine / provides you with internet connectivity or provides your ISP with internet connectivity can collect the very data you are considering random. And in cryptography the job of a TRNG / CSPRNG is to provide unpredictable random bytes, which is clearly violated here, because some or more of your network / system operators can predict the "random" bytes.



        Additionally, while there are indeed $2^128$ IPv6 adresses, only a tiny fraction of these are used by actual end-users, so they're indeed not as unpredictable as assumed. Also because IPv6 has such a vast adress space, end-users tend to get static adresses (unlike with IPv4 where they are actually dynamic quite often) and so if you have a standard set of users, their IPv6 adresses won't give all that much unpredictability.



        However, if you really want to use this idea, you can still measure this data (the IP + time pair and maybe also do this for IPv4?) and feed it to your operating system as additional entropy / seed data, which can't hurt security due to the way this data is used by the OS.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 1 hour ago









        Maarten Bodewes

        50.4k669184




        50.4k669184










        answered 2 hours ago









        SEJPM♦

        27.4k451130




        27.4k451130




















            Dorky is a new contributor. Be nice, and check out our Code of Conduct.









             

            draft saved


            draft discarded


















            Dorky is a new contributor. Be nice, and check out our Code of Conduct.












            Dorky is a new contributor. Be nice, and check out our Code of Conduct.











            Dorky is a new contributor. Be nice, and check out our Code of Conduct.













             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63460%2fusing-ipv6-as-seed-time-almost-as-good-as-trng%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?