Before directly answering your question, I would like to establish some parallels that will help in understanding the answer.
First, evaluate the sequences below and their corresponding formulas:
01010101010101010101010101 f(X) = NOT X
AAAAAAAAAAAAAAAAAAAAAAAAAA f(X) = "A"
ABCDEFGHIJKLMNOPQRSTUVWXYZ f(X) = CHAR(ASCII(X) + 1)
Without much work, we conclude that the predictability (or deterministic definition) of these sequences is very high; conversely, their entropy is very low.
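To make this concrete, here is a minimal sketch that estimates the entropy of those three sequences using Shannon's symbol-frequency formula (the function name `shannon_entropy` is mine; note the caveat in the comments: this naive per-symbol measure ignores ordering, so it cannot see the pattern in the alphabet sequence):

```python
from collections import Counter
from math import log2

def shannon_entropy(s: str) -> float:
    """Average information per symbol, in bits (Shannon entropy)."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * log2(c / n) for c in counts.values())

print(shannon_entropy("01010101010101010101010101"))  # 1.0 bit/symbol
print(shannon_entropy("AAAAAAAAAAAAAAAAAAAAAAAAAA"))  # 0.0 (fully predictable)

# Caveat: frequency-based entropy ignores order, so the alphabet
# sequence scores log2(26) ~ 4.7 even though it is fully predictable.
# Detecting that kind of pattern requires looking at symbol transitions.
print(shannon_entropy("ABCDEFGHIJKLMNOPQRSTUVWXYZ"))
```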
But what is entropy? It is the measure of chaos in a system. The term was originally created to describe thermodynamic systems, but the concept is also applicable to other domains - data, for example.
When we talk about computers generating random or pseudo-random content, we are talking about formulas that generate values whose distribution resembles that of a system with high entropy and a continuous uniform distribution.
An easy-to-visualize example of a continuous uniform distribution is white noise, whose distribution is seemingly impossible to describe with a deterministic formula, but whose density we can describe statistically. This is a white-noise bitmap generated at Random.org:
For comparison, this is the bitmap of PHP's rand() function, as demonstrated by developer Bo Allen in a 2012 post on his personal blog entitled Pseudo-Random vs. True Random. Note how easily you can detect the generation pattern:
While systems in nature lose order and gain entropy, the reverse occurs in data systems: whenever you 'generate' random numbers, you are removing entropy from the system and introducing order.
As an example, let's assume I obtained the following random string of letters from the Random.org Random String Generator:
Key
JPVPUUWWJAZEEUMLXDVT
I use it in a simple encryption formula: for each position, I 'add' the key letter's offset from the letter A to the payload letter at the same position, wrapping around after Z.
Payload              Encrypted content
AAAAAAAAAAAAAAAAAAAA JPVPUUWWJAZEEUMLXDVT
BBBBBBBBBBBBBBBBBBBB KQWQVVXXKBAFFVNMYEWU
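The table above can be reproduced with a short sketch (this scheme is the classic Vigenère cipher; the wrap-around after Z is why B shifted by the key's Z comes back to A in the second row):

```python
def encrypt(payload: str, key: str) -> str:
    """Shift each payload letter by the key letter's offset from 'A',
    wrapping around after 'Z' (a Vigenère cipher over A-Z)."""
    return "".join(
        chr((ord(p) - 65 + ord(k) - 65) % 26 + 65)
        for p, k in zip(payload, key)
    )

key = "JPVPUUWWJAZEEUMLXDVT"
print(encrypt("A" * 20, key))  # JPVPUUWWJAZEEUMLXDVT
print(encrypt("B" * 20, key))  # KQWQVVXXKBAFFVNMYEWU
```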
But note that if my payload is as long as or longer than the key, I reduce the system's entropy to zero. So, assume I concatenate my key with itself for the following payload:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
My encrypted content would be:
JPVPUUWWJAZEEUMLXDVTJPVPUUWWJAZEEUMLXDVT
^^^ ^^^
I can easily detect the repetition and predict the rest of the sequence.
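Detecting that repetition can even be automated. A minimal sketch (the helper `smallest_period` is my own) that recovers the key length from the ciphertext above:

```python
def smallest_period(s: str) -> int:
    """Smallest p such that s[i] == s[i + p] for every valid i."""
    for p in range(1, len(s)):
        if all(s[i] == s[i + p] for i in range(len(s) - p)):
            return p
    return len(s)

ciphertext = "JPVPUUWWJAZEEUMLXDVTJPVPUUWWJAZEEUMLXDVT"
print(smallest_period(ciphertext))  # 20 -- the key length leaks
```

Once the period is known, an attacker knows every future character of the keystream, which is exactly the loss of entropy described above.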
From a security standpoint, safe random functions are those that periodically replenish their entropy in order to prevent predictability.
You can replenish entropy in many ways; the best source of entropy is the real world. Some examples, which can be used as seeds in conjunction with a pseudo-random function:
- Access Twitter's trending topics. Take the last 128 tweets generated. Extract the date and time of each, and convert them to a byte array.
- Capture images from 2 or more public webcams around the world. Compute the MD5 of each. Convert them to one byte array.
- Let your cat walk on the keyboard. Convert the generated characters to a byte array. (Add a hamster to the system for more data. Keep them from leaving the system's scope by placing a box around the three.)
Each of these examples provides a different sample size and rate. The more truly random source data you feed into a hybrid system with a connected pseudo-random generator, the smaller the chances of pattern detection.
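The seeding idea above can be sketched as follows: hash the external samples together and use the digest to seed a PRNG. This is illustrative only (the function name and the sample byte strings are stand-ins I invented); for real security you should rely on the OS CSPRNG, e.g. Python's `secrets` module, rather than `random`:

```python
import hashlib
import random

def seeded_prng(*entropy_sources: bytes) -> random.Random:
    """Mix external entropy samples into one seed by hashing them,
    then feed the result to a pseudo-random generator.
    Illustrative sketch only -- not a substitute for a CSPRNG."""
    h = hashlib.sha256()
    for chunk in entropy_sources:
        h.update(chunk)
    return random.Random(int.from_bytes(h.digest(), "big"))

# Hypothetical external samples (stand-ins for tweet timestamps,
# webcam image hashes, and keyboard-cat input):
rng = seeded_prng(b"tweet timestamps...", b"webcam md5s...", b"keyboard cat")
print(rng.randint(0, 25))
```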
The answer, therefore, is no: you need to import entropy from an external system.
Sources:
http://www.random.org/strings/?num=10&len=10&upperalpha=on&unique=on&format=html&rnd=new
http://boallen.com/random-numbers.html
Edit/Disclaimer: Added, directly in the text, a mention of the post from which the RAND() function image was taken.