Random generation – How random really is it?
by Mike on Jun.05, 2009, under Findings, General
In computing terms nothing is truly random. A few people argue that nothing is really random as everything can be predicted somehow, whereas others say that parts of nature are random – but maybe we just don’t fully understand it yet? Anyway, that’s all beside the point; we’re talking about how random things are calculated on a computer.
So, how could a computer ever make something random? It’s something you don’t really think about, you just assume it’s easy. Take a second, close your eyes, and think of a number between 1 and 10. The odds are you’ll have picked a number and not know why, but if you’ve ever seen Paul McKenna or any of that stuff on TV then you’ll know that you probably chose that number because you’ve seen it a few times subconsciously that day – you may have chosen 3 because you bought 3 bars of soap for £3.33 earlier that day – who knows? Computers don’t have a subconscious, so how do they do it?
Well, it’s all about time. Something that changes all the while is time, so it’s a perfect seeding point for a random calculation. Time is stored differently on different operating systems, but for ease of use let’s use the UNIX way of storing it, that is, a UNIX timestamp. A UNIX timestamp is calculated by working out how many seconds it has been since January 1st 1970. This seems quite peculiar to someone who hasn’t come across it before, but when you take time to think about it, it’s actually quite a novel idea. It makes calculating times and dates much easier from a programming perspective. Take for example that I want to add a day onto the current date: it’s easy, I just add 86,400 seconds onto the current UNIX timestamp. Now put that against the Windows method: 2009-10-02. I want to add a day onto it… I’ll have to work out the month, work out how many days there are in that month, and check if the current day is the last day. If it is, then I have to work out the next month and add that on; if it’s not the last day of the month then I can just add it on. I also have leap years to deal with, the last day of the year, etc. Far more confusing.
Let’s use PHP with our example from before:
echo rand(1,10);
This will print out a number between 1 and 10. Example output:
3
However, if I were to go into the code, get the algorithm used to generate that random number, and run the program at the EXACT same time, then it would produce the same output, so this isn’t really random.
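The repeatability described above can be seen directly by seeding PHP's generator by hand. This is an added example, not code from the original post; it assumes PHP 7.1 or later, and the explicit mt_srand() call with a fixed timestamp is an assumption used to model a time-seeded generator (the helper name drawSeeded is hypothetical).

```php
<?php
declare(strict_types=1);

// Hypothetical helper: draw $count numbers in 1..10 from PHP's
// Mersenne Twister after seeding it explicitly with $seed.
function drawSeeded(int $seed, int $count): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand(1, 10);
    }
    return $out;
}

// Constructed sample value: a fixed UNIX timestamp standing in for time().
$timestamp = 1244160000; // 2009-06-05 00:00:00 UTC

$first  = drawSeeded($timestamp, 5);
$second = drawSeeded($timestamp, 5);     // "run at the EXACT same time"
$later  = drawSeeded($timestamp + 1, 5); // one second later

echo 'seed t     : ', implode(' ', $first), PHP_EOL;
echo 'seed t     : ', implode(' ', $second), PHP_EOL;
echo 'seed t + 1 : ', implode(' ', $later), PHP_EOL;

// Same seed, same sequence: the output depends only on the seed.
echo 'identical runs: ', ($first === $second) ? 'yes' : 'no', PHP_EOL;

// A whole-second timestamp seed can take only 86,400 values per day,
// so it should never be treated as a secret.
echo 'possible seeds per day: ', 24 * 60 * 60, PHP_EOL;

// For anything security-relevant (tokens, password resets, keys), draw
// from the operating system's CSPRNG instead of a seeded generator.
echo 'random_int : ', random_int(1, 10), PHP_EOL;
echo 'token      : ', bin2hex(random_bytes(16)), PHP_EOL;
```

random_int() and random_bytes() take no seed, so there is no timestamp or other guessable starting value that reproduces their output.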
There are some websites out there that claim to produce random numbers. The first hit on Google (at time of writing) for ‘random number generator’ claims to use atmospheric noise to seed its random number. This is probably one of the best methods I have come across as it is EXTREMELY hard to predict. But it is predictable.
To the average Joe this whole random business makes absolutely no odds whatsoever. But to security experts it’s a nightmare. Most security algorithms have some sort of random part to them to make them more secure. But if the random part can be calculated then this leaves their algorithms wide open; this is why a lot of the algorithms used in high-end security are never released.