An ongoing argument I’ve seen in the PowerShell community is regarding the effectiveness of random numbers generated by the Get-Random cmdlet. Those who claim that Get-Random does not produce cryptographically strong random data advocate using the. Well, which one is stronger? The answer to that question depends on how one defines “cryptographically strong.” For the sake of simplicity, we will define “cryptographically strong” as data that is sufficiently random (i.e.

Let’s start by discussing randomness.

Full disclosure: I am neither a cryptographer nor a mathematician, therefore, I am far from qualified to speak with sufficient authority on how to implement a proper pseudorandom number generator. Apparently, this is even a hard problem for mathematicians and cryptographers on government standards boards.

How can we tell how “random” something is? It’s actually fairly easy to visualize by looking at a histogram of the frequency with which each byte in a sequence occurs. For example, here’s a frequency diagram of an uncompressed kernel32.dll vs. a frequency diagram of kernel32.dll as a compressed and encrypted zip file.

The X-axis indicates a byte value 0-255 and the Y-axis indicates the percentage of occurrences for each byte. You can see that the frequency diagram of the uncompressed kernel32.dll has many peaks and valleys, whereas, in the compressed and encrypted version, the distribution of bytes has “flattened”. The aggregate distribution of frequencies refers to the randomness of the data.

Now, if we’re going to test the randomness of data, eyeballing it will not suffice. We need a way to quantify the randomness of a dataset. Fortunately, we have the following handy formula:

For those who haven’t dealt with this kind of math for a while, don’t let this equation scare you. It simply represents the sum of each byte frequency percentage scaled to a value between 0 (no entropy – i.e. a sequence consisting of a single byte) and 8 (maximum entropy – i.e.

This equation can be easily converted into a function in PowerShell.

```powershell
# Probability of this byte value: its count divided by the total length
$ByteProbability = ($FrequencyTable[$Byte]) / $Bytes.Length
# Add this byte value's contribution to the running entropy total
$Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2)
```

Get-Entropy takes a byte array and calculates its entropy.

Now, here’s a simple function that generates a byte array using either Get-Random or by using the RNGCryptoServiceProvider class.

```powershell
# -Maximum is exclusive, so this yields a value in the range 0-255
$RandomBytes = Get-Random -Minimum 0 -Maximum 256
```

So now we have the components necessary to put Get-Random and RNGCryptoServiceProvider to the test. To see which method generates data with a higher entropy, we’ll generate 4096 random bytes 100 times, compute the average entropy, and then compare the two averages. If one method has an entropy that deviates greatly from the other, then we will have a clear winner in terms of randomness. Here is our test code:

```powershell
# Generate 0x1000 random bytes 100 times using
# Get-Random and RNGCryptoServiceProvider.
$Length = 0x1000
$Results = 1..100 | ForEach-Object {
    $GetRandomBytes = Get-RandomByte -Length $Length -Method GetRandom
    $CryptoRNGBytes = Get-RandomByte -Length $Length -Method CryptoRNG
    $Randomness = @{
        GetRandomEntropy = Get-Entropy -Bytes $GetRandomBytes
        CryptoRNGEntropy = Get-Entropy -Bytes $CryptoRNGBytes
    }
    New-Object PSObject -Property $Randomness
}
# Average the entropy of each method across all runs
$GetRandomAverage = $Results | measure -Average -Property GetRandomEntropy
$CryptoRngAverage = $Results | measure -Average -Property CryptoRNGEntropy
$AverageEntropyResults = New-Object PSObject -Property @{
    GetRandomAverage = $GetRandomAverage.Average
    CryptoRngAverage = $CryptoRngAverage.Average
}
$AverageEntropyResults | Format-Table -AutoSize
```

So who came out on top? No one! The entropy values produced by Get-Random and RNGCryptoServiceProvider are both close enough to that of purely random data (entropy = 8) that they are both excellent candidates for generating random data.

net method to generate a password:

```powershell
Add-Type -AssemblyName System.Web
# Description: Enable accounts, reset passwords and set change password option at first logon.
$unsecuredPwd = [System.Web.Security.Membership]::GeneratePassword(10, 3)
$password = ConvertTo-SecureString -AsPlainText $unsecuredPwd -Force
$users = Get-Content -Path 'G:\Shares\XXX\ResetPassword\UserList.txt'
foreach ($user in $users) {
    Get-ADUser $user | Set-ADAccountPassword -NewPassword $password -Reset
    # Set option to change password at first logon
    Get-ADUser $user | Set-AdUser -ChangePasswordAtLogon $true
}
Write-Host "New password for all users: $unsecuredPwd"
Read-Host -Prompt "Click enter to"
```

answer works but requires importing System.Web. Below is a bespoke solution that'll generate a random printable ASCII string using the system's cryptographic generator and a little bit of maths; sample usage: `::GeneratePassword(64)`. Integrating into a script is left as an exercise for the reader.