@sherzaad
Ohh union, seems like a more proper way to code than the way I did it. That said, no I would not concider Token.val a 64 bit random number.
The reason is that random() does not provide true random numbers. For a given seed the first call of random() will give the same "random" number every time, and the second time random() is called it will always give the same number as well. And with only 2^32 possible seeds, theres only that many amount of possible tokens.
An other way to explain my point would be to think of random as a cyclic (extremely long) list of numbers, and a call of random gives the next number in the list, but it always starts at the first place.
As the amount of possible lists is equal to the seed, this would be 2^32 lists. Meaning the first token wil only have 2^32 possible outcomes, after all, you are looking at the first two places in one of the lists.
@aarg
Require is a big word. I'm aiming to use wireless communication for sensors and controls. The communication is encrypted using AES. However to prevent capture and resend attacks I want to add a token to each message. So my communication protocol is basically:
- node 1: Request token (is plain text message)
- node 2: Send token in encrypted AES message (token is generated here)
- node 1: Send actual message with token to verify authenticity
As an attacker, using a 32 bit token means I could capture the encrypted token, and encrypted message, and request tokens as a fake slave untill the encrypted token I receive equals captured encrypted token. Then I could send back the actual encrypted message. With a 32 bit token, requesting at a rate of 1 request per ms, it would "only" take about 25 days for an attack. And that is when capturing a single packet. If you capture multiple encrypted token-encrypted message pairs, time would go down.
And yes, this is long enough for practical purpouses. And yes, it becomes not as simple after you call random a few times. And yes, theres also security by obscurity.
So require is the wrong word to use. But by now I'm invested and want to try to make it work, and overly secure. So I'd rather say that I'd like to have a 64 bit random number.