1. Technical Field
The present invention relates to an improved data processing system. More particularly, the present invention provides a method and system for a random number generator to provide security in a data processing system.
2. Description of Related Art
The worldwide network of computers commonly known as the "Internet" has seen explosive growth in the last several years. Mainly, this growth has been fueled by the introduction and widespread use of so-called "web browsers," which enable simple graphical user interface-based access to network servers, which support documents formatted as so-called "web pages." A browser is a program that is executed on a graphical user interface (GUI) in a client computer. The browser allows a user to seamlessly load documents from a server via the Internet and display them by means of the GUI. These documents are commonly formatted using markup language protocols, such as hypertext markup language (HTML).
The client and the web server typically communicate using hypertext transport protocol (HTTP). However, when a client is accessing sensitive information from a web server, a secure protocol may be used. Hypertext transport protocol secure (HTTPS) is the protocol for accessing a secure Web server. Using HTTPS in the uniform resource locator (URL) instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The session is then managed by a security protocol. Secure sockets layer (SSL) is the leading security protocol on the Internet. When a session is started in SSL, the browser sends its public key to the server so that the server can securely send a secret key to the browser. The browser and server exchange data via secret key encryption during that session.
However, HTTP is a stateless protocol. Therefore, every request from an HTTP client to an HTTP server is a new request and no state is maintained between requests. Conventionally, HTTP cookies are used to maintain client-side state, whereas sessions are used to manage the state information on the server side. A cookie is data created by a web server that is stored on a client computer. A cookie is used to keep track of a user's patterns and preferences and, with the cooperation of the Web browser, is stored within the client computer. Cookies contain a range of URLs for which they are valid. When the browser encounters those URLs again, it sends the appropriate cookies to the Web server.
A session is used to track the activities of a user. For example, a session may be created to allow a user to add items to a "shopping cart" using a plurality of individual requests. A session may also allow a user to use a web interface to search a database. Web interfaces may also be used to control equipment from remote locations. As web interfaces become increasingly popular, the security of sessions used to manage multiple transactions by individual clients becomes exceedingly important. Normally, a session is created on the server side. To associate a session with a user, a random number, referred to as a session identification (ID), is generated and associated with the user. The session ID is sent back to the browser as a cookie or through a URL rewriting mechanism.
When an HTTP request is received, the server verifies whether a session ID is present. If an ID is present, the related session data is retrieved and the request is processed based on the session data. However, the server cannot verify that the user submitting the request is the same user to whom the session ID was originally assigned. Hence, a security loophole exists where an unauthorized user may submit a valid session ID. The session ID may be obtained by repeatedly submitting requests with potential session identifications until access is granted. Alternatively, the ID may be "sniffed" from the network by monitoring data traffic flow. The session ID may be obtained in this manner when a request is transmitted through an unsecure protocol, such as HTTP, as opposed to a secure protocol, such as HTTPS or SSL. In many web application server products, the security of session information is tied only to the randomness of the session ID, under the assumption that the bit length of the number is high enough to prevent an unauthorized user from generating the same number in a short period of time. However, the likelihood of hijacking the session ID is not ruled out completely.
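The server-side session handling described above (create a session, hand the ID to the browser, retrieve the session data on later requests), as an added Go example that is not part of the patent text and is not code from its authors. The 128-bit ID size, the Store/Session types, the sample user and the Log2ExpectedGuesses helper are all assumptions introduced here; the ID is drawn from crypto/rand, since the text's security argument rests entirely on the ID being unpredictable.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"sync"
)

// SessionIDBytes is an assumed size: 16 bytes gives a 128-bit ID (the text names no length).
const SessionIDBytes = 16

// Session holds the server-side state the text describes (here a user and a shopping cart).
type Session struct {
	User string
	Cart []string
}

// Store is the server-side session table, keyed by session ID.
type Store struct {
	mu       sync.Mutex
	sessions map[string]*Session
}

func NewStore() *Store {
	return &Store{sessions: make(map[string]*Session)}
}

// ErrNoSession is returned for malformed or unknown IDs; the caller treats it as "no session".
var ErrNoSession = errors.New("no session for ID")

// NewSessionID draws the ID from the operating system's CSPRNG (crypto/rand), never from a
// predictable mathematical PRNG such as math/rand.
func NewSessionID() (string, error) {
	b := make([]byte, SessionIDBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Create makes the server-side session and returns the ID that would be sent to the browser
// as a cookie or via URL rewriting.
func (s *Store) Create(user string) (string, error) {
	id, err := NewSessionID()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = &Session{User: user}
	return id, nil
}

// Lookup is the per-request step: reject malformed IDs before touching the table, then
// retrieve the session data for the ID if one exists. Note that nothing here can tell whether
// the submitter is the user the ID was issued to; possession of a valid ID is the whole check.
func (s *Store) Lookup(id string) (*Session, error) {
	if len(id) != 2*SessionIDBytes {
		return nil, ErrNoSession
	}
	if _, err := hex.DecodeString(id); err != nil {
		return nil, ErrNoSession
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return nil, ErrNoSession
	}
	return sess, nil
}

// Log2ExpectedGuesses quantifies the bit-length assumption: with idBits of randomness and
// activeSessions valid IDs, about 2^(idBits - log2(activeSessions)) blind attempts are needed
// to land on any valid session, so the safety margin shrinks as the number of sessions grows.
func Log2ExpectedGuesses(idBits int, activeSessions int) float64 {
	return float64(idBits) - math.Log2(float64(activeSessions))
}

func main() {
	store := NewStore()
	id, err := store.Create("alice") // constructed sample user
	if err != nil {
		panic(err)
	}
	sess, _ := store.Lookup(id)
	fmt.Printf("session %s belongs to %s\n", id, sess.User)
	_, err = store.Lookup("0000")
	fmt.Println("malformed ID:", err)
	fmt.Printf("log2 guesses at 128 bits, 1e6 sessions: %.1f\n", Log2ExpectedGuesses(128, 1_000_000))
}
```

The Lookup function makes the text's loophole concrete: it accepts any well-formed ID that is in the table, so the ID's unpredictability (and transport over HTTPS so it cannot be observed in transit) is what carries the security.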
Random number generation is crucial to a data processing system, which may include features such as security, encryption, access control for software systems, authority certification, user authentication, security interfaces, copy protection, and the like. However, prior art random number generators contain inherent limitations. For example, prior art genuine random number generators may require or use external stimulation, such as, for example, radioactive decay of rubidium, white noise generators, radio waves and the like. In addition, prior art random number generators that do not require external stimulation are pseudo-random. These pseudo-random number generators are mathematically based and may be predicted, may repeat, and are easy to break.
Therefore, it would be advantageous to have an improved method and apparatus for generating a genuine random number that overcomes the limitations of the prior art.
The present invention provides a method, system and computer readable instructions for generating a random number consisting of a plurality of binary bits. A race condition gate is set. An atomic lock is accessed, wherein a first racer representing a first binary bit and a second racer representing a second binary bit race toward the atomic lock upon release of the race condition gate. A determination is made as to which of the first racer, representing the first binary bit, and the second racer, representing the second binary bit, gains access to the atomic lock earliest. The atomic lock is retrieved based on the determination of which racer gains access to the atomic lock earliest. A single binary value is then written to a data stream; the single binary value is based on which of the first racer and the second racer retrieves the atomic lock.
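The race described above, as an added Go example that is not part of the patent and is not an implementation by its authors: two goroutines are the racers, a closed channel is the race condition gate, and an atomic compare-and-swap on an int32 is the atomic lock whose first winner decides the bit. The `ready` WaitGroup (so both racers are scheduled before the gate opens), the BitsToBytes packing and the OnesFraction bias check are my additions. On a given machine and scheduler the winner is usually far from 50/50, which is exactly why the bias check is there: raw output from this source is a candidate entropy input, not something to use directly as key material.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// RaceBit produces one bit: two racers wait behind a gate, then contend for an atomic lock.
// Racer 1 represents bit 0 and racer 2 represents bit 1; the lock records the first CAS winner.
func RaceBit() uint8 {
	var lock int32 // 0 = unclaimed, otherwise the winning racer's id
	gate := make(chan struct{})
	var ready, done sync.WaitGroup
	for _, id := range []int32{1, 2} {
		ready.Add(1)
		done.Add(1)
		go func(id int32) {
			defer done.Done()
			ready.Done()                            // this racer is scheduled and waiting
			<-gate                                  // block until the race condition gate is released
			atomic.CompareAndSwapInt32(&lock, 0, id) // only the first racer to arrive succeeds
		}(id)
	}
	ready.Wait() // both racers are running before the gate opens
	close(gate)  // release the gate: the race starts
	done.Wait()
	return uint8(atomic.LoadInt32(&lock) - 1)
}

// GenerateBits runs n independent races and returns the resulting bit stream.
func GenerateBits(n int) []uint8 {
	bits := make([]uint8, n)
	for i := range bits {
		bits[i] = RaceBit()
	}
	return bits
}

// BitsToBytes packs bits MSB-first; a trailing partial byte is zero-padded.
func BitsToBytes(bits []uint8) []byte {
	out := make([]byte, (len(bits)+7)/8)
	for i, b := range bits {
		out[i/8] |= (b & 1) << (7 - uint(i%8))
	}
	return out
}

// OnesFraction is a sanity check on bias: an unbiased source gives a value near 0.5.
func OnesFraction(bits []uint8) float64 {
	if len(bits) == 0 {
		return 0
	}
	ones := 0
	for _, b := range bits {
		ones += int(b)
	}
	return float64(ones) / float64(len(bits))
}

func main() {
	bits := GenerateBits(256)
	fmt.Printf("bytes: %x\n", BitsToBytes(bits))
	fmt.Printf("fraction of ones: %.3f (0.5 is unbiased)\n", OnesFraction(bits))
}
```

Run it several times and compare the fraction of ones across runs and across machines; a source like this has to be measured on the hardware it runs on before any entropy is credited to it.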