visual basic

介绍 (Introduction)

在使用我为客户端编写的Microsoft Access应用程序培训和指导新用户时，我的应用程序中发生了非常意外的情况。 这通常是一种情况，它会提示我找到我所引入但未被困的错误。 但是，这次的错误引起了惊叹和困惑的惊叹。 当然这不可能发生……但是我是一个见证人，不能否认自己的眼睛。

Accepting the possibility that it could happen and creating a do-over (with different key) patch was my highest priority. That patch allowed the application to continue with that day's production run. Disaster had been averted and I left the client's office shaking my head in disbelief. Time to put on my Computer Scientist cap. This is the story of my research and a warning or alert to all VB developers who use the PRNG features of the VB language.

接受可能发生的情况并创建重复（使用不同的密钥）补丁是我的最高优先事项。 该修补程序使应用程序可以继续进行当天的生产运行。 灾难已经避免了，我难以置信地离开了客户的办公室。 是时候戴上我的计算机科学家帽子了。 这是我的研究故事，对使用VB语言的PRNG功能的所有VB开发人员发出警告或警告。

PRNG is not a new Visual Basic statement, feature, referenced class, nor a new kind of potato chip. It is an acronym for Pseudo-Random Number Generator. I'll get to the details about PRNGs and VB PRNG features in a moment. Firstly, I should explain why a Microsoft Access business application needs to use PRNG features.

PRNG不是新的Visual Basic语句，功能，引用的类，也不是新型的薯片。 它是伪随机数生成器的缩写。 稍后我将详细介绍PRNG和VB PRNG功能。 首先，我应该解释为什么Microsoft Access业务应用程序需要使用PRNG功能。

应用程序 (The Application)

几年前，我们在此高管调查应用程序中添加了一项功能，该功能使被调查者可以通过其Internet浏览器在线回答调查问题。 最初，调查都是以典型的数据输入方式输入数据库应用程序的所有纸质答案。 在完成一些设置数据输入和Excel数据导入之后，应用程序操作员将调查问题发送到（LAMP）服务器，并将一封电子邮件发送给调查接受者，其中包括带有其调查密钥的URL。 调查回答期到期后，我们将所有已完成和部分完成的调查下载到Microsoft Access数据库中，以进行详尽的配置文件报告。

Application Figure 1 (flow)

应用程序图1（流程）

a. Add row to web survey table

一个。 将行添加到网络调查表

b. Use newly inserted row's primary key value to seed VB PRNG

b。 使用新插入的行的主键值播种VB PRNG

c. Iterate Rnd() to pick out 30 characters from string

C。 迭代Rnd（）从字符串中挑选出30个字符

d. Update newly inserted row with random string

d。 用随机字符串更新新插入的行

e. Secure copy MySQL table data to LAMP server

e。 将MySQL表数据安全复制到LAMP服务器

f. Invoke data import PHP script

F。 调用数据导入PHP脚本

Application Source Figure 1 (new record)

应用程序源图1（新记录）

This is the area where the application failed due to VB's PRNG weakness. The failing statement was the second .Update method when I assigned an rs!Email_ID value. The Email_ID column has a unique index. Am I ever glad I forced uniqueness on that column, since problem analysis is more difficult on the MySQL database.

这是由于VB的PRNG弱点导致应用程序失败的区域。 当我分配rs！Email_ID值时，失败的语句是第二个.Update方法。 Email_ID列具有唯一索引。 我曾经很高兴在那一栏上强加唯一性，因为问题分析在MySQL数据库上更加困难。

With rs.AddNew!Source_ID = lngSourceID!Source_Name = strSourcename!Target_ID = Me.cboTarget.Column(0)!Target_Name = Me.cboTarget.Column(2) & " " & _Me.cboTarget.Column(3)!Survey_Name = Me.cboSurvey.Column(1)!Expire_Date = Format(CDate(Me.txtSurveyExpireDate), _"YYYYMMDD").Update
End With
rs.Bookmark = rs.LastModified
rs.Editrs!Email_ID = EmailID_For_SID(rs!S_ID)
rs.UpdateExport_Survey_For_Person rs!S_ID

Application Source Figure 2 (generate random string)

应用程序源图2（生成随机字符串）

Using the parameter (=rowID) as the seed for a new PRNG sequence, build a string of random characters.

使用参数（= rowID）作为新PRNG序列的种子，构建一串随机字符。

Public Function EmailID_For_SID(parmS_ID) As StringDim strTemp As StringDim intLoop As IntegerDim intCharPosn As IntegerDim strCharBase As StringstrCharBase = "01234ABCDEFGIJKLMNOPQRSTUVWXYZ" & _"abcdefghijklmnopqrstuvwxyz56789"strTemp = String(30, "A")Rnd -1               'resets the random seedRandomize (parmS_ID) 'initialize the seedFor intLoop = 1 To Len(strTemp)Mid$(strTemp, intLoop, 1) = _Mid$(strCharBase, Rnd() * Len(strCharBase) + 1, 1)NextEmailID_For_SID = strTemp
End Function

I seeded the VB PRNG with the (autoincrement) key value of the web-survey table row I'd just inserted and iterated 30 times, picking characters out of an alphabet string. To add to the seed variability, I changed the table default from 'sequential' to 'random' for the autoincrement field. This increased the range of primary key values from 1 -> 2.14 billion to -2.14 billion -> 2.14 billion. When two different rows' autoincrement keys resulted in identical 30 character 'random' strings, the application threw up its hands as I coded it. Identical random strings weren't supposed to happen... or so I thought. What I discovered would make the Lost In Space robot wave his arms and yell "Danger Will Robinson! Collision imminent!"

我用刚插入的网络调查表行的（自动递增）键值作为VB PRNG的种子，并重复了30次，从字母字符串中挑选字符。 为了增加种子的可变性，我将自动递增字段的表默认值从“顺序”更改为“随机”。 这将主键值的范围从1-> 21.4亿增加到-21.4亿-> 21.4亿。 当两行不同的自动增量键产生相同的30个字符的“随机”字符串时，应用程序在我编码时就举手了。 相同的随机字符串不应该发生...所以我想。 我发现的东西会使“迷失太空”机器人挥舞着手臂大喊：“危险的威尔·罗宾逊！碰撞迫在眉睫！”

PRNGs-简介 (PRNGs - An Introduction)

为了完全理解和开发针对此问题的非修补变通方法，我需要更好地了解PRNG以及VB PRNG功能的工作方式。 尽管我的补丁程序会减少冲突导致无法生成调查的机会，但是我不想被需要立即修复的疯狂用户打来电话，因为补丁程序失败了。 在我对PRNG的研究中，我学到了三件事：

Where Are PRNGs Used?

在哪里使用PRNG？

The three places you will likely see PRNGs used are Security, Statistics, and Games. Although PRNG applications are not central to this article, it may help you determine likely places to look in your VB code for PRNGs.

您可能会看到使用PRNG的三个位置是安全性，统计信息和游戏。 尽管PRNG应用程序不是本文的重点，但它可以帮助您确定在VB代码中查找PRNG的可能位置。

PRNG Security Uses

PRNG安全用途

One of the most secure methods of encrypting data is the one-time-pad. If the sender and receiver both use the same random number sequence (same size as the message) to encode their message, then anyone intercepting the message has no clue on how to decrypt the message unless they've also learned of the random number sequence. The problem with this method is the need to use a different random number sequence for each message. PRNGs are also used to generate random data when wiping a hard drive of sensitive data. These two examples only begin to enumerate the uses of PRNGs with security. This is a big list.

一次性密码是最安全的数据加密方法之一。 如果发送方和接收方都使用相同的随机数序列（与消息相同的大小）来编码其消息，则任何拦截该消息的人都不知道如何解密该消息，除非他们也了解了随机数序列。 这种方法的问题是需要为每个消息使用不同的随机数序列。 当擦除敏感数据的硬盘驱动器时，PRNG也可用于生成随机数据。 这两个示例仅开始枚举具有安全性的PRNG的用法。 这是一个很大的清单。

PRNG Statistic Uses

PRNG统计用途

The most frequent PRNG use in statistics is with Monte Carlo simulations. However, there are other related scientific fields of study, such as genetic algorithms where PRNGs have been used to select breeding pairs and methods. In this case, I'm using Statistic in an overly broad sense.

PRNG在统计中最常使用的是蒙特卡洛模拟。 但是，还有其他相关的科学研究领域，例如遗传算法，其中PRNG用于选择育种对和方法。 在这种情况下，我使用的统计信息过于笼统。

PRNG Games Uses

PRNG游戏用途

Some of the earliest applications we write as beginner programmers are games. PRNGs are used to select tic-tac-toe squares, shuffle cards, and roll dice. Casinos rely on the PRNGs in their electronic gaming equipment. If you don't think PRNG behavior makes a difference, consider the producers of the TV game show, Press Your Luck.

我们作为初学者程序员编写的最早的应用程序是游戏。 PRNG用于选择井字游戏方格，随机洗牌和掷骰子。 娱乐场在其电子游戏设备中依赖PRNG。 如果您认为PRNG行为无济于事，请考虑电视游戏节目的制作人：Press Your Luck。

PRNG Resources For Your Own Study

PRNG资源供您自己学习

VB PRNG语言功能 (VB PRNG Language Features)

VB语言有两个与PRNG相关的功能/语句，即Rnd（）和Randomize。

The Rnd() Function

Rnd（）函数

The Rnd() function gives sequences of single precision floating point numbers, where 0 <= Rnd() < 1. Rnd() can be use as a function or can appear on a line all by itself, in the form of a VB statement, without any compilation problems. Since Rnd() is a function, the compiler will discard the returned value if it is used as a statement. For the purposes of consistency, Rnd() will be the notation used in this article. You might see the alternate form, Rnd, used in production code and sample/example code.

Rnd（）函数提供了单精度浮点数的序列，其中0 <= Rnd（）<1。Rnd（）可以用作函数或以VB语句的形式单独出现在一行上，没有任何编译问题。 由于Rnd（）是一个函数，如果将其用作语句，则编译器将丢弃返回的值。 为了保持一致性，Rnd（）将是本文中使用的符号。 您可能会看到在生产代码和示例/示例代码中使用的替代形式Rnd。

The Randomize Statement

随机陈述

The Randomize statement initializes the Rnd() sequence with a new seed. The default seed value is the current Timer() function value (see below). When using the Randomize statement to reseed the sequence, you need to invoke Rnd -1 prior to the Randomize statement. Although I've used "Rnd -1" in my examples and documentation of seed resetting, the -1 can be any negative value.

Randomize语句使用新的种子初始化Rnd（）序列。 默认种子值是当前的Timer（）函数值（请参见下文）。 使用Randomize语句重新设定序列的种子时，需要在Randomize语句之前调用Rnd -1。 尽管在示例和种子重置文档中使用了“ Rnd -1”，但-1可以是任何负值。

A detailed KB article about resetting the seed is at http://support.microsoft.com/default.aspx?scid=kb;en-us;120587

有关重置种子的详细KB文章，位于http://support.microsoft.com/default.aspx?scid=kb;zh-cn;120587

The Timer() Function

Timer（）函数

The Timer() function returns values between 0.00 and 86400.00. These are the seconds of the day, starting at midnight with a resolution of 1/100th of a second. Doing the math, there are 8.64 million unique numeric Timer() values.

Timer（）函数返回介于0.00和86400.00之间的值。 这是一天中的秒，从午夜开始，分辨率为1/100秒。 进行数学运算时，有864万个唯一的Timer（）数字值。

微软告诉你的 (What Microsoft Tells You)

在文档方面，我们会受到Microsoft的摆布。 我认为应该感谢他们的帮助文件和产品文档的整体质量。 因此，这就是Microsoft关于“随机种子”和VB PRNG功能的使用的说法。

VB Classic Randomize Help

VB经典随机帮助

From the online help (both VB help file and msdn.microsoft.com), the Randomize statement seed value can be "Any Numeric Expression". That should allow you to supply a HUGE range of seed values.

从联机帮助（VB帮助文件和msdn.microsoft.com），Randomize语句的种子值可以为“任何数字表达式”。 那应该允许您提供巨大范围的种子值。

VB.NET PRNG Help (Rnd and Randomize)

VB.NET PRNG帮助（Rnd和随机化）

There is new verbiage accompanying VB.NET documentation associated with the Rnd() function and Randomize statement.

与Rnd（）函数和Randomize语句相关联的VB.NET文档附带新的术语。

Although I didn't consider what I was doing cryptography, I was obscuring the value of the survey key by expressing the row ID as a long string of 'random' characters.

尽管我没有考虑要做什么加密，但是我通过将行ID表示为一串长的“随机”字符来掩盖调查密钥的值。

Other than the Security Note, the online documentation about the Randomize statement remains the same as the VB 3 online help: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vblr7/html/vastmrandomize.asp

除安全说明外，有关Randomize语句的联机文档与VB 3联机帮助相同： http : //msdn.microsoft.com/library/default.asp?url=/library/en-us/vblr7/ html / vastmrandomize.asp

实际发生了什么 (What Actually Happens)

这是有关VB PRNG实际工作原理的秘密说明。 VB PRNG是线性同余生成器，这意味着连续值是从先前值通过数学公式得出的，其形式为：

Rk+1 = (Rk* L + M) Mod N

Rk + 1 =（Rk * L + M）模N

Rnd() Internals

Rnd（）内部

The Rnd() uses the following formula:

Rnd（）使用以下公式：

x1 = (x0 * a + c) MOD (2^24)

x1 =（x0 * a + c）MOD（2 ^ 24）

where a = 1140671485 and c = 12820163

其中a = 1140671485和c = 12820163

The default value for x0 is 327680 (&h50000). This is why you get repeatable sequences when you do not use the Randomize statement prior to the first Rnd() function invocation.

x0的默认值为327680（＆h50000）。 这就是为什么在第一次调用Rnd（）函数之前不使用Randomize语句时会得到可重复序列的原因。

Please notice the 2^24 division. This results in a 'period' for the PRNG, where a sequence of values from the Rnd() function will repeat after 16.77M invocations. In talks with my local crypto expert, we both agreed that this is a serious flaw in the PRNG. Since I was only using the first 30 items of each sequence, I wasn't too concerned about this.

请注意2 ^ 24除法。 这将为PRNG产生一个“期间”，其中Rnd（）函数的一系列值将在调用16.77M之后重复。 在与我的当地加密专家进行的会谈中，我们都同意这是PRNG中的一个严重缺陷。 由于我只使用每个序列的前30个项目，因此我对此并不太担心。

To get the 0 <= Rnd() < 1 values, the x1 value is divided by 2^24 before it is returned to your Visual Basic program code. It is then up to the VB programmer to transform the returned values into a scale and range that is appropriate for the application.

若要获得0 <= Rnd（）<1，请先将x1值除以2 ^ 24，然后再返回到Visual Basic程序代码。 然后由VB程序员将返回的值转换为适合应用程序的比例和范围。

Randomize Internals

随机化内部

After considerable research, I discovered that there is a weakness in the randomize statement that is much more severe than that in the Rnd() function. Here's what happens inside the Randomize statement:

经过大量研究，我发现随机声明中的一个弱点比Rnd（）函数中的一个弱点更为严重。 这是在Randomize语句内发生的事情：

1. The supplied seed value is cast into a Single datatype. This is understandable, since the Rnd() function returns a Single datatype.

1.将提供的种子值转换为Single数据类型。 这是可以理解的，因为Rnd（）函数返回Single数据类型。

Note: the Timer() value returns a Single datatype which does not require any datatype conversion.

注意： Timer（）值返回一个Single数据类型，该数据类型不需要任何数据类型转换。

2. The Single (datatype) seed is 'moshed' into 2-byte seed (TwoByteSeed) value with the following XOR operations:

2.使用以下XOR操作将Single（数据类型）种子“合并”为2字节种子（TwoByteSeed）值：

TwoByteSeed = [byte1 XOR byte3] [byte2 XOR byte4]

3. One additional XOR operation is performed on these two bytes, depending on the sign of the originally supplied seed as the following code snippet describes:

3.根据最初提供的种子的符号，对这两个字节执行一个附加的XOR操作，如以下代码段所述：

If originalseed < 0 ThenTwoByteSeed = TwoByteSeed XOR &h06C0
Else TwoByteSeed = TwoByteSeed XOR &h0240
End If

VB PRNG Internals References

VB PRNG内部参考

这对开发人员意味着什么 (What This Means to Developers)

这是VB PRNG的弱点和问题的摘要。

Using the Timer() value, the default seed for the Randomize statement, doesn't help as I've illustrated in the following section. Using a (guaranteed) unique seed value doesn't help as I experience in my application.

如下一节所述，使用Timer（）值（Randomize语句的默认种子）无济于事。 根据我在应用程序中的经验，使用（保证的）唯一种子值无济于事。

To help you estimate your chance of collision, take the total number of supplied seed values and divide by 64K. This would be an approximation of the average collisions. A 'collision' is the occurrence of a repeated sequence.

为了帮助您估计发生碰撞的机会，请使用提供的种子值总数除以64K。 这将是平均碰撞的近似值。 “碰撞”是重复序列的出现。

Timer Seed Collision Stats

计时器种子碰撞统计

These figures are the result of generating the actual seed values based on possible Timer() function values and counting identical values produced by the Randomize statement.

这些数字是根据可能的Timer（）函数值生成实际种子值并计算由Randomize语句生成的相同值的结果。

我们可以/应该做什么？ (What Can/Should We Do?)

VB PRNG重复序列将在我们的应用程序中发生。 有人读过这篇文章吗？

So what should you do and what can you do to protect yourself?

那么，您应该怎么做以及如何保护自己呢？

未来是什么？ （下一篇） (What's Ahead? (Next Article))

在以后的文章中，我将介绍细微调整的详细信息，例如

I will also cover details about replacing Rnd() and Randomize (major tweaks), such as

我还将介绍有关替换Rnd（）和Randomize（主要调整）的详细信息，例如

事先公布通知 (Prior Publication Notice)

本文最初发表于： http://www.15seconds.com/issue/051110.htmhttp://www.15seconds.com/issue/051110.htm

Unfortunately, 15seconds.com is no longer a web site so that URL will not navigate you to the article.  I did find a copy of the article on the great Internet Archive (the Wayback Machine) having this URL:

不幸的是，15seconds.com不再是网站，因此URL不会将您导航到该文章。 我确实在伟大的Internet存档（Wayback Machine）上找到了具有以下URL的文章副本：

http://web.archive.org/web/20051124213610/http://www.15seconds.com/issue/051110.htmhttp://web.archive.org/web/20051124213610/http://www.15seconds.com/issue/051110.htm

Since the original article has been URL-referenced widely, I decided to republish it on Experts-Exchange.com to make it easier for people to find.

由于原始文章已被广泛引用URL，因此我决定将其重新发布在Experts-Exchange.com上，以使人们更容易找到它。

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=

If you liked this article and want to see more from this author,  please click here.

如果您喜欢本文，并希望从该作者那里获得更多信息， 请单击此处 。

If you found this article helpful, please click the Yes button near the:

如果您认为这篇文章对您有所帮助 ，请单击以下位置旁边的“

Was this article helpful?

本文是否有帮助？

label that is just below and to the right of this text.   Thanks!

此文字下方和右侧的标签。

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=-=-=- =-=-=

翻译自: https://www.experts-exchange.com/articles/11114/An-Examination-of-Visual-Basic's-Random-Number-Generation.html

visual basic