Of the use of unpredictableSeed

cym13 via Digitalmars-d digitalmars-d at puremagic.com
Sun Mar 5 02:48:54 PST 2017


On Thursday, 2 March 2017 at 21:50:36 UTC, Yuxuan Shui wrote:
> On Sunday, 26 February 2017 at 18:23:27 UTC, cym13 wrote:
>> Hi,
>>
>> I found many times that people use unpredictableSeed in 
>> combination with normal PRNG for cryptographic purpose. Some 
>> even go as far as reseeding at each call to try making it more 
>> secure.
>>
>> It is a dangerous practice, most PRNG are not designed with 
>> security (and unpredictability) in mind, and unpredictableSeed 
>> was definitely not designed with security in mind (or it 
>> failed heavily at it). It's a good tool when one needs 
>> randomness, not security.
>>
>> I wrote a blog post to present exactly why this is a bad idea 
>> and how it could be exploited [1].
>>
>> The best would be to add a standard CSPRNG interface to Phobos 
>> but we aren't there yet.
>>
>> [1]: https://cym13.github.io/article/unpredictableSeed.html
>
> When I saw the code for unpredictableSeed I went face palm 
> really hard.
>
> I did some digging, and it was way way worse:
>
> https://github.com/dlang/phobos/commit/ff54d867e41abc8261075f0dce1261d68ee09180#diff-713ce153554afc99a07767cc8ba940aeL529
>
> https://github.com/dlang/phobos/commit/c433c36658df45677bf90b00e93cba051883294e

This is a misunderstanding: unpredictableSeed is perfectly fine 
as it is. What's wrong is 1) using it for cryptographic purpose 
and 2) systematic reseeding.

1) There is no way to make a cryptographically secure 
pseudo-random number generator that is seedable. If a PRNG is 
seedable then its number of states is finite, which makes it cycle 
one way or another once you've expended all possible states. So 
no cryptographic application should use such a PRNG, and therefore 
any seed. For non-cryptographic purposes unpredictableSeed is, 
honestly, random enough. It isn't your actual PRNG (or 
shouldn't be, see point 2) but is only used to reseed it from time 
to time.

2) The big mistake is systematic reseeding, which is far more 
common than it should be. Using unpredictableSeed as a seed is 
fine; the actual PRNG that is seeded will add a lot of entropy to 
the output. However, by systematically reseeding, it makes 
unpredictableSeed the PRNG that is actually used (i.e., it doesn't 
leave it any time to add entropy). And that is something that 
should never happen because the PRNG in unpredictableSeed is the 
weakest possible. It is not meant to be the actual PRNG.

So this article wasn't meant to be "Haha, Phobos is broken, 
*facepalm*". It was about using tools for what they're meant and 
nothing else (especially when dealing with cryptographic 
problems). The problem, if anything, is in the documentation that 
doesn't enforce that point.
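As an added illustration, not code from this thread or from Phobos: the per-call reseeding pattern the post warns about, next to the seed-once use it describes as fine, and a read from the OS entropy device for anything security-sensitive (the /dev/urandom path and the helper names are assumptions).

```d
// Added example (not from the thread): the reseeding anti-pattern beside the
// intended use of unpredictableSeed, plus the OS entropy source for anything
// that actually needs to be unpredictable.
import std.random : Random, unpredictableSeed, uniform;
import std.file : read;

// Anti-pattern: a fresh generator is seeded on every call. The seeded PRNG
// never advances, so each result is a fixed function of unpredictableSeed,
// which becomes the only generator actually in play.
uint tokenReseededEveryCall()
{
    auto rng = Random(unpredictableSeed);
    return uniform!uint(rng);
}

// Intended use: seed once for the lifetime of the generator and let the PRNG
// itself produce the stream. Fine for simulations, shuffles and tests; still
// not suitable for keys, nonces or session tokens.
struct GameDice
{
    private Random rng;

    this(uint seed) { rng = Random(seed); }

    int roll() { return uniform(1, 7, rng); }
}

// For cryptographic purposes, bypass seedable PRNGs altogether and read the
// operating system's CSPRNG directly (POSIX device path assumed here, since
// Phobos offers no CSPRNG interface).
ubyte[] osRandomBytes(size_t n)
{
    return cast(ubyte[]) read("/dev/urandom", n);
}

void main()
{
    import std.stdio : writeln;

    auto dice = GameDice(unpredictableSeed); // seeded once, then advances
    writeln(dice.roll(), " ", dice.roll(), " ", dice.roll());
    writeln(osRandomBytes(16));              // the right source for secrets
    writeln(tokenReseededEveryCall());       // the pattern to avoid
}
```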

