Phobos randomUUID is not suitable to generate secrets

Johannes Pfau nospam at example.com
Sat Sep 5 10:41:34 UTC 2020 

Am Thu, 03 Sep 2020 13:31:01 +0000 schrieb Cym13:

> On Thursday, 3 September 2020 at 13:23:39 UTC, Cym13 wrote:
>> On Wednesday, 2 September 2020 at 16:49:30 UTC, Joseph Rushton Wakeling
>> wrote:
>>> ...
> 
> I feel that answer was confused, let me reformulate.
> 
> You are correct when you say that randomUUID() alone just takes whatever
> the RNG provides and isn't broken by itself. Should you provide
> cryptographically secure randomness it would be OK to use. However I
> have never seen randomUUID() used with a PRNG other than the default one
> (and I searched), which is what I attacked in that article. The reason
> why I focus on UUID generation and not just breaking the default PRNG on
> its own is twofold: first I saw much more bad usage of randomUUID() than
> of uniform() itself, and second some people had expressed doubts that it
> was exploitable at all in this context. My main goal with this article
> is not to change randomUUID itself (as you pointed out, it does not
> present any bug), but to change the default PRNG used for randomUUID()
> to be a cryptographically secure one because this is the only way to
> prevent more people to fall into the same trap of expecting it to be
> secure.

As the "original author" of that module I can probably add some 
background information on this issue:

The UUID module is mostly a 1:1 port from boost.uuid. I don't remember 
exactly which boost version was used and whether it included a function 
which used the library default random number generator. Current docs in 
boost however also use mt19937 without explicitly warning the user this 
is not cryptographically secure: https://www.boost.org/doc/libs/1_62_0/
libs/uuid/uuid.html#boost/uuid/random_generator.hpp

So this is where the problem originally came from, although it might have 
been my mistake to provide a default overload using the system RNG.


Unfortunately, we can not silently replace this overload to use a secure 
RNG: On linux, would we use random or urandom? And the system rng can 
block on low entropy, which could cause regressions in some applications. 
Also some applications (like vibe.d) would probably rather block a fiber 
than a thread, which complicates things more.


I propose the following:
1) Deprecate the version using the system RNG. Add a hint in the message 
that this function is not cryptographicallly secure. Add a reference to 
documentation how to update code.
2) Update documentation examples to show how to provide the phobos 
default RNG. State that this is not cryptographically secure.
3) Optionally: Implement a Secure, System based RNG. 

I'll open a pull request for steps 1-2 today, so that the immediate 
problem is solved. I'll also have a look how difficult it is to do 3).


-- 
Johannes

More information about the Digitalmars-d mailing list