Phobos randomUUID is not suitable to generate secrets
Johannes Pfau
nospam at example.com
Sun Sep 6 08:12:56 UTC 2020
On Sat, 05 Sep 2020 21:17:59 -0400, Steven Schveighoffer wrote:
> On 9/5/20 6:41 AM, Johannes Pfau wrote:
>>
>> Unfortunately, we can not silently replace this overload to use a
>> secure RNG: On linux, would we use random or urandom? And the system
>> rng can block on low entropy, which could cause regressions in some
>> applications.
>> Also some applications (like vibe.d) would probably rather block a
>> fiber than a thread, which complicates things more.
>
> 1. The default should be changed, even if it's not as performant. There
> is no promise about randomUUID's performance.
>
> 2. vibe.d does not depend on this, so there are no worries about
> blocking a thread.
>
> -Steve
1) This is not about performance. getrandom, /dev/urandom on FreeBSD and
other cryptographic random number generators can block if they have not
been seeded with enough entropy yet. There are well-known bugs caused by
this when programs in early boot use these interfaces, block and
therefore cause the whole system boot to fail:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897572
https://wiki.debian.org/BoottimeEntropyStarvation
On small embedded systems with less entropy sources, it may take even
longer to properly seed the system random number generators.
Silently changing randomUUID() to use such an interface means some
programs which do not care about UUIDs being secure might block, which
could cause catastrophic effects as in the above bug reports. Although
it's unlikely such low-level tools are written in D, we can not simply
assume that.
Because of that, the only valid solution is to remove the default
overload and let the user make an informed decision.
--
Johannes
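The blocking failure mode discussed in this thread, shown as an added C example (not code from the thread or from Phobos): it asks the Linux kernel CSPRNG for bytes with getrandom(2) and GRND_NONBLOCK, so an unseeded pool comes back as a status code instead of hanging the process, and then builds a version-4 UUID from those bytes, which is the "informed decision" a caller makes once the default overload is gone. It assumes Linux with a glibc new enough to ship <sys/random.h> (2.25 or later).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>

/* Outcome of a request for secret bytes. */
enum { RAND_OK = 0, RAND_UNSEEDED = 1, RAND_ERROR = -1 };

/* Fill buf with len bytes from the kernel CSPRNG without ever blocking.
 * While the pool is still uninitialised (early boot, fresh VM, small
 * embedded board) getrandom fails with EAGAIN; we surface that as
 * RAND_UNSEEDED so the caller can retry later or refuse to start,
 * instead of silently hanging the way a blocking read would. */
int fill_secret_nonblocking(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, GRND_NONBLOCK);
        if (n < 0) {
            if (errno == EINTR)
                continue;             /* interrupted by a signal: retry */
            if (errno == EAGAIN)
                return RAND_UNSEEDED; /* the call would have blocked */
            return RAND_ERROR;        /* old kernel, EFAULT, ... */
        }
        got += (size_t)n;             /* short reads are legal; keep going */
    }
    return RAND_OK;
}

/* Build a textual version-4 UUID (the layout Phobos randomUUID emits)
 * from secure bytes; out holds 36 chars plus NUL. The caller, not the
 * library, now owns the choice of entropy source and blocking policy. */
int secret_uuid_v4(char out[37])
{
    unsigned char b[16];
    int rc = fill_secret_nonblocking(b, sizeof b);
    if (rc != RAND_OK)
        return rc;
    b[6] = (b[6] & 0x0f) | 0x40;      /* version 4 */
    b[8] = (b[8] & 0x3f) | 0x80;      /* RFC 4122 variant */
    snprintf(out, 37, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7],
             b[8], b[9], b[10], b[11], b[12], b[13], b[14], b[15]);
    return RAND_OK;
}
```

A program that does not need a secret UUID would keep using a user-space PRNG; a program that does need one checks for RAND_UNSEEDED and decides what to do, rather than letting a library default decide for it.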