Of the use of unpredictableSeed
Yuxuan Shui via Digitalmars-d
digitalmars-d at puremagic.com
Thu Mar 2 13:50:36 PST 2017
On Sunday, 26 February 2017 at 18:23:27 UTC, cym13 wrote:
> Hi,
>
> I found many times that people use unpredictableSeed in
> combination with a normal PRNG for cryptographic purposes. Some
> even go as far as reseeding at each call to try making it more
> secure.
>
> It is a dangerous practice: most PRNGs are not designed with
> security (and unpredictability) in mind, and unpredictableSeed
> was definitely not designed with security in mind (or it failed
> heavily at it). It's a good tool when one needs randomness, not
> security.
>
> I wrote a blog post to present exactly why this is a bad idea
> and how it could be exploited [1].
>
> The best would be to add a standard CSPRNG interface to Phobos
> but we aren't there yet.
>
> [1]: https://cym13.github.io/article/unpredictableSeed.html
When I saw the code for unpredictableSeed, I face-palmed really
hard.
I did some digging, and it was way, way worse:
https://github.com/dlang/phobos/commit/ff54d867e41abc8261075f0dce1261d68ee09180#diff-713ce153554afc99a07767cc8ba940aeL529
https://github.com/dlang/phobos/commit/c433c36658df45677bf90b00e93cba051883294e
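The pattern the thread warns about, placed beside a hardened form, as an added example that is not code from the thread, from the linked blog post or from Phobos. It assumes a POSIX system that exposes /dev/urandom, since Phobos itself offers no CSPRNG; the function names weakToken and strongToken are this example's own.

```d
// Added example (not from the thread or Phobos): a token generator built on
// a general-purpose PRNG + unpredictableSeed, beside one that draws its bytes
// from the operating system's CSPRNG instead.
import std.random : Mt19937, unpredictableSeed, uniform;
import std.stdio : File, writeln;
import std.format : format;

// Weak: Mt19937 is a statistical PRNG, not an unpredictable one, and the seed
// it receives from unpredictableSeed is not a secret of cryptographic quality.
// Reseeding on every call (the misuse described in the post) changes neither.
string weakToken(size_t nbytes)
{
    auto rng = Mt19937(unpredictableSeed); // fresh seed per call, still weak
    string s;
    foreach (_; 0 .. nbytes)
        s ~= format("%02x", uniform!ubyte(rng));
    return s;
}

// Hardened: take the bytes from /dev/urandom, the OS CSPRNG (assumption: a
// POSIX system). A short read is treated as an error rather than padded.
string strongToken(size_t nbytes)
{
    auto buf = new ubyte[nbytes];
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(buf);
    if (got.length != nbytes)
        throw new Exception("short read from /dev/urandom");
    string s;
    foreach (b; got)
        s ~= format("%02x", b);
    return s;
}

void main()
{
    writeln("weak   : ", weakToken(16));
    writeln("strong : ", strongToken(16));
}
```

Both functions print 32 hex characters, which is the point: the weak output is indistinguishable by inspection, so the defect is only visible in how the bytes were produced, not in what they look like.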