Of the use of unpredictableSeed
cym13 via Digitalmars-d
digitalmars-d at puremagic.com
Sun Mar 5 02:48:54 PST 2017
On Thursday, 2 March 2017 at 21:50:36 UTC, Yuxuan Shui wrote:
> On Sunday, 26 February 2017 at 18:23:27 UTC, cym13 wrote:
>> Hi,
>>
>> I have found many times that people use unpredictableSeed in
>> combination with a normal PRNG for cryptographic purposes. Some
>> even go as far as reseeding at each call to try to make it more
>> secure.
>>
>> It is a dangerous practice: most PRNGs are not designed with
>> security (and unpredictability) in mind, and unpredictableSeed
>> was definitely not designed with security in mind (or it
>> failed heavily at it). It's a good tool when one needs
>> randomness, not security.
>>
>> I wrote a blog post to present exactly why this is a bad idea
>> and how it could be exploited [1].
>>
>> The best would be to add a standard CSPRNG interface to Phobos
>> but we aren't there yet.
>>
>> [1]: https://cym13.github.io/article/unpredictableSeed.html
>
> When I saw the code for unpredictableSeed I facepalmed
> really hard.
>
> I did some digging, and it was way way worse:
>
> https://github.com/dlang/phobos/commit/ff54d867e41abc8261075f0dce1261d68ee09180#diff-713ce153554afc99a07767cc8ba940aeL529
>
> https://github.com/dlang/phobos/commit/c433c36658df45677bf90b00e93cba051883294e
This is a misunderstanding: unpredictableSeed is perfectly fine
as it is. What's wrong is 1) using it for cryptographic purposes
and 2) systematic reseeding.

1) There is no way to make a cryptographically secure
pseudo-random number generator that is seedable. If a PRNG is
seedable then its number of states is finite, which makes it cycle
one way or another once you've expended all possible states. So
no cryptographic application should use such a PRNG, and therefore
any seed. For non-cryptographic purposes unpredictableSeed is,
honestly, random enough. It isn't your actual PRNG (or
shouldn't be, see point 2) but is only used to reseed it from time
to time.

2) The big mistake is systematic reseeding, which is far more
common than it should be. Using unpredictableSeed as a seed is
fine; the actual PRNG that is seeded will add a lot of entropy to
the output. However, by systematically reseeding it makes
unpredictableSeed the PRNG that is actually used (i.e., it doesn't
leave it any time to add entropy). And that is something that
should never happen because the PRNG in unpredictableSeed is the
weakest possible. It is not meant to be the actual PRNG.

So this article wasn't meant to be "Haha, Phobos is broken,
*facepalm*". It was about using tools for what they're meant for
and nothing else (especially when dealing with cryptographic
problems). The problem, if anything, is in the documentation that
doesn't enforce that point.
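The two usage patterns contrasted in the post, side by side in D, as an added example that is not part of the thread or of Phobos itself: reseeding on every draw (the anti-pattern) next to seeding once and letting the seeded generator run (the intended use). The third function is an assumption about the environment rather than anything the thread prescribes: it reads the operating system's own generator from /dev/urandom, which only exists on POSIX systems, for the cryptographic case where the post says no seedable PRNG should be used at all.

```d
import std.random : Random, unpredictableSeed, uniform;
import std.stdio : File, writeln;

// Anti-pattern described in the post: a fresh generator seeded on every
// call. The Mersenne Twister never gets to advance, so each result is a
// direct function of one unpredictableSeed value; the weak seed source
// effectively becomes the generator in use.
uint drawReseedingEveryCall()
{
    auto rng = Random(unpredictableSeed);   // new state every time
    return uniform(0u, 1000u, rng);
}

// Intended use: seed once, then keep drawing from the same state.
// Fine for simulations, sampling or games; still not for cryptography.
struct Sampler
{
    private Random rng;

    this(uint seed) { rng = Random(seed); }

    uint next() { return uniform(0u, 1000u, rng); }
}

// For cryptographic needs the post notes Phobos has no CSPRNG interface.
// Assumption for this example: a POSIX system exposing /dev/urandom, read
// directly instead of any seedable generator.
ubyte[32] osRandomBytes()
{
    ubyte[32] buf;
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(buf[]);
    assert(got.length == buf.length, "short read from /dev/urandom");
    return buf;
}

void main()
{
    auto s = Sampler(unpredictableSeed);   // seeded exactly once
    foreach (i; 0 .. 5)
        writeln("seeded once:        ", s.next());

    foreach (i; 0 .. 5)
        writeln("reseeded each call: ", drawReseedingEveryCall());

    writeln("os entropy bytes:   ", osRandomBytes());
}
```

The difference is not visible in a handful of printed values, which is exactly why the anti-pattern survives review; the point is structural. In `Sampler`, the seed only sets the starting point and every later value comes from the generator's own state transition, whereas `drawReseedingEveryCall` discards that state after one draw and so inherits whatever properties unpredictableSeed has and nothing more.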