[Cryptography] Construction of cryptographic software.
ianG
iang at iang.org
Wed Dec 3 11:36:45 EST 2014
On 2/12/2014 23:17 pm, Tony Arcieri wrote:
> On Tue, Dec 2, 2014 at 1:44 PM, Ray Dillinger <bear at sonic.net
> <mailto:bear at sonic.net>> wrote:
>
> Would anybody else here like to share some of the techniques they use?
>
>
> https://cryptocoding.net/index.php/Coding_rules
I've written up my philosophy of RNGs here:
http://iang.org/ssl/hard_truths_hard_random_numbers.html
1. Use what your platform provides. Random numbers are hard, which is
the first thing you have to remember, and always come back to. Random
numbers are so hard, that you have to care a lot before you get
involved. A hell of a lot. Which leads us to the following rules of
thumb for RNG production.
a. Use what your platform provides.
b. Unless you really really care a lot, in which case, you have to
write your own RNG.
c. There isn't a lot of middle ground.
d. So much so that for almost all purposes, and almost all users,
Rule #1 is this: Use what your platform provides. E.g., for *nix, use
urandom [Ptacek].
e. When deciding to breach Rule #1, you need a compelling argument
that your RNG delivers better results than the platform's [Gutmann1].
Without that compelling argument, your results are likely to be more
random than the platform's system in every sense except the quality of
the numbers.
If you find yourself disagreeing with Rule #1, read on...
http://iang.org/ssl/hard_truths_hard_random_numbers.html
iang
More information about the cryptography
mailing list