[Cryptography] Other obvious issues being ignored?

John-Mark Gurney jmg at funkthat.com
Fri Oct 23 17:55:25 EDT 2015


Philipp Gühring wrote this message on Thu, Oct 22, 2015 at 21:15 +0200:
> Hi,
> 
> I agree that it's impossible to catch every boneheaded issue someone could
> produce. But I think that there is some value in a list of crypto related
> mistakes people make that are not extremely obvious, and that should still
> be avoided.
> 
> E.g.
> * Do not deplete /dev/*random by using fopen() fread() without disabling
> buffering

Sorry, this is not a valid issue...  Once a CSPRNG has enough entropy,
say 256 bits, it can never be depleted.  It just happens that there are
bad implementations out there that think that it is possible.

djb has a good post on this:
http://blog.cr.yp.to/20140205-entropy.html

> * Random number generators have a reasonable usecase for reading
> uninitialized memory

You may be referring to the Debian rng bug here.  I'm not an expert on
the Debian bug, but I don't believe that was the case.

Anyways, modern Unix systems do a very good job to ensure that there
is NO entropy in uninitialized memory, so there should never be a need
to read uninitialized memory for a CSPRNG...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

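An added example, not part of the thread above: the two ways of pulling bytes out of /dev/urandom that the quoted list item contrasts, written so that each one can be checked. With a CSPRNG behind the device, stdio's read-ahead does not "deplete" anything, exactly as the reply says; the practical reasons to prefer an unbuffered read(2) loop are that it handles short reads and EINTR explicitly and that no surplus random bytes are left sitting in a stdio heap buffer after the call. The function names and the 32-byte key size are this example's own choices; on current Linux, getrandom(2) avoids the file descriptor altogether, but the example sticks to the device file the thread discusses.

```c
/* Added example (not from the mailing-list thread): filling a buffer from
 * /dev/urandom.  Function names and the 32-byte size are choices made for
 * this illustration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf[0..n) from /dev/urandom using unbuffered read(2).
 * Returns 0 on success, -1 on error.  read() may return fewer bytes than
 * requested or fail with EINTR, so loop until the buffer is full. */
int read_urandom(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            close(fd);
            return -1;
        }
        if (r == 0) {              /* unexpected EOF on a device file */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* The stdio variant the quoted list item describes: fopen() + fread() with
 * buffering disabled via setvbuf(), so the library does not read ahead and
 * park extra random bytes in a heap buffer that outlives this call. */
int read_urandom_stdio(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    if (setvbuf(f, NULL, _IONBF, 0) != 0) {
        fclose(f);
        return -1;
    }
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Sanity check: an all-zero 32-byte output from a working CSPRNG is
 * astronomically unlikely, so callers can treat it as a failure. */
int looks_nonzero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc != 0;
}

int main(void)
{
    unsigned char key[32];
    if (read_urandom(key, sizeof key) != 0) {
        perror("read_urandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

Both functions return 0 only when every requested byte was obtained, which is the check most callers forget with a single fread() or read() call.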