[Cryptography] Other obvious issues being ignored?

ianG iang at iang.org
Sat Oct 24 19:29:48 EDT 2015


On 22/10/2015 20:15 pm, Philipp Gühring wrote:
> Hi,
>
> I agree that it's impossible to catch every boneheaded issue someone could
> produce. But I think that there is some value in a list of crypto related
> mistakes people make that are not extremely obvious, and that should still
> be avoided.
>
> E.g.
> * Do not deplete /dev/*random by using fopen() fread() without disabling
> buffering
> * Random number generators have a reasonable use case for reading
> uninitialized memory


The problem with talking about RNGs is that they are in a special space 
in cryptography - there is no easy black box testing.  No trial params 
we can put in to show it is working.  This makes them hard to get right, 
hard to prove and *hard to teach*.

Not surprisingly, opinion has changed a lot over time as to how to deal 
with RNGs.

Right now, the favoured approach is:  don't do it.  Considered & better 
advice is to leave RNGs to the core heavy specialists who can spend a 
lot of time on getting it right.

Or as I say it:  use what your platform provides [0].  Others say it 
more simply:  use /dev/urandom [1].

Now, that disposes of the second point - you shouldn't be making up your 
own RNG anyway.

The first point - depleting /dev/*random - is a good one because it 
actually points at a flaw in the interface for Linux's /dev/random. 
Linux still sticks to the old concept of delivering "entropy" when our 
thinking has moved on dramatically since those days.  Now we deliver 
"cryptographically secure random numbers" and plenty of them.  This is a 
strictly wider set than "entropy" but also a more tractable one because 
it avoids the rather traumatic implications of entropy, e.g., "running 
out."  So, in short, Linux needs to update to the modern thinking here 
and telling people to program around Linux is probably wasted effort [2].


tl;dr - use /dev/urandom (Linux's /dev/random is broken if it runs out).



iang



[0] http://iang.org/ssl/hard_truths_hard_random_numbers.html
[1] http://www.2uo.de/myths-about-urandom/
[2] I think it was FreeBSD that first fixed the /dev/*random to do a 
pure CSRNG, and I for one hated it.  It took me probably a decade to 
figure out that it was indeed the right thing to do...
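Added example, not part of the post above or of any project it mentions: two ways of pulling key material from the platform CSPRNG, /dev/urandom, that do not over-read the device. The raw open()/read() path is the one to prefer; the stdio path shows the setvbuf() fix for the fopen()/fread() buffering pitfall Philipp lists. It assumes a POSIX system with /dev/urandom; on current Linux getrandom(2) is the cleaner call but is left out so the block compiles anywhere. The function names and the 16-byte size are the example's own choices.

```c
/* Added example: read random bytes from /dev/urandom without over-reading.
 * Not code from the mailing-list post.  Assumes a POSIX system with
 * /dev/urandom.  getrandom(2) would be preferable on recent Linux. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf[0..n) from /dev/urandom with raw read(2).  Handles short reads
 * and EINTR and never asks the device for more than n bytes.
 * Returns 0 on success, -1 on failure with errno set. */
int fill_random_fd(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;               /* interrupted by a signal: retry */
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        if (r == 0) {                   /* EOF must not happen on urandom */
            close(fd);
            errno = EIO;
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Same thing through stdio.  Without setvbuf(), a 16-byte fread() pulls a
 * whole stdio buffer (BUFSIZ, typically 4096 or 8192 bytes) out of the
 * device and throws the rest away on fclose(); against the blocking
 * /dev/random that is the "depletion" the thread describes.  _IONBF makes
 * fread() request exactly what the caller asked for. */
int fill_random_stdio(unsigned char *buf, size_t n)
{
    FILE *fp = fopen("/dev/urandom", "rb");
    if (fp == NULL)
        return -1;
    if (setvbuf(fp, NULL, _IONBF, 0) != 0) {
        fclose(fp);
        return -1;
    }
    size_t got = fread(buf, 1, n, fp);
    fclose(fp);
    return got == n ? 0 : -1;
}

/* True if two n-byte buffers differ.  Two independent 16-byte CSPRNG outputs
 * differ with probability 1 - 2^-128, so this is a usable sanity check. */
int buffers_differ(const unsigned char *a, const unsigned char *b, size_t n)
{
    return memcmp(a, b, n) != 0;
}

/* Self-check: both paths succeed and produce distinct 16-byte values.
 * Returns 1 on success, 0 otherwise. */
int self_check(void)
{
    unsigned char k1[16], k2[16];
    if (fill_random_fd(k1, sizeof k1) != 0)
        return 0;
    if (fill_random_stdio(k2, sizeof k2) != 0)
        return 0;
    return buffers_differ(k1, k2, sizeof k1);
}

int main(void)
{
    unsigned char key[16];
    if (fill_random_fd(key, sizeof key) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);         /* hex dump of a fresh 128-bit value */
    putchar('\n');
    return self_check() ? 0 : 1;
}
```

The raw read() loop is what libraries actually do under the hood; the stdio variant is only there to make the buffering point concrete. If a program does stay with fopen(), the setvbuf() line is the difference between reading 16 bytes and reading a whole buffer's worth.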

