[Cryptography] OpenSSL CSPRNG work

Jon Callas jon at callas.org
Sun Jul 2 17:22:01 EDT 2017


> On Jul 2, 2017, at 12:15 PM, Ray Dillinger <bear at sonic.net> wrote:
> 
> Arc4random should not be mistaken for a CSPRNG.  It's a good PRNG, but
> at this point there are enough attacks on it that it's not really good
> enough for cryptography anymore.  So it should not be certified as
> cryptographically secure - there is no "pretending" about it, and it is
> not "gaming" the auditing process.
> 
> On the other hand, given some particular permutation of 256 elements,
> its stream of output is entirely repeatable.  So it's fine as a PRNG for
> repeatable sequences.

Agree totally and then some.

Part of me wants to get fussy about definitions and say that an output function is not a RNG. It can be a PRF or PRP, but not an RNG. The other part of me just nods along and knows what you mean without getting fussy.

RC4 is not a good PR{F|P}. It has known biases, and those biases are so well studied that they are the basis of the recent break against it as a cipher. It takes about two megabytes of ciphertext to perform a break against it as a cipher. That means it's really not a good output function. It is the opposite of cryptographically secure; it is cryptographically insecure.

AES in counter mode, any other decent block cipher in counter mode, lots of hash functions including the HMACified versions are reasonable. 
