[Cryptography] OpenSSL CSPRNG work

Mark Steward marksteward at gmail.com
Sun Jul 2 17:46:07 EDT 2017


On Sun, Jul 2, 2017 at 10:22 PM, Jon Callas <jon at callas.org> wrote:

>
> > On Jul 2, 2017, at 12:15 PM, Ray Dillinger <bear at sonic.net> wrote:
> >
> > Arc4random should not be mistaken for a CSPRNG.  It's a good PRNG, but
> > at this point there are enough attacks on it that it's not really good
> > enough for cryptography anymore.  So it should not be certified as
> > cryptographically secure - there is no "pretending" about it, and it is
> > not "gaming" the auditing process.
> >
> > On the other hand, given some particular permutation of 256 elements,
> > its stream of output is entirely repeatable.  So it's fine as a PRNG for
> > repeatable sequences.
>
> Agree totally and then some.
>
> Part of me wants to get fussy about definitions and say that an output
> function is not a RNG. It can be a PRF or PRP, but not an RNG. The other
> part of me just nods along and knows what you mean without getting fussy.
>
> RC4 is not a good PR{F|P}. It has known biases, and those biases are so
> well studied that they are the basis of the recent break against it as a
> cipher. It takes about two megabytes of ciphertext to perform a break
> against it as a cipher. That means it's really not a good output function.
> It is the opposite of cryptographically secure; it is cryptographically
> insecure.
>
> AES in counter mode, any other decent block cipher in counter mode, lots
> of hash functions including the HMACified versions are reasonable.
>


I think Watson Ladd's point will be missed, so to call it out again: in the
context of this discussion, arc4random is a placeholder for ChaCha20 or a
newer replacement, as it is in OpenBSD 5.5+. It doesn't mean RC4.


Mark
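To make concrete the distinction the thread draws between a keyed output function and an RNG, here is an added example (not code from the thread, OpenBSD or OpenSSL): a pure-Python ChaCha20 block function per RFC 8439, wrapped in an arc4random-style byte stream. The key and nonce are assumed inputs; given the same key and nonce the stream is fully repeatable, exactly as Ray notes for a fixed RC4 permutation, so the unpredictability of the output rests entirely on how the key is seeded, not on the stream function.

```python
"""ChaCha20 keystream used as an arc4random-style deterministic output function (example)."""
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _quarter_round(s, a, b, c, d):
    # One ChaCha quarter round on state words a, b, c, d (RFC 8439 section 2.1).
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """Return the 64-byte ChaCha20 block for a 32-byte key, 32-bit counter and 12-byte nonce."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state += [counter & MASK]
    state += struct.unpack("<3I", nonce)
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then diagonal round)
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(working, state)])

class ChaChaStream:
    """arc4random-style byte source: same key and nonce always give the same byte sequence.

    The key is assumed to come from a real entropy source (e.g. os.urandom); this class
    only turns it into a keystream and does not itself gather entropy.
    """
    def __init__(self, key, nonce=bytes(12)):
        self.key, self.nonce, self.counter, self.buf = key, nonce, 0, b""

    def random_bytes(self, n):
        out = bytearray()
        while len(out) < n:
            if not self.buf:
                if self.counter > MASK:  # 32-bit block counter exhausted: caller must reseed
                    raise OverflowError("keystream exhausted; reseed with a fresh key/nonce")
                self.buf = chacha20_block(self.key, self.counter, self.nonce)
                self.counter += 1
            take = min(n - len(out), len(self.buf))
            out += self.buf[:take]; self.buf = self.buf[take:]
        return bytes(out)
```

The block function can be checked against the RFC 8439 test vector (key 00..1f, nonce 000000090000004a00000000, counter 1 gives a block starting 10f1e7e4d13b5915...).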