On 6/11/2014 12:35 PM, Kagamin wrote:
> In some scenarios unpredictability is not enough. For example, when you
> generate a session id, an attacker doesn't have to predict it ahead of
> time; they can guess it at any time later. And if they listen to radio
> waves - that's an "open protocol", an attacker can set up an antenna near
> their antenna and get the same readings.
An interesting point.
> Cryptographic PRNG and quantum TRNG are better isolated, so it's harder
> to read them.
FWIW, a cryptographic PRNG isn't necessarily well-isolated. Being a
PRNG, the isolation of a cryptographic PRNG is primarily limited to two
things:
- The isolation of its entropy source(s) (which are not normally part of
a crypto-PRNG's specification - it's just left as "choose a good one"), and
- The patterns of how data is drawn from the PRNG.
If the entropy source is poorly isolated (via a poor choice of entropy
source, or a failure within the entropy source), and the requests being
made to the PRNG are relatively predictable or even guessable (quite
likely given the nature of software), then a cryptographic PRNG won't be
any better isolated than, say, the digits of pi.
TL;DR: The isolation of a cryptographic PRNG is that of its external
entropy source, not the cryptographic PRNG algorithm itself.
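The point made in the reply above, as an added example that is not part of the original thread: a toy CSPRNG-style generator (HMAC-SHA256 in counter mode, a simplified stand-in for a real DRBG, assumed here for illustration) is used to mint session ids. The algorithm is public, and the draw pattern (which output becomes the session id) is assumed to be one of the first few draws, as it usually is in software. The only secret is the seed. When the seed comes from a 16-bit entropy source, an attacker who sees one session id simply brute-forces the seed space and the draw index; when the seed comes from os.urandom, the same search finds nothing. The names `HmacCounterPrng`, `weak_seed`, `strong_seed` and `attacker_recovers_weak_session` are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


class HmacCounterPrng:
    """Toy CSPRNG-style generator: HMAC-SHA256 keyed with a hash of the seed,
    run in counter mode. Assumed stand-in for a real DRBG, not the thread's code.
    Its unpredictability comes entirely from the seed."""

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def session_id_from_seed(seed: bytes, draw: int = 0) -> str:
    """Mint a 128-bit session id as the `draw`-th 16-byte output of the PRNG.
    `draw` models the application's draw pattern (e.g. earlier draws went to
    other users or other purposes)."""
    prng = HmacCounterPrng(seed)
    for _ in range(draw):
        prng.next_bytes(16)
    return prng.next_bytes(16).hex()


# Weak entropy source (constructed for the example): the seed is a 16-bit value,
# e.g. a truncated timestamp or a PID. The PRNG algorithm itself is unchanged.
WEAK_SEED_SPACE = 2 ** 16


def weak_seed(value: int) -> bytes:
    return value.to_bytes(2, "big")


def strong_seed() -> bytes:
    """Well-isolated entropy source: the OS CSPRNG."""
    return os.urandom(32)


def attacker_recovers_weak_session(target: str,
                                   max_draws: int = 4) -> Optional[Tuple[int, int]]:
    """Attacker knows the algorithm and guesses the draw pattern (first few draws).
    Exhausts the 16-bit seed space; returns (seed_value, draw) on a hit, else None."""
    for v in range(WEAK_SEED_SPACE):
        prng = HmacCounterPrng(weak_seed(v))
        for d in range(max_draws):
            if prng.next_bytes(16).hex() == target:
                return (v, d)
    return None


if __name__ == "__main__":
    # Constructed scenario: server seeded with 0x1234, session id is the 3rd draw.
    observed = session_id_from_seed(weak_seed(0x1234), draw=2)
    print("weak seed recovered:", attacker_recovers_weak_session(observed))
    print("strong seed recovered:", attacker_recovers_weak_session(
        session_id_from_seed(strong_seed())))
```

The search costs about 2^18 HMAC calls here, i.e. well under a second; the same algorithm seeded from os.urandom faces a 2^256 seed space, which is the difference the reply describes. Nothing in the HMAC construction changed between the two runs, only the entropy feeding it.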