6/11/2014

In some scenarios unpredictability is not enough. For example, when you
generate a session id, an attacker doesn't have to predict it ahead of
time; they can guess it at any time later. And if they listen to radio
waves - that's an "open protocol", an attacker can set up an antenna near
their antenna and get the same readings.

An interesting point.

Cryptographic PRNG and quantum TRNG are better isolated, so it's harder to read them.

FWIW, a cryptographic PRNG isn't necessarily well-isolated. Being a PRNG, the isolation of a cryptographic PRNG is primarily limited to two main things:

- The isolation of its entropy source(s) (which are not normally part of a crypto-PRNG's specification - it's just left as "choose a good one"), and

- The patterns of how data is drawn from the PRNG.

If the entropy source is poorly isolated (via poor choice of entropy source, or a failure within the entropy source), and the requests being made to the PRNG are relatively predictable or even guessable (quite likely given the nature of software), then a cryptographic PRNG won't be any better isolated than, say, the digits of PI.

TL;DR: The isolation of a cryptographic PRNG is that of its external entropy source, not the cryptographic PRNG algorithm itself.
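To make the TL;DR concrete, here is an added illustration (not code from anyone in this thread): a sound keyed-hash generator, HMAC-SHA256 over a counter, is driven once from a constructed low-entropy seed and once from a 32-byte `os.urandom` seed. The generator algorithm is identical in both cases; the only thing that changes is how many candidate seeds a searcher has to try to reproduce an observed output. The seed-width parameter, the function names and the 12-bit "poor source" are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def csprng_output(seed: bytes, counter: int, nbytes: int = 16) -> bytes:
    """Toy cryptographic PRNG: HMAC-SHA256 keyed with the seed, applied to a
    counter. The algorithm is public and cryptographically sound; its entire
    unpredictability rests on the seed."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:nbytes]


def weak_seed(bits: int) -> bytes:
    """Constructed 'poor entropy source': only `bits` bits of real entropy,
    zero-padded to 32 bytes so the generator still sees a full-length seed.
    (Stands in for a broken or badly chosen source; bits <= 32.)"""
    value = int.from_bytes(os.urandom(4), "big") & ((1 << bits) - 1)
    return value.to_bytes(32, "big")


def strong_seed() -> bytes:
    """A seed from the OS entropy pool, 256 bits of entropy."""
    return os.urandom(32)


def seed_space(bits: int) -> int:
    """Number of candidate seeds an exhaustive search must cover."""
    return 1 << bits


def recover_seed(observed: bytes, counter: int, bits: int) -> Tuple[Optional[bytes], int]:
    """Defender-side check: assume the draw pattern (the counter) is known, as
    it usually is in software, and exhaust a seed space of `bits` bits.
    Returns (seed, tries) if some seed reproduces `observed`, else (None, tries).
    If this succeeds cheaply, the PRNG is only as isolated as its seed source."""
    tries = 0
    for candidate in range(seed_space(bits)):
        tries += 1
        seed = candidate.to_bytes(32, "big")
        if hmac.compare_digest(csprng_output(seed, counter), observed):
            return seed, tries
    return None, tries


if __name__ == "__main__":
    # Same algorithm, poorly isolated entropy source: the token is reproducible.
    s = weak_seed(12)
    token = csprng_output(s, counter=0)
    found, tries = recover_seed(token, 0, 12)
    print("weak seed reproduced:", found == s, "after", tries, "candidates")

    # Same algorithm, well-isolated entropy source: searching the same small
    # space finds nothing; the real space is 2**256 candidates.
    token = csprng_output(strong_seed(), counter=0)
    found, tries = recover_seed(token, 0, 12)
    print("strong seed reproduced:", found is not None, "after", tries, "candidates")
```

The point of the two runs is that nothing about the HMAC construction differs between them; only the entropy behind the seed, and the fact that the request pattern (counter 0) is knowable, decides whether the output can be reproduced later.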

