On Thursday, 2 March 2017 at 21:50:36 UTC, Yuxuan Shui wrote:
On Sunday, 26 February 2017 at 18:23:27 UTC, cym13 wrote:
Hi,

I found many times that people use unpredictableSeed in combination with a normal PRNG for cryptographic purposes. Some even go as far as reseeding at each call to try to make it more secure.

It is a dangerous practice: most PRNGs are not designed with security (and unpredictability) in mind, and unpredictableSeed was definitely not designed with security in mind (or it failed heavily at it). It's a good tool when one needs randomness, not security.

I wrote a blog post to present exactly why this is a bad idea and how it could be exploited [1].

The best would be to add a standard CSPRNG interface to Phobos but we aren't there yet.

[1]: https://cym13.github.io/article/unpredictableSeed.html

When I saw the code for unpredictableSeed I facepalmed really hard.

I did some digging, and it was way way worse:

https://github.com/dlang/phobos/commit/ff54d867e41abc8261075f0dce1261d68ee09180#diff-713ce153554afc99a07767cc8ba940aeL529

https://github.com/dlang/phobos/commit/c433c36658df45677bf90b00e93cba051883294e

This is a misunderstanding: unpredictableSeed is perfectly fine as it is. What's wrong is 1) using it for cryptographic purposes and 2) systematic reseeding.

1) There is no way to make a cryptographically secure pseudo-random number generator that is seedable. If a PRNG is seedable then its number of states is finite, which makes it cycle one way or another once you've expended all possible states. So no cryptographic application should use such a PRNG, and therefore any seed. For non-cryptographic purposes unpredictableSeed is, honestly, random enough. It isn't your actual PRNG (or shouldn't be, see point 2) but is only used to reseed it from time to time.

2) The big mistake is systematic reseeding, which is far more common than it should be. Using unpredictableSeed as a seed is fine; the actual PRNG that is seeded will add a lot of entropy to the output. However, by systematically reseeding, it makes unpredictableSeed the PRNG that is actually used (i.e., it doesn't leave it any time to add entropy). And that is something that should never happen, because the PRNG in unpredictableSeed is the weakest possible. It is not meant to be the actual PRNG.

So this article wasn't meant to be "Haha, Phobos is broken, *facepalm*". It was about using tools for what they're meant and nothing else (especially when dealing with cryptographic problems). The problem, if anything, is in the documentation that doesn't enforce that point.
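An added illustration of point 2, written for this thread and not code from the thread, from Phobos or from the linked article. Python's `random.Random` stands in for the seeded PRNG and a constructed 16-bit generator (`WeakSeedSource`, an assumption for demonstration, not the real unpredictableSeed) stands in for the seed source. The functions `reseed_every_call` and `seed_once` are mine. The point it shows: when the PRNG is reseeded on every call, the number of distinct outputs and the cycle length are bounded by the seed source's state space, so the seed source has become the generator; seeding once lets the PRNG's own (much larger) state drive the stream.

```python
import random


class WeakSeedSource:
    """Constructed stand-in for a small-state seed source (NOT unpredictableSeed).

    A 16-bit linear congruential step with full period 65536, so the
    seed space an observer would have to enumerate is deliberately tiny.
    """

    MASK = 0xFFFF

    def __init__(self, state: int):
        self.state = state & self.MASK

    def next_seed(self) -> int:
        # a = 0x9E35 satisfies the Hull-Dobell conditions modulo 2**16,
        # so the state visits all 65536 values before repeating.
        self.state = (self.state * 0x9E35 + 1) & self.MASK
        return self.state


def reseed_every_call(src: WeakSeedSource, n: int) -> list:
    """Anti-pattern: build a fresh PRNG from a new seed for every value.

    Each output is a pure function of the seed, so the stream inherits the
    seed source's period and can never contain more distinct values than
    the seed source has states.
    """
    out = []
    for _ in range(n):
        rng = random.Random(src.next_seed())
        out.append(rng.getrandbits(64))
    return out


def seed_once(src: WeakSeedSource, n: int) -> list:
    """Intended use: seed the PRNG once, then advance its own state.

    The stream now depends on the PRNG's internal state (Mersenne Twister
    here), not on the seed source's period. Note that the whole stream is
    still determined by that single seed; no PRNG adds entropy, which is
    why a seedable PRNG is not a CSPRNG either way (point 1 above).
    """
    rng = random.Random(src.next_seed())
    return [rng.getrandbits(64) for _ in range(n)]


def distinct_outputs(stream: list) -> int:
    """Number of distinct values in a stream; a cheap indicator of collapse."""
    return len(set(stream))


def demo(initial_state: int = 12345, n: int = 70000) -> tuple:
    """Return (distinct values with per-call reseeding, distinct values when seeded once).

    With n > 65536 draws, the reseed-every-call stream cannot exceed 65536
    distinct values, while the seed-once stream of 64-bit values is, with
    overwhelming probability, entirely distinct.
    """
    reseeded = reseed_every_call(WeakSeedSource(initial_state), n)
    once = seed_once(WeakSeedSource(initial_state), n)
    return distinct_outputs(reseeded), distinct_outputs(once)


if __name__ == "__main__":
    collapsed, healthy = demo()
    print(f"reseed every call: {collapsed} distinct of 70000")
    print(f"seed once:         {healthy} distinct of 70000")
```

The same collapse happens with any seed source whose state space is smaller than the PRNG's; the toy 16-bit source only makes it visible in a few seconds instead of after 2^32 draws.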
