Hi Simon.

>That's 2^64 values.

That's not the same as the repetition/period. Also, sqlite3_randomness can supply up to n bytes so isn't limited to 8 bytes.

>"You're not going to catch any one of us saying here publicly "This is good enough for all cryptographic purposes." since we have no intention of being implicated in some disaster."

"Cryptographically secure PRNG" has specific test criteria so it's not unreasonable to ask whether it meets the spec or not (there are a couple though NIST, BSI et al.). I suppose what you are really saying is the work has not been done therefore the answer is "No, it is not a CSPRNG" and the repetition rate is unknown for all platforms. ("we don't know" is an acceptable answer by the way although I would have thought it had been looked at because of the SQLite Encryption Extension)

Oh well. It was worth a try. Like I said, it would have been a great bonus.

Thanks for your input.

Udon Shaun

________________________________
From: Simon Slavin <slav...@bigfraud.org>
To: Udon Shaun <udon_sh...@yahoo.com>
Sent: Friday, May 24, 2013 9:27 PM
Subject: Re: [sqlite] sqlite3_randomness Quality

On 24 May 2013, at 9:03pm, Udon Shaun <udon_sh...@yahoo.com> wrote:

> Ok. Good start. So we are talking about 2^24?

<http://www.sqlite.org/lang_corefunc.html>

"The random() function returns a pseudo-random integer between -9223372036854775808 and +9223372036854775807."

That's 2^64 values.

> Has any work been done to ascertain the quality on each platform, or is it
> just a case of it "seems" good enough for locking and SQL on ALL platforms as
> Simon seems to be saying. (urandom is, after all, as near to random as can be
> expected from a machine so technically you wouldn't need an RC4 on top for
> that platform)

Although seeding is done differently on each platform (derived from values supplied by different OSen), as Doctor Hipp wrote the function that is seeded is the widely-used well-analysed function described here:

<http://en.wikipedia.org/wiki/RC4>

Take a look. If you feel it's secure enough for your purposes, go ahead and use it.

You're not going to catch any one of us saying here publicly "This is good enough for all cryptographic purposes." since we have no intention of being implicated in some disaster.

Simon.