[Esapi-user] ESAPI Random Number Generation Broken

Kevin W. Wall kevin.w.wall at gmail.com
Wed Jun 25 23:25:51 UTC 2014


On Wed, Jun 25, 2014 at 6:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
> The rabbit hole here is •very• deep.
>
> I encourage you to read the following from Thomas Ptacek.
>
> http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
>

Here's my TL;DR version...

Ideally, reading from /dev/urandom would be better than using SecureRandom, BUT it is:
   1) Not as convenient
   2) Definitely not as portable
You could of course write your own portable wrapper, but that's what SecureRandom is *intended* to be. Early versions were an epic failure (wrt the initial seeding).

Secondly, Ptacek says there's no difference between /dev/urandom and /dev/random. For all practical purposes, that is true with the exception of shortly after system boot times. /dev/random blocks if you ask it for N bytes and it has not gathered sufficient entropy from the system; /dev/urandom will not block but simply say, okay, here's the best I've got. But that is a VERY important difference!!! Why? Because when do all those processes request most of the random values? Right; shortly after system boot from the various processes started from the 'rc' scripts (/etc/init.d). So by not blocking, someone is going to end up with random values that are more likely to be predictable.

If someone wants to jump onto a G+ hangout or Skype session or whatever, I'm willing to talk about this...assuming that I get a chance to talk and am not interrupted. I'm available for the next 45 minutes. (It's now 7:23pm EDT.)

-kevin
P.S.- This was my 'tl;dr' version. Now you know why I don't Tweet, right? :)

-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
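The "portable wrapper" the message describes, as an added example that is not part of the original thread and not ESAPI code: a small Java class that prefers the JVM's urandom-backed, non-blocking SecureRandom source and falls back to the platform default where that source is not registered. The class name, the field names and the preference order are assumptions of this example; the algorithm names "NativePRNGNonBlocking" and "NativePRNG" are the ones the SUN provider registers on Unix-like JVMs from Java 8 onward.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Hypothetical portable wrapper (example code, not ESAPI's own) that picks a
 * CSPRNG source in the spirit of the thread: prefer the kernel's non-blocking
 * pool (/dev/urandom on Unix-like systems) and fall back to the JVM default.
 */
public final class PortableRandom {

    // Algorithm names registered by the SUN provider on Unix-like JVMs (Java 8+).
    // Neither exists on Windows, so the loop falls through to the default there.
    private static final String[] PREFERRED = {
        "NativePRNGNonBlocking", // nextBytes() and generateSeed() read /dev/urandom; never blocks
        "NativePRNG"             // nextBytes() from /dev/urandom, generateSeed() from /dev/random
    };

    private final SecureRandom rng;

    public PortableRandom() {
        this.rng = select();
    }

    private static SecureRandom select() {
        for (String alg : PREFERRED) {
            try {
                return SecureRandom.getInstance(alg);
            } catch (NoSuchAlgorithmException e) {
                // Not available with this platform/provider; try the next candidate.
            }
        }
        // The no-arg constructor returns the highest-priority SecureRandom of the
        // installed providers (e.g. Windows-PRNG on Windows). It does not block,
        // but its seed quality is whatever the platform can offer at the time.
        return new SecureRandom();
    }

    /** Name of the algorithm actually selected, useful for logging at startup. */
    public String source() {
        return rng.getAlgorithm();
    }

    /** Fill and return n random bytes from the selected source. */
    public byte[] bytes(int n) {
        byte[] out = new byte[n];
        rng.nextBytes(out);
        return out;
    }

    public static void main(String[] args) {
        PortableRandom pr = new PortableRandom();
        System.out.println("SecureRandom algorithm in use: " + pr.source());
        StringBuilder hex = new StringBuilder();
        for (byte b : pr.bytes(16)) {
            hex.append(String.format("%02x", b));
        }
        System.out.println("16 random bytes: " + hex);
    }
}
```

Logging the selected algorithm at startup is the cheap check that tells you which of the two behaviours the message contrasts you actually got. The wrapper does not remove the early-boot caveat raised above: a non-blocking source will hand out output before the kernel pool is seeded, so a service that generates long-lived keys very early in boot is the one case where the blocking source (in Java, `SecureRandom.getInstanceStrong()`, which on Unix defaults to the blocking native PRNG) is the more defensible choice.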

