On 07/26/2011 03:30 PM, Brian Smith wrote:

> There is some agreement that we should maintain separate PRNG state
> for each origin (roughly: domain name), and that all those states
> should be separate from the PRNG state used internally.
> PK11_GenerateRandom currently shares the PRNG state across all
> callers. Does anybody disagree about this separation being necessary?

If you believe there is a need to separate the PRNG state or restrict its output, then you believe there is an attack on the PRNG.

> There was also some concern raised about preventing unnecessary
> depletion of entropy, while still providing good randomness to the
> calling JavaScript code. Suggestions for this would be much
> appreciated.

Complexity added to PRNGs out of concern for entropy depletion has, on several notable occasions, introduced bugs which caused PRNGs to fail badly. OpenSSL, OpenBSD, others.

On the other hand, no one has ever shown a successful attack on a properly designed and implemented PRNG with even 200 bits of state. Maybe there's one I haven't heard about, but I've been looking out for it for some time.

> My current thought is that we should restrict the
> JavaScript API such that an origin can only acquire a certain
> (relatively small) quantity of output from the PRNG.

I understand the mathematical justifications for it, but I believe that model no longer reflects reality. We have to be willing to move beyond certain lessons learned from WWII crypto.

Here's a longer post with my arguments:
http://www.mail-archive.com/cryptography@randombit.net/msg00601.html
Of course, not everyone agrees with me on this (yet :-)

- Marsh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
