On 7 July 2016 at 21:33, Dan Ackroyd <dan...@basereality.com> wrote:
>> I think we need to drop the concerns about exposing "RNG state".
>>
>> If these are weak RNGs on your system, YOUR SYSTEM is broken.
>
> Telling people that their system is broken isn't going to be
> comforting to the people it happens to.

Of course it isn't. If I find out suddenly that /dev/urandom is
somehow predictable I would be incredibly uncomfortable. However the
least of my worries would be PHP's session id generation.

> There are always bugs in software and hardware. At some point it is
> almost inevitable that there will be some information leak through
> exposing the random numbers directly. Just telling people that their
> system is broken and they need to buy new hardware immediately,
> rather than just being able to re-enable hashing seems a bad choice.

I feel like we're back to the discussions around random_bytes() again.

The random number generators being used here are designated CS for a
reason. They are not like deterministic RNGs where you can give them
simple seed and produce the same set of outputs. They draw on
environmental noise for additional entropy and where appropriate they
reseed regularly, far before any useful statistical information can be
gathered.

In the case of urandom it actually performs a SHA1 on its pool,
CryptGenRandom mixes in data that has been MD4 hashed, arc4random_buf
is literally a stream cipher. These are well maintained and vetted
systems. An extra round of hashing is simply unnecessary overhead.

> But even without accidental bugs, the scenario I remain concerned
> with is when a piece of hardware or software is compromised by a
> sophisticated attacker, (hello NSA!) and the 'random' numbers
> generated have some subtle pattern to them. To almost everyone, the
> random numbers generated would still look random. But to the
> organisation that compromised the system, and so knows the algorithm
> that is leaving traces in the random sequences, exposing the random
> numbers directly to the outside world would be an obvious but almost
> untraceable line of attack on the system.

I know it's easy to say: If your system has been compromised you have
bigger problems. But this is pretty much the fact of it. If someone
has the ability to make your system CSPRNG predictable, they can
almost certainly get anything else they want from the system anyway
without resorting to that.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
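Two of the claims above can be checked mechanically: an attacker who already knows the generator's internal state gains nothing from an extra hash round, and hashing cannot add entropy the source never had. The following Python is an added example, not code from this thread or from PHP's own session handling. The generator, its leaked seed and the raw/hashed session id derivations are constructed for illustration; the toy generator stands in for a CSPRNG whose state has been compromised, and the "hashed" variant stands in for the extra hashing step being debated.

```python
import hashlib


class ToyPredictableRng:
    """Constructed stand-in for a generator whose internal state an attacker
    has learned (the "compromised CSPRNG" scenario in the thread).  Output is
    SHA-256 over a secret seed and a counter, so it looks random to an outside
    observer but is exactly reproducible by anyone holding seed and counter."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.seed = seed
        self.counter = counter

    def get_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.seed + self.counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
            self.counter += 1
        return out[:n]


def session_id_raw(rng: ToyPredictableRng, nbytes: int = 16) -> str:
    """Session id as hex of the raw generator output (no extra hashing)."""
    return rng.get_bytes(nbytes).hex()


def session_id_hashed(rng: ToyPredictableRng, nbytes: int = 16) -> str:
    """Session id with the extra SHA-1 round the thread debates."""
    return hashlib.sha1(rng.get_bytes(nbytes)).hexdigest()


def attacker_predicts(seed: bytes, n_ids: int = 5) -> tuple:
    """The server issues n_ids ids each way; an attacker who knows the seed
    runs an identical clone alongside it.  Returns
    (raw_ids_predicted, hashed_ids_predicted); both come out True, because
    the hash is a public function of state the attacker already has."""
    server_raw = ToyPredictableRng(seed)
    server_hashed = ToyPredictableRng(seed)
    issued_raw = [session_id_raw(server_raw) for _ in range(n_ids)]
    issued_hashed = [session_id_hashed(server_hashed) for _ in range(n_ids)]

    clone_raw = ToyPredictableRng(seed)
    clone_hashed = ToyPredictableRng(seed)
    guessed_raw = [session_id_raw(clone_raw) for _ in range(n_ids)]
    guessed_hashed = [session_id_hashed(clone_hashed) for _ in range(n_ids)]
    return issued_raw == guessed_raw, issued_hashed == guessed_hashed


def distinct_ids(state_bits: int) -> tuple:
    """A generator with only 2**state_bits reachable internal states yields at
    most 2**state_bits distinct ids whether or not the output is hashed:
    a hash cannot add entropy to its input.  Returns
    (distinct_raw_ids, distinct_hashed_ids) over every possible state."""
    raw, hashed = set(), set()
    for state in range(2 ** state_bits):
        seed = state.to_bytes(4, "big")
        raw.add(session_id_raw(ToyPredictableRng(seed)))
        hashed.add(session_id_hashed(ToyPredictableRng(seed)))
    return len(raw), len(hashed)


if __name__ == "__main__":
    print(attacker_predicts(b"leaked-seed"))  # (True, True)
    print(distinct_ids(8))                    # (256, 256)
```

The second function is the stronger point for the "unnecessary overhead" argument: with 8 bits of state there are 256 possible ids either way, so a brute-force attacker's work is identical with or without the hash. What the hash does change is whether an observer can learn anything about the raw output stream, which is the concern in the quoted reply, and that is a separate question from entropy.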