Hacker News new | past | comments | ask | show | jobs | submit login

If you’re shopping for a CSPRNG, one of the items that should be very high on your list is being able to call the setSeed function multiple times and have the inputs compose instead of clobber each other.

You can send half-random input in and then send more half-random input in until you’re satisfied that the RNG has gotten a suitable amount of entropy. Do not chop, rearrange, hash, or bit shift the data trying to make it “stronger” the CSPRNG will do an infinitely better job of doing that for you. Just treat it like a Mr Fusion. Drop a can, a banana peel and the stale beer in and let it cook.

I gave a similar speech to a team trying to initialize SSL sessions on an embedded machine. “But what if we XOR…” No. Stahp.




Can you give some examples of CSPRNG implementations that allow this?


The ones in Java did in the context of the original discussion. And cryptographic hash based PRNG should have the capability of doing so, it’s an implementation detail whether you restart the data collection or append the data.

Just poke in the setSeed function and see what it does.


The Linux rng allows writing to a file to effect this.


AFAIU the blog author is taking the correctly randomly generated UUID and just cutting out the timestamp portion.

Why are you equating that to a hacky attempt to make less random data more random?


Because it’s essentially setSeed(getTimeMillis()). V6 and v7 are sortable, that’s why they exist. Which means like getTimeMillis() there are a finite number of starting points to try to guess the seed.


This is v4.


v6 is a transform of v1 UUIDs to behave like v7 keys with respect to database indexing - increasing over time. If it’s a function of time, then it’s still guessable by brute force.

Another responder suggested that the mention of v6 UUIDs is an error. Maybe. But that’s a truly bizarre typo to make. And they still haven’t fixed it.


But you could google Postgres UUID and confirm that they only provide v4? Instead of continuing a rant based on incorrect assumptions.

https://www.postgresql.org/docs/current/functions-uuid.html


You seem to be saying that

setSeed(0); setSeed(1); rand()

and

setSeed(1); rand()

returning different values is not only a good idea but is already a thing. Am I wrong?

This would confuse the hell out of me, what specifically has this behaviour?


If you’re trying to create a repeatable source of randomness for unit testing for example, you would create a new PRNG for each run, not try to recycle an existing instance. You’re making assumptions about state that aren’t supportable.


The behavior you are describing is not setting a seed. A seed should wipe out all existing state.

Adding entropy is a very different operation.


> You can send half-random input in and then send more half-random input in until you’re satisfied that the RNG has gotten a suitable amount of entropy.

This does not actually work. If an attacker can observe output of the CSPRNG, and knows the initial state (when it did not yet have enough entropy), then piecemeal addition of entropy allows the attacker to bruteforce what the added entropy was. To be safe, you need to add a significant amount of entropy at once, without allowing the attacker to observe output from an intermediate state. But after you've done that, you won't ever need to add entropy again.


You’re right, but I did not read GP to suggest otherwise.

GP does not suggest using the output before enough entropy had been gathered, eg see ‘until’ in:

> until you’re satisfied that the RNG has gotten a suitable amount of entropy.


Sibling already answered this. I don’t know how you came to this conclusion.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: