英文:
Is there a significant difference between using a in built random number generator vs using cryptographic random number generator?
问题
我在浏览Crypto++库的RNG页面时,我在思考是否使用类似以下内容存在任何问题:
std::srand(std::time(nullptr)); //使用当前时间作为种子
与Crypto库中的RNG之一相比,可能有什么问题?
我是密码学新手,但一个可能的论点可能是Crypto RNG函数具有防碰撞性?然而,我不确定它们在数量上有多么更好/更强。
英文:
I was going through the Crypto++ library RNG page and I was wondering is there any issues with using something like
std::srand(std::time(nullptr)); //using the current time as seed
compared to the one of the rng in crypto library?
I'm beginner in cryptography, but one possible argument could be that the crypto rng functions are collision resistant ? However, I'm not sure how much better/stronger they are quantitively
答案1
得分: 3
非加密的“随机”来源不适用于加密目的,因为它们可能会产生不同的值,但这些值可能至少具有以下问题:
- 可能具有可预测的种子(通常是时间 - 预测程序启动的时间可能将真正的熵减少到几个值的数量级)
- 可能依赖于其他低系统熵(考虑在运行之间克隆的虚拟机)
- 在不同环境中可能表现不佳或逻辑上较不复杂(也许它们使用
size_t然后面向 16 或 32 位微控制器) - 可能来自相当有限的池(查看 DOOM
m_random.c以获取一个极端情况) - 即使池很大,如果顺序始终相同,结果的子集可能足以预测即将出现的值
- 可能不是在恒定的时间内生成(潜在泄漏内部状态的信息)。
英文:
Non-cryptographic "random" sources are not suitable for cryptographic purposes because while they may produce values which are indeed different, the values may at least..
- perhaps have a predictable seed (often the time - predicting when a program started can cut the real entropy down to a few orders of values)
- perhaps rely on other low system entropy (consider a cloned VM between runs)
- behave badly or be logically less-complex in different environments (perhaps they use
size_tand then target a 16 or 32-bit microcontroller) - come from a quite limited pool (see DOOM
m_random.cfor an extreme case) - even if the pool is large, a subset of the results may be sufficient to predict upcoming values if the ordering is always the same
- not be produced in constant time (potentially leaking information about internal state)
答案2
得分: 1
Yes
There is a huge difference.
There are four classes of “random” numbers, categorized by the cross-section of two basic properties:
insecure secure
┌──────────────────┐ ┌──────────────────┐
p │ PRNG │ │ CSPRNG │
s ├──────────────────┤ ├──────────────────┤
e │ rand() │ │ │
u │ LCG │ │ /dev/urandom │
d │ Mersenne Twister │ ← │ MS CryptoAPI │
o │ XOR Shift │ │ (and many more) │
│ etc │ │ │
└──────────────────┘ └──────────────────┘
↑
┌──────────────────┐ ┌──────────────────┐
│ TRNG │ │ STRNG │
t ├──────────────────┤ ├──────────────────┤
r │ Noise Sampling │ │ (a TRNG that │
u │ Radioactive Decay│ │ has been │
e │ Lightning Strikes│ → │ unbiased, or │
│ Double Pendulums │ │ “whitened” ) │
│ etc │ │ │
└──────────────────┘ └──────────────────┘
The pseudo-random numbers are the ones people tend to think of when we say “random number library”.
The insecure numbers are useful only for things like video games and other non-critical stuff.
Anything to do with security or cryptography, however, has to come from the secure side. Since it is possible to exhaust a STRNG we use CSPRNGs for just about everything. CSPRNGS are no less secure than a STRNG.
<sup>The arrows in the above diagram show the direction of travel for things like initialization and entropy renewal — something you probably don’t have to care about.</sup>
The C++ Standard Library, with one (possible) exception, is all insecure PRNGs.
The only CSPRNG in the standard library (probably) is std::random_device, and it sucks. (Its various implementations have improved significantly since its introduction, but it is still a truly awful thing. I detest it so much I even wrote a small library to replace it in 2017<sup>[1]</sup>: https://github.com/Duthomhas/CSPRNG )
However, if you are working with a specific cryptography API, stick with that. It may not be particularly C++ friendly, but it provides superior facilities to do what you intend to do with it.
If you really want to learn more about this stuff, I recommend taking a University-level course somewhere at the 300-level. Most of the stuff you can find on the internet about cryptography and security is diluted by nonsense written by well-meaning folks who don’t know what they’re talking about, leaving beginners with a really muddled view of it all.
<sup>1 • Way back when one popular implementation was still implementing Randall Munroe’s joke as a placeholder. More good reading at explainxkcd.com.</sup>
英文:
Yes
There is a huge difference.
There are four classes of “random” numbers, categorized by the cross-section of two basic properties:
insecure secure
┌──────────────────┐ ┌──────────────────┐
p │ PRNG │ │ CSPRNG │
s ├──────────────────┤ ├──────────────────┤
e │ rand() │ │ │
u │ LCG │ │ /dev/urandom │
d │ Mersenne Twister │ ← │ MS CryptoAPI │
o │ XOR Shift │ │ (and many more) │
│ etc │ │ │
└──────────────────┘ └──────────────────┘
↑
┌──────────────────┐ ┌──────────────────┐
│ TRNG │ │ STRNG │
t ├──────────────────┤ ├──────────────────┤
r │ Noise Sampling │ │ (a TRNG that │
u │ Radioactive Decay│ │ has been │
e │ Lightning Strikes│ → │ unbiased, or │
│ Double Pendulums │ │ “whitened” ) │
│ etc │ │ │
└──────────────────┘ └──────────────────┘
The pseudo-random numbers are the ones people tend to think of when we say “random number library”.
The insecure numbers are useful only for things like video games and other non-critical stuff.
Anything to do with security or cryptography, however, has to come from the secure side. Since it is possible to exhaust a STRNG we use CSPRNGs for just about everything. CSPRNGS are no less secure than a STRNG.
<sup>The arrows in the above diagram show the direction of travel for things like initialization and entropy renewal — something you probably don’t have to care about.</sup>
The C++ Standard Library, with one (possible) exception, is all insecure PRNGs.
The only CSPRNG in the standard library (probably) is std::random_device, and it sucks. (Its various implementations have improved significantly since its introduction, but it is still a truly awful thing. I detest it so much I even wrote a small library to replace it in 2017<sup>[1]</sup>: https://github.com/Duthomhas/CSPRNG )
However, if you are working with a specific cryptography API, stick with that. It may not be particularly C++ friendly, but it provides superior facilities to do what you intend to do with it.
If you really want to learn more about this stuff, I recommend taking a University-level course somewhere at the 300-level. Most of the stuff you can find on the internet about cryptography and security is diluted by nonsense written by well-meaning folks who don’t know what they’re talking about, leaving beginners with a really muddled view of it all.
<sup>1 • Way back when one popular implementation was still implementing Randall Munroe’s joke as a placeholder. More good reading at explainxkcd.com.</sup>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论