Re: $RANDOM not Cryptographically secure pseudorandom number generator

From	Eduardo Bustamante <dualbus@gmail.com>
Newsgroups	gnu.bash.bug
Subject	Re: $RANDOM not Cryptographically secure pseudorandom number generator
Date	2018-12-03 10:53 -0800
Message-ID	<mailman.5102.1543864166.1284.bug-bash@gnu.org> (permalink)
References	(1 earlier) <868cc2da-cf67-298f-4640-ab1afcf857e0@case.edu> <CA+4vN7wkuCya7FES1HXiyFTF3a=pkVSdhVCthmjR29OwCAKZng@mail.gmail.com> <fa0b238c-9cb5-a840-ec6b-15cfd11d15cd@case.edu> <CA+4vN7zP26E6o13ysfppv8zjMWDV5BgQNQ1i6GP-3pg_ewVVeA@mail.gmail.com> <20181203173551.rpejfigeboqz6f4v@eeg.ccf.org>

Show all headers | View raw

On Mon, Dec 3, 2018 at 9:36 AM Greg Wooledge <wooledg@eeg.ccf.org> wrote:
>
> On Mon, Dec 03, 2018 at 05:31:18PM +0100, Ole Tange wrote:
> > Luckily I did not just assume that Bash delivers high quality random
> > numbers, but I read the source code, and then found that the quality
> > was low. I do not think must users would do that.
>
> You're correct.  Most users would not have to read the source code to
> know that the built-in PRNG in bash (or in libc, or in basically ANY
> other standard thing) is of lower than cryptographic quality.
>
> Most users already KNOW this.

I have to echo this. If you are writing an application that requires
high quality random number, the onus is on YOU to ensure that you're
using quality sources and a good CSRNG. It would be a user mistake to
just use whatever the standard library of the run-time you're using
provides. Do we have to change C's rand() too? Or python's "random"
module? Or perl's "rand"? Or ruby's? (etc etc)

I do agree that adding a note in the manual to this effect would be nice though.

Back to gnu.bash.bug | Previous | Next | Find similar | Unroll thread

Thread

Re: $RANDOM not Cryptographically secure pseudorandom number generator Eduardo Bustamante <dualbus@gmail.com> - 2018-12-03 10:53 -0800

csiph-web