From: tom@...
Date: 2018-08-29T16:34:28+00:00
Subject: [ruby-core:88737] [Ruby trunk Bug#15039] Random.urandom and SecureRandom arc4random use

Issue #15039 has been updated by Freaky (Thomas Hurst).

shyouhei (Shyouhei Urabe) wrote:
> Freaky (Thomas Hurst) wrote:
> > The other is clarifying the intent of `Random.urandom` and the priorities of `SecureRandom`. Following #9569, *are* they meant to be avoiding using userspace CSPRNGs? They do so on Linux and Windows, but don't on platforms with arc4random().
>
> As far as I understand, Random.urandom intends to be cryptographically secure; nothing more.

Doesn't the name rather waggle its eyebrows at you while glancing pointedly at /dev/urandom? Why else call it that?

> My attempt when fixing #9569 was that arc4random() supposedly adequately fulfilled this property, like OpenBSD's. I did not see any reason to reject such a thing. Maybe it is getting hard for a "userspace CSPRNG" in general to make sense these days? That is a possible situation, and I would have to change my mind then.

Userspace is always going to be a bit riskier - the state is stored in the process itself rather than isolated in the kernel, fork() can trigger difficult-to-detect edge cases (hopefully nobody breaks minherit()!), and their implementations tend to have a more, er, "varied" history. The payoff, of course, is some orders of magnitude better performance.

I'd like that option, but I'm not sure `SecureRandom` should be taking it by default.

----------------------------------------
Bug #15039: Random.urandom and SecureRandom arc4random use
https://bugs.ruby-lang.org/issues/15039#change-73790

* Author: Freaky (Thomas Hurst)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Random.urandom defaults to arc4random() on a lot of platforms, including FreeBSD.
On all currently released versions of FreeBSD, arc4random() is, as the name suggests, a dubious ARC4-based userspace PRNG dating from circa 1997. Given the entire point of #9569 was that using the userspace CSPRNG in OpenSSL over /dev/urandom or equivalent is a bad idea, this seems to mean it's regressed to an *even worse* state on these platforms.

Even in cases where it's using something more modern (FreeBSD 12, OpenBSD), it's still a userspace CSPRNG. If that's fine, we might as well *pick a known-good one* and use that everywhere. Like, say, OpenSSL's.

Since the conclusion of #9569 seems to have been otherwise, I'd suggest dropping arc4random() as a potential source for Random.urandom due to it not matching the desired semantics.

Rust's OsRng seems a good template for alternative _syscall implementations: https://docs.rs/rand/0.5.5/rand/rngs/struct.OsRng.html#platform-sources

-- 
https://bugs.ruby-lang.org/