by noiddicle
1644 days ago
The problem that we have is that a minority of people realize that not all random implementations are actually fit for purpose for cryptographic security. See CWE-338 for an enumerated list of these things in the wild. I found 300+ examples of CVEs with little effort. Should developers who are writing code that involves cryptography know better? Sure - but they don't. They cut and paste from Stack Overflow with horrific results.

But cryptography is just one small use case of RNGs. Grepping through my home for e.g. random_engine, less than 1% seems to be related to crypto use cases; the bulk are being taken by noise generation for various artistic use cases, games, compilers, schedulers, and tests. Stuff like shuffling a playlist, making particles move in random directions, randomness in paint brushes, etc.
If I want to generate a white noise texture for a video game, do you think I care more about cryptographically-secureness or the operation not taking 10 seconds for a 4k texture?
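
Added example, not written by either commenter: a heuristic review check that reconciles the two points above by flagging a non-cryptographic generator (the CWE-338 pattern) only when it appears near an identifier that looks like a secret, so noise and particle code is left alone. The generator list, the keyword list, the `window` parameter and the C++ sample are all assumptions constructed for this illustration.

```python
import re

# Non-cryptographic generators to look for (assumed, non-exhaustive list).
WEAK_RNG = re.compile(
    r"\b(?:std::)?(?:default_random_engine|mt19937(?:_64)?|minstd_rand0?|"
    r"s?rand|random_shuffle)\b"
)
# Identifier fragments suggesting the value is a secret (assumed word list).
SENSITIVE = re.compile(
    r"(token|passw|secret|session|nonce|salt|api_?key|otp|csrf)", re.I
)

# Constructed sample: one benign use (noise) and one CWE-338 use (token).
SAMPLE = '''\
// constructed sample, not from any real project
std::mt19937 noise_gen(42);
for (auto &px : texture) px = noise_gen() & 0xff;



std::string make_session_token() {
    std::mt19937 gen(time(nullptr));
    std::string token;
    for (int i = 0; i < 32; ++i) token += hex[gen() % 16];
    return token;
}
'''


def find_weak_rng_for_secrets(source, window=3):
    """Return (line_no, text) for weak-RNG uses that sit within
    `window` lines of a secret-looking identifier."""
    lines = source.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if not WEAK_RNG.search(line):
            continue  # no non-cryptographic generator on this line
        lo, hi = max(0, i - window), min(len(lines), i + window + 1)
        if any(SENSITIVE.search(near) for near in lines[lo:hi]):
            hits.append((i + 1, line.strip()))
    return hits


if __name__ == "__main__":
    for line_no, text in find_weak_rng_for_secrets(SAMPLE):
        print(f"line {line_no}: weak RNG near secret-like name: {text}")
```

A hit is a prompt for manual review, not proof of a vulnerability; the fix for a confirmed case is to draw the value from the platform's CSPRNG instead.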