Hacker News new | ask | show | jobs
by doc_ick 2 days ago
That’s dodging the question, and a very generic and blank recommendation.
1 comments
tptacek 2 days ago
Seems like a very specific recommendation?
link
doc_ick 1 day ago
I asked for a perfect tech in your eyes, that once created was never updated or improved upon.

*edit: a recommendation for random strings in most cases isn’t perfect

link
tptacek 1 day ago
In what way? Random strings are basically the gold standard. A lot of token cryptography actually destroys value already present in the random string.
link
doc_ick 1 day ago
You keep arguing random strings are “basically” perfect for cryptography. I’d potentially read your research paper for strings if you cited it, but my main question is what technology do you think is perfect? I don’t want to hear about misplacing pseudo-random strings until I know your basis for a perfect technology that never improves from updates.

Edit: also there have been how many attacks have there been on pseudo-random generators?

link
tptacek 1 day ago
There have been basically no practical attacks on the LRNG or on Windows CryptGenRandom and its subsequents over the last 20+ years. People have gone of out of their way to build userspace RNGs and blown their toes off, but getrandom/urandom have been rock solid.

I think "don't use Mersenne Twister as your RNG" is a much safer bit of load-bearing advice than "use precisely these safe settings for your JWTs".

link
doc_ick 20 hours ago
I hear a lot of “basically” and “rock solid”, yet still no answer to my question or no “perfect” claim.

Edit: an impractical attack can still be used

link