by doc_ick 1 day ago
You keep arguing random strings are “basically” perfect for cryptography. I’d potentially read your research paper for strings if you cited it, but my main question is what technology do you think is perfect? I don’t want to hear about misplacing pseudo-random strings until I know your basis for a perfect technology that never improves from updates.

Edit: also, how many attacks have there been on pseudo-random generators?


There have been basically no practical attacks on the LRNG or on Windows CryptGenRandom and its successors over the last 20+ years. People have gone out of their way to build userspace RNGs and blown their toes off, but getrandom/urandom have been rock solid.

I think "don't use Mersenne Twister as your RNG" is a much safer bit of load-bearing advice than "use precisely these safe settings for your JWTs".
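As an added illustration of the "don't use Mersenne Twister as your RNG" point (example code written for this page, not code from anyone in the thread): Python's `random` module is MT19937, and its output tempering is a bijection on 32-bit words, so any 624 consecutive outputs of `getrandbits(32)` can be untempered into the generator's state window and every later output computed from the MT recurrence. The seed, skip count and prediction count in `demo()` are arbitrary values chosen for the demonstration.

```python
import random
import secrets
from collections import deque

# MT19937 constants from the reference implementation (same ones CPython uses).
N, M = 624, 397
MATRIX_A = 0x9908B0DF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """Output tempering MT19937 applies to each state word before returning it."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(z: int) -> int:
    """Invert temper(). Each step is invertible because the shifted copy only
    mixes in bits that are still untouched at that point of the transform."""
    z ^= z >> 18                              # shift >= 16: one pass restores it
    z ^= (z << 15) & 0xEFC60000               # mask leaves the source bits alone
    x = z
    for _ in range(4):                        # 7 bits recovered per pass, 4 passes cover 32
        x = z ^ ((x << 7) & 0x9D2C5680)
    z = x & MASK32
    x = z
    for _ in range(2):                        # 11 bits per pass, 2 passes cover the rest
        x = z ^ (x >> 11)
    return x & MASK32


class MTPredictor:
    """Clone of a Mersenne Twister built from any 624 consecutive 32-bit outputs.

    The recurrence x[k+624] = x[k+397] ^ g(x[k], x[k+1]) only needs a sliding
    window of 624 words, so the observed outputs need not be aligned to a twist."""

    def __init__(self, outputs):
        if len(outputs) != N:
            raise ValueError(f"need exactly {N} consecutive 32-bit outputs")
        self.window = deque(untemper(o) for o in outputs)

    def next_u32(self) -> int:
        x = self.window
        y = (x[0] & UPPER) | (x[1] & LOWER)
        new = x[M] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        x.popleft()
        x.append(new)
        return temper(new)


def secure_u32() -> int:
    """The drop-in replacement: secrets reads the OS CSPRNG (getrandom/urandom),
    which exposes no recoverable state to an observer of its outputs."""
    return secrets.randbits(32)


def demo(seed: int = 12345, skip: int = 100, predict: int = 10) -> bool:
    """Observe 624 outputs of a seeded random.Random (the 'victim'), then check
    that the predictor reproduces its next `predict` outputs exactly."""
    victim = random.Random(seed)
    for _ in range(skip):                     # attacker missed these; alignment does not matter
        victim.getrandbits(32)
    observed = [victim.getrandbits(32) for _ in range(N)]
    attacker = MTPredictor(observed)
    predicted = [attacker.next_u32() for _ in range(predict)]
    actual = [victim.getrandbits(32) for _ in range(predict)]
    return predicted == actual


if __name__ == "__main__":
    print("MT19937 outputs predicted:", demo())
    print("one CSPRNG word (no state to recover):", hex(secure_u32()))
```

The practical consequence is the one the comment above draws: anything derived from `random` (session tokens, password-reset codes, CSRF tokens) is recoverable by a client that can observe enough earlier outputs, while `secrets`/`os.urandom`/`getrandom()` give that client nothing to untemper.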

I hear a lot of "basically" and "rock solid", yet still no answer to my question, nor any "perfect" claim.

Edit: an impractical attack can still be used

Name the impractical attack that can be used on getrandom(), please.
1) https://cwe.mitre.org/data/definitions/338.html
2) If a system has partial entropy, output can be predictable: https://www.netbsd.org/~riastradh/tmp/20200510/getrandom.htm...
3) The setting flag of GRND_INSECURE: https://www.netbsd.org/~riastradh/tmp/20200510/getrandom.htm...

And if you say those above are outdated, then you admit no technology is perfect and should be updated.

You’re welcome

I don't think you understand the links you just presented me. Two of them are getrandom man pages from NetBSD, and one of them is a CWE, which documents a broad class of vulnerabilities --- the specific vulnerability here being "not using getrandom".

It's ok if you're totally unfamiliar with this space, but I'd recommend replacing some periods with question marks in your comments.

I'm not quite sure you can read. The two points with getrandom directly tie into the points made, and the CWE points to the larger vuln.

Speaking of which, you are consistently distracting from the question of what you think is a perfect technology that can never be improved upon.

Edit: separate track, I will agree random strings can be useful if you agree technology should always be updated.

Edit 2: provide me a recipe for Oreo cookie s'more pie.