Cryptography May 2016

cryptography@lists.squeakfoundation.org

3 participants
2 discussions

v 2.0 SecureSession spec
by Robert Withers 26 May '16

26 May '16

Here's a link to the version 2.0 spec I've put together. It includes v2.0 start-up messages for dataEncoder negotiation (used by presentation layer) and corrections to MessageType assigned numbers for data headers, so impl and spec match. Unfortunately the impl still has a few v2.0 issues, but v1.0 and vintage are still working and will not change in the future, tough perhaps deprecated. I'd welcome any feedback on content or accuracy, if anyone had a few cycles to spare ;) Thank you for your consideration, Robert http://jmp.sh/zASyHlK

1 0

Re: Random is not random at startup
by Robert Withers 22 May '16

22 May '16

Thanks for cc-ing me. I don't have much exposure to random, so I am cc-ing the Cryptography list, in hopes they might help. This doesn't very random, you're right. Here were Peter's questions: My questions: 1) do we really want to have global fixed seed? 2) Random new should actually setup a usable seed so I don't need to first run it N times before I can use the value 3) Should we switch to what UUIDGenerator is using… reading /dev/urandom for the initial seed setup? Rob On 05/18/2016 07:05 PM, Peter Uhnák wrote: > Hi, > > (cc-ing Robert Withers as he seems to be working with cryptography and > security... as this seems related and may have some implications, but > I am likely wrong about the implications) > > yesterday I've encountered a very surprising behavior > > I executed the same script `10 atRandom` on the same image without > saving it and got the same output: > > while true; do > pharo-vm --nodisplay latest.image --no-default-preferences > eval '10 atRandom' > done > 10 > 10 > 10 > 10 > 10 > 10 > > Not so random… not random at all. > > Apparently the default random generator uses SharedRandom pool, that > is initialized only once… so every time you start an image you get the > EXACT same random seed... I think this is stupid, and I am not sure > what are the security implications of this (e.g. when opening an SSL > connection… having fixed world-wide initial seed seems like an awful, > awful idea), but whatever… > > So instead I tried to explicitly specify the Random generator… which I > can do > > while true; do > pharo-vm --nodisplay latest.image --no-default-preferences > eval '10 atRandom: Random new' > done > 5 > 5 > 5 > 5 > 5 > > Still not random… what? > > while true; do > pharo-vm --nodisplay latest.image --no-default-preferences > eval 'Random new instVarNamed: #seed' > done > 426306047 > 426305545 > 426305546 > 426306010 > > So the seed is different but thanks to the magic of masking the seed, > I always get the same first several bits… thus the same result for > small numbers. > > So if I actually want what seems like a random value… I have to at > least once run the generator… > > while true; do > pharo-vm --nodisplay latest.image --no-default-preferences > eval '10 atRandom: (Random new next; yourself)' > done > 7 > 3 > 4 > 9 > 6 > 7 > > Once I start to use it the properties of the algo kick in so it's > pseudo-random… but I need to run it once to initialize it, which is wtf. > > My questions: > 1) do we really want to have global fixed seed? > 2) Random new should actually setup a usable seed so I don't need to > first run it N times before I can use the value > 3) Should we switch to what UUIDGenerator is using… reading > /dev/urandom for the initial seed setup? > > Peter

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Cryptography May 2016