Problem description
I want to generate cryptographically strong pseudorandom numbers in Erlang for session IDs.
There is crypto:strong_rand_bytes(N). What if it throws the low_entropy exception?
From http://www.erlang.org/doc/man/crypto.html#strong_rand_bytes-1:
Types: N = integer()
Generates N bytes randomly uniform 0..255, and returns the result in a binary. Uses a cryptographically secure prng seeded and periodically mixed with operating system provided entropy. By default this is the RAND_bytes method from OpenSSL.
May throw exception low_entropy in case the random generator failed due to lack of secure "randomness".
I guess a fallback to just rand_bytes(N) is not a good way.
Recommended answer
Handle it by not getting into the bad state in the first place. You avoid it by seeding the generator.
You should explicitly seed the generator on startup. This avoids some of the problems with calling RAND_poll. For some of the problems, see Random Numbers on the OpenSSL wiki.
You should occasionally seed the generator. In this case, read from /dev/urandom periodically and feed it to the generator with RAND_add. And add any other entropy you can get your hands on, like your peer's public key or mobile sensor data.
According to two papers (here and here), you should add entropy before generating a secret. So you should call RAND_add before each call to RAND_bytes. In this case, you should never get into a bad state.
You can also try RAND_status. If it returns 0, you should supply it with another block of entropy. The block should be at least 32 bytes. The amount of entropy needed to seed the generator is purposefully hidden. Keep in mind the value changed from 16 to 32 bytes over time, so the thread uses the old value of 16.
I suspect RAND_status suffers a race in a multithreaded environment, so I would not depend on it. That is, status could change between the call to RAND_status and RAND_bytes.
In this case, catch the exception, add 32 bytes to the generator and then retry the operation. RAND_status will likely return 0 before the exception, and 1 after you add the entropy.
But you should not get into this state in the first place.
You should feed your generator any entropy you get your hands on, even less than perfect ones. The more redundancy, the better. Some folks would like to argue about whether to use /dev/random versus /dev/urandom versus /dev/srandom. I don't really care as long as there's enough entropy - I'm using /dev/random, /dev/urandom, peer public keys, time, PIDs, and sensor readings from mobile devices.
Don't worry about things like "the attacker can see the peer key" or "sensor data is biased". The entropy will be extracted and the mixer will add it to state so the attacker does not gain an advantage.
I think this is what Gutmann and Griggs call "crypto-numerology".
Suppose you can capture physical events, and suppose you can read from a generator with a crypto primitive that provides 256 bits of security. Then, suppose you need 32 bytes of data.
There is no difference between the random process giving you 32 bytes or the crypto based generator giving you 32 bytes. For the physical process, the attacker can only guess, so they have a 1 / 2^256 chance of a guess. With a crypto primitive, the attacker has a 1 / 2^256 chance of a guess. They are the same...
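The recovery path the answer describes (catch low_entropy, feed the generator at least 32 bytes, retry), applied to the Erlang API the question asks about, as an added example that is not part of the original question or answer. It assumes crypto:rand_seed/1, the OTP wrapper around OpenSSL RAND_seed, is available, that /dev/urandom is readable, and that OTP's base64 module is acceptable for encoding; the module name session_id and the function names new/0, new/1 and seed_from_os/0 are our own. Calling seed_from_os/0 once at startup, and again before generating a secret, is the Erlang-side equivalent of the answer's "seed on startup, RAND_add before RAND_bytes" advice.

```erlang
%% Added example, not from the original question or answer.
%% Generates a session ID with crypto:strong_rand_bytes/1 and handles
%% error:low_entropy by reseeding the generator and retrying, never by
%% falling back to a non-cryptographic generator.
%% Assumptions: crypto:rand_seed/1 (OpenSSL RAND_seed) is available and
%% /dev/urandom is readable; module and function names are ours.
-module(session_id).
-export([new/0, new/1, seed_from_os/0]).

-define(ID_BYTES, 32).     % 256 bits of session-ID entropy
-define(SEED_BYTES, 32).   % the answer recommends blocks of at least 32 bytes
-define(MAX_RETRIES, 3).   % bound the reseed/retry loop

%% Return a base64-encoded 256-bit session ID.
new() -> new(?ID_BYTES).

new(NBytes) -> new(NBytes, ?MAX_RETRIES).

new(_NBytes, 0) ->
    %% Still no entropy after several reseeds: fail loudly. A weak
    %% session ID is worse than a refused request.
    error(low_entropy);
new(NBytes, Retries) ->
    try crypto:strong_rand_bytes(NBytes) of
        Bytes -> base64:encode(Bytes)   % binary:encode_hex/1 on OTP 24+ also works
    catch
        error:low_entropy ->
            %% Feed the generator 32 bytes from the OS, then retry.
            ok = seed_from_os(),
            new(NBytes, Retries - 1)
    end.

%% Read SEED_BYTES from /dev/urandom and mix them into OpenSSL's pool via
%% crypto:rand_seed/1. Suitable to call once at startup as well.
seed_from_os() ->
    {ok, Fd} = file:open("/dev/urandom", [read, binary, raw]),
    try file:read(Fd, ?SEED_BYTES) of
        {ok, Seed} when byte_size(Seed) =:= ?SEED_BYTES ->
            crypto:rand_seed(Seed);
        Other ->
            error({short_read, Other})
    after
        file:close(Fd)
    end.
```

Usage: session_id:new() returns a 44-character base64 string carrying 256 bits of generator output. The retry counter matters because, as the answer notes, RAND_status can race with RAND_bytes in a multithreaded process, so a single reseed is not a guarantee; bounding the loop keeps a persistently starved host from spinning forever while still refusing to hand out a weak ID.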