From: Paul Eggert <eggert@cs.ucla.edu>
To: Matt Armstrong <matt@rfc20.org>
Cc: 58472@debbugs.gnu.org, Stefan Kangas <stefankangas@gmail.com>
Subject: bug#58472: [PATCH] Make `message-unique-id' less prone to collisions
Date: Mon, 17 Oct 2022 18:38:48 -0700 [thread overview]
Message-ID: <8fba11c5-c4b7-65ef-9b00-51799203d324@cs.ucla.edu> (raw)
In-Reply-To: <87ilki70p5.fsf@rfc20.org>
On 10/17/22 11:40, Matt Armstrong wrote:
> I like it.
Eli doesn't, so I'll drop the idea for now. I didn't realize we were
close to releasing 29.1, and I agree with Eli that adding a make-nonce
primitive is not something to do close to a release.
> With respect to "cryptographic purposes" how about mentioning that
> `random' itself is potentially seeded from a cryptographically weak
> source and makes no promise to use a PRNG suitable for cryptography? If
> I'm right about those two assertions, I think they are important to
> mention.
Good point. This can be done in the documentation now: this doesn't hurt
anything release-relevant, as it's simply documenting what we have. I
installed the attached.
[-- Attachment #2: 0001-Improve-random-doc-re-nonces.patch --]
From f4442d49f6490cb754bad66dd34a182d5eae06d9 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Sun, 16 Oct 2022 21:35:47 -0700
Subject: [PATCH] Improve ‘random’ doc re nonces
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* doc/lispref/numbers.texi (Random Numbers): Improve coverage of
random seed, entropy pools, and why one shouldn’t use ‘random’ for
nonces. See Bug#58472.
---
doc/lispref/numbers.texi | 48 +++++++++++++++++++++++++++++++++++-----
1 file changed, 42 insertions(+), 6 deletions(-)
diff --git a/doc/lispref/numbers.texi b/doc/lispref/numbers.texi
index fdcda328d8..2c7a1d3266 100644
--- a/doc/lispref/numbers.texi
+++ b/doc/lispref/numbers.texi
@@ -1238,6 +1238,9 @@ Random Numbers
sequence of numbers. By default, Emacs initializes the random seed at
startup, in such a way that the sequence of values of @code{random}
(with overwhelming likelihood) differs in each Emacs run.
+The random seed is typically initialized from system entropy;
+however, on obsolescent platforms lacking entropy pools,
+the seed is taken from less-random volatile data such as the current time.
Sometimes you want the random number sequence to be repeatable. For
example, when debugging a program whose behavior depends on the random
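Review bot: The sentence added at the top of this hunk describes only the startup seed, while the paragraph being removed in the next region (the one beginning "If @var{limit} is @code{t}") was where the reader learned that reseeding with @code{t} follows the same entropy-or-fallback rule; after this change that link is gone, so consider phrasing the new sentence as applying "both at startup and when reseeding with @code{(random t)}". Also, "obsolescent platforms lacking entropy pools" gives the reader no way to tell whether their build is one; if the manual can name the condition Emacs checks for, do so, otherwise "some platforms" is more accurate than "obsolescent".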
@@ -1256,12 +1259,45 @@ Random Numbers
any fixnum, i.e., any integer from @code{most-negative-fixnum} through
@code{most-positive-fixnum} (@pxref{Integer Basics}).
-If @var{limit} is @code{t}, it means to choose a new seed as if Emacs
-were restarting, typically from the system entropy. On systems
-lacking entropy pools, choose the seed from less-random volatile data
-such as the current time.
-
If @var{limit} is a string, it means to choose a new seed based on the
-string's contents.
+string's contents. This causes later calls to @code{random} to return
+a reproducible sequence of results.
+
+If @var{limit} is @code{t}, it means to choose a new seed as if Emacs
+were restarting. This causes later calls to @code{random} to return
+an unpredictable sequence of results.
@end defun
+
+If you need a random nonce for cryptographic purposes, using
+@code{random} is typically not the best approach, for several reasons:
+
+@itemize @bullet
+@item
+Although you can use @code{(random t)} to consult system entropy,
+doing so can adversely affect other parts of your program that benefit
+from reproducible results.
+
+@item
+The system-dependent pseudo-random number generator (PRNG) used by
+@code{random} is not necessarily suitable for cryptography.
+
+@item
+A call to @code{(random t)} does not give direct access to system
+entropy; the entropy is passed through the system-dependent PRNG, thus
+possibly biasing the results.
+
+@item
+On typical platforms the random seed contains only 32 bits, which is
+typically narrower than an Emacs fixnum, and is not nearly enough for
+cryptographic purposes.
+
+@item
+A @code{(random t)} call leaves information about the nonce scattered
+about Emacs's internal state, increasing the size of the internal
+attack surface.
+
+@item
+On obsolescent platforms lacking entropy pools, @code{(random t)} is
+seeded from a cryptographically weak source.
+@end itemize
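Review bot: The itemized list tells the reader that @code{random} is "typically not the best approach" for cryptographic nonces but never says what to use instead, so the warning leaves no recourse; a closing sentence should either point at the recommended way to obtain unpredictable values or state plainly that Emacs currently provides no such primitive (which is consistent with the message above declining to add one before 29.1). Smaller points in the same hunk: the 32-bit item reads "On typical platforms ... which is typically narrower", so drop one "typically"; the "attack surface" item is vague about what information is left where, and if the concern is that the reseeded PRNG state stays in the process after the nonce is drawn, say that directly instead of "scattered about"; and the final item restates the entropy-pool fallback that the first hunk already added to the seed paragraph, so a @pxref back to that paragraph would avoid documenting the fallback twice.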
--
2.37.3