I confess I am just "forwarding", so this may be old news or no news at all, but still, it looks like something worth at least a look:
https://www.slant.co/topics/900/viewpoints/31/sections/15/comments
"Unix implementation as of the latest stable 3.43.0, there is an RNG seeding where it checks the system random number generator entropy estimate; if there isn’t enough or the estimate isn’t available, instead of throwing an error or just using potentially low-entropy random numbers it uses the current time."
"On Windows, it always uses the system time! I made the first comment after only reading the Unix implementation, but this is even worse. Astoundingly bad for crypto software. Also mystifying because GetRandomData in the same file uses the correct RtlGenRandom."
Thanks for pointing me to this. Pity the author didn't contact me or open a ticket when he found this.
I disagree with the "Astoundingly bad for crypto software" part, but have tweaked the code so as not to add system time to the pool if the Windows RNG is available.
Fixed in 838ccf50d, will be in next release.
Released with 3.48.0.
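
The alternative the quoted comment mentions (returning an error instead of seeding from the clock), as an added example that is not the project's code. The function names and the use of `/dev/urandom` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not from the project discussed above): fill out[0..n)
 * from an OS randomness device. Returns 0 on success, -1 on failure.
 * On any failure the buffer is zeroed and no clock-based fallback is tried,
 * so the caller has to stop instead of generating keys from a guessable seed.
 */
int seed_from_device(const char *path, unsigned char *out, size_t n)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        memset(out, 0, n);
        return -1;
    }
    /* Unbuffered: do not pull more bytes from the device than requested. */
    setvbuf(f, NULL, _IONBF, 0);
    size_t got = fread(out, 1, n, f);
    fclose(f);
    if (got != n) {            /* short read counts as failure */
        memset(out, 0, n);
        return -1;
    }
    return 0;
}

/* Hypothetical pool seeding entry point; /dev/urandom is an assumption. */
int seed_pool(unsigned char *pool, size_t n)
{
    return seed_from_device("/dev/urandom", pool, n);
}

int main(void)
{
    unsigned char pool[32];
    if (seed_pool(pool, sizeof pool) != 0) {
        fprintf(stderr, "no OS randomness available, refusing to continue\n");
        return 1;
    }
    puts("pool seeded from OS RNG");
    return 0;
}
```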