Some considerations about PRNGs

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












Recently I read about pseudorandom generators and I have some observations:



  1. My conlusion is a such that a secure implementation of a PRNG had to be blocking or returning an error code when it is too little entropy. If a PRNG does not do so it means that it cannot be secure- we cannot be sure that returned pseudorandom bits "comes" from true random bits (achieved with a sufficient entropy). Yes?


  2. The presentation Understanding and Managing Entropy Usage points
    PRNG provided by OpenSSL does not reseed itself (a slide 32). Does it mean that in long-running application we have to reseed manually? Otherwise we don't have secure PRNG? If yes, how to reseed? Every minute? Every Hour? Every generated 1024 bytes? How to be sure that a seed was taken when entropy was sufficient?


  3. If you know about books/chapters/blogs that covers my doubts let me know!


Thanks in advance :)






randomness entropy







share|improve this question







New contributor




Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    2
    down vote

    favorite












    Recently I read about pseudorandom generators and I have some observations:



    1. My conlusion is a such that a secure implementation of a PRNG had to be blocking or returning an error code when it is too little entropy. If a PRNG does not do so it means that it cannot be secure- we cannot be sure that returned pseudorandom bits "comes" from true random bits (achieved with a sufficient entropy). Yes?


    2. The presentation Understanding and Managing Entropy Usage points
      PRNG provided by OpenSSL does not reseed itself (a slide 32). Does it mean that in long-running application we have to reseed manually? Otherwise we don't have secure PRNG? If yes, how to reseed? Every minute? Every Hour? Every generated 1024 bytes? How to be sure that a seed was taken when entropy was sufficient?


    3. If you know about books/chapters/blogs that covers my doubts let me know!


    Thanks in advance :)






    randomness entropy







    share|improve this question







    New contributor




    Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      Recently I read about pseudorandom generators and I have some observations:



      1. My conlusion is a such that a secure implementation of a PRNG had to be blocking or returning an error code when it is too little entropy. If a PRNG does not do so it means that it cannot be secure- we cannot be sure that returned pseudorandom bits "comes" from true random bits (achieved with a sufficient entropy). Yes?


      2. The presentation Understanding and Managing Entropy Usage points
        PRNG provided by OpenSSL does not reseed itself (a slide 32). Does it mean that in long-running application we have to reseed manually? Otherwise we don't have secure PRNG? If yes, how to reseed? Every minute? Every Hour? Every generated 1024 bytes? How to be sure that a seed was taken when entropy was sufficient?


      3. If you know about books/chapters/blogs that covers my doubts let me know!


      Thanks in advance :)






      randomness entropy







      share|improve this question







      New contributor




      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      Recently I read about pseudorandom generators and I have some observations:



      1. My conlusion is a such that a secure implementation of a PRNG had to be blocking or returning an error code when it is too little entropy. If a PRNG does not do so it means that it cannot be secure- we cannot be sure that returned pseudorandom bits "comes" from true random bits (achieved with a sufficient entropy). Yes?


      2. The presentation Understanding and Managing Entropy Usage points
        PRNG provided by OpenSSL does not reseed itself (a slide 32). Does it mean that in long-running application we have to reseed manually? Otherwise we don't have secure PRNG? If yes, how to reseed? Every minute? Every Hour? Every generated 1024 bytes? How to be sure that a seed was taken when entropy was sufficient?


      3. If you know about books/chapters/blogs that covers my doubts let me know!


      Thanks in advance :)






      randomness entropy




      randomness entropy






      share|improve this question







      New contributor




      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 5 hours ago









      Gilgamesz

      1133




      1133




      New contributor




      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Gilgamesz is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          Addressing some of your questions:-




          a secure implementation of a PRNG had to be blocking




          A CSPRNG is the cryptographically secure version of a PRNG. Given a good and unknown (to any attackers) seed, then the CSPRNG can run effectively for ever. ChaCha20 or something based around AES can generate oodlebytes of output.



          It's a semantic distinction,but you could say that such CSPRNGs should block at initialisation. They should not output anything unless seeded correctly with adequate entropy. And since unknown entropy is sometimes difficult to acquire, there might be a delay before the CSPRNG kicks off. Acquisition of 128 or 256 bits of unknown entropy can be lengthy for some implementations such as IoT devices without on board TRNGs.



          Reseeding can be useful however, especially in the case of a desktop computer /server. Such devices allow other processes to execute alongside the CSPRNG. There are currently 263 running alongside my /dev/urandom device. Anyone of them could be spying on me. Regular reseeding is an attempt to mitigate a potential compromise of the inner state of the CSPRNG. If the RNG is running on an IoT fridge in your kitchen, such reseeding is not really necessary.




          ...how to reseed? Every minute? Every Hour?




          Well this is the trick. It will depend on your environment. The CSPRNG Fortuna uses a horribly convoluted, variable timed reseeding and pooling mechanism. A Quantis quantum key distribution system might re-key the conventional side every few minutes. This answer gives the default reseed rate of /dev/urandom as 1 minute. I see no reason why an IoT wine cooler has to reseed at all between power cycles. I don't think that anyone can give you a meaningful reseed period. A piece of advice might be that if you have access to some form of TRNG, you might as well capitalise on it as often as possible.



          Although consider that in cryptography rather than simulation, the exact random stream is often closely related to a key and/or IV. Simply swapping out the CSPRNG's inner state after a protocol has been established will suddenly break the session. The protocol will have to be re-established. This adds complexity and computational /network overhead and also applies to OpenSSL. Your session would terminate.



          As for further reading, this forum of course. There's much debate under the entropy and CSPRNG tags.






          share|improve this answer






















          • thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
            – Gilgamesz
            16 mins ago










          Your Answer




          StackExchange.ifUsing("editor", function ()
          return StackExchange.using("mathjaxEditing", function ()
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          );
          );
          , "mathjax-editing");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          Gilgamesz is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62745%2fsome-considerations-about-prngs%23new-answer', 'question_page');

          );

          Post as a guest

















          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote



          accepted










          Addressing some of your questions:-




          a secure implementation of a PRNG had to be blocking




          A CSPRNG is the cryptographically secure version of a PRNG. Given a good and unknown (to any attackers) seed, then the CSPRNG can run effectively for ever. ChaCha20 or something based around AES can generate oodlebytes of output.



          It's a semantic distinction,but you could say that such CSPRNGs should block at initialisation. They should not output anything unless seeded correctly with adequate entropy. And since unknown entropy is sometimes difficult to acquire, there might be a delay before the CSPRNG kicks off. Acquisition of 128 or 256 bits of unknown entropy can be lengthy for some implementations such as IoT devices without on board TRNGs.



          Reseeding can be useful however, especially in the case of a desktop computer /server. Such devices allow other processes to execute alongside the CSPRNG. There are currently 263 running alongside my /dev/urandom device. Anyone of them could be spying on me. Regular reseeding is an attempt to mitigate a potential compromise of the inner state of the CSPRNG. If the RNG is running on an IoT fridge in your kitchen, such reseeding is not really necessary.




          ...how to reseed? Every minute? Every Hour?




          Well this is the trick. It will depend on your environment. The CSPRNG Fortuna uses a horribly convoluted, variable timed reseeding and pooling mechanism. A Quantis quantum key distribution system might re-key the conventional side every few minutes. This answer gives the default reseed rate of /dev/urandom as 1 minute. I see no reason why an IoT wine cooler has to reseed at all between power cycles. I don't think that anyone can give you a meaningful reseed period. A piece of advice might be that if you have access to some form of TRNG, you might as well capitalise on it as often as possible.



          Although consider that in cryptography rather than simulation, the exact random stream is often closely related to a key and/or IV. Simply swapping out the CSPRNG's inner state after a protocol has been established will suddenly break the session. The protocol will have to be re-established. This adds complexity and computational /network overhead and also applies to OpenSSL. Your session would terminate.



          As for further reading, this forum of course. There's much debate under the entropy and CSPRNG tags.






          share|improve this answer






















          • thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
            – Gilgamesz
            16 mins ago














          up vote
          2
          down vote



          accepted










          Addressing some of your questions:-




          a secure implementation of a PRNG had to be blocking




          A CSPRNG is the cryptographically secure version of a PRNG. Given a good and unknown (to any attackers) seed, then the CSPRNG can run effectively for ever. ChaCha20 or something based around AES can generate oodlebytes of output.



          It's a semantic distinction,but you could say that such CSPRNGs should block at initialisation. They should not output anything unless seeded correctly with adequate entropy. And since unknown entropy is sometimes difficult to acquire, there might be a delay before the CSPRNG kicks off. Acquisition of 128 or 256 bits of unknown entropy can be lengthy for some implementations such as IoT devices without on board TRNGs.



          Reseeding can be useful however, especially in the case of a desktop computer /server. Such devices allow other processes to execute alongside the CSPRNG. There are currently 263 running alongside my /dev/urandom device. Anyone of them could be spying on me. Regular reseeding is an attempt to mitigate a potential compromise of the inner state of the CSPRNG. If the RNG is running on an IoT fridge in your kitchen, such reseeding is not really necessary.




          ...how to reseed? Every minute? Every Hour?




          Well this is the trick. It will depend on your environment. The CSPRNG Fortuna uses a horribly convoluted, variable timed reseeding and pooling mechanism. A Quantis quantum key distribution system might re-key the conventional side every few minutes. This answer gives the default reseed rate of /dev/urandom as 1 minute. I see no reason why an IoT wine cooler has to reseed at all between power cycles. I don't think that anyone can give you a meaningful reseed period. A piece of advice might be that if you have access to some form of TRNG, you might as well capitalise on it as often as possible.



          Although consider that in cryptography rather than simulation, the exact random stream is often closely related to a key and/or IV. Simply swapping out the CSPRNG's inner state after a protocol has been established will suddenly break the session. The protocol will have to be re-established. This adds complexity and computational /network overhead and also applies to OpenSSL. Your session would terminate.



          As for further reading, this forum of course. There's much debate under the entropy and CSPRNG tags.






          share|improve this answer






















          • thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
            – Gilgamesz
            16 mins ago












          up vote
          2
          down vote



          accepted







          up vote
          2
          down vote



          accepted






          Addressing some of your questions:-




          a secure implementation of a PRNG had to be blocking




          A CSPRNG is the cryptographically secure version of a PRNG. Given a good and unknown (to any attackers) seed, then the CSPRNG can run effectively for ever. ChaCha20 or something based around AES can generate oodlebytes of output.



          It's a semantic distinction,but you could say that such CSPRNGs should block at initialisation. They should not output anything unless seeded correctly with adequate entropy. And since unknown entropy is sometimes difficult to acquire, there might be a delay before the CSPRNG kicks off. Acquisition of 128 or 256 bits of unknown entropy can be lengthy for some implementations such as IoT devices without on board TRNGs.



          Reseeding can be useful however, especially in the case of a desktop computer /server. Such devices allow other processes to execute alongside the CSPRNG. There are currently 263 running alongside my /dev/urandom device. Anyone of them could be spying on me. Regular reseeding is an attempt to mitigate a potential compromise of the inner state of the CSPRNG. If the RNG is running on an IoT fridge in your kitchen, such reseeding is not really necessary.




          ...how to reseed? Every minute? Every Hour?




          Well this is the trick. It will depend on your environment. The CSPRNG Fortuna uses a horribly convoluted, variable timed reseeding and pooling mechanism. A Quantis quantum key distribution system might re-key the conventional side every few minutes. This answer gives the default reseed rate of /dev/urandom as 1 minute. I see no reason why an IoT wine cooler has to reseed at all between power cycles. I don't think that anyone can give you a meaningful reseed period. A piece of advice might be that if you have access to some form of TRNG, you might as well capitalise on it as often as possible.



          Although consider that in cryptography rather than simulation, the exact random stream is often closely related to a key and/or IV. Simply swapping out the CSPRNG's inner state after a protocol has been established will suddenly break the session. The protocol will have to be re-established. This adds complexity and computational /network overhead and also applies to OpenSSL. Your session would terminate.



          As for further reading, this forum of course. There's much debate under the entropy and CSPRNG tags.






          share|improve this answer














          Addressing some of your questions:-




          a secure implementation of a PRNG had to be blocking




          A CSPRNG is the cryptographically secure version of a PRNG. Given a good and unknown (to any attackers) seed, then the CSPRNG can run effectively for ever. ChaCha20 or something based around AES can generate oodlebytes of output.



          It's a semantic distinction,but you could say that such CSPRNGs should block at initialisation. They should not output anything unless seeded correctly with adequate entropy. And since unknown entropy is sometimes difficult to acquire, there might be a delay before the CSPRNG kicks off. Acquisition of 128 or 256 bits of unknown entropy can be lengthy for some implementations such as IoT devices without on board TRNGs.



          Reseeding can be useful however, especially in the case of a desktop computer /server. Such devices allow other processes to execute alongside the CSPRNG. There are currently 263 running alongside my /dev/urandom device. Anyone of them could be spying on me. Regular reseeding is an attempt to mitigate a potential compromise of the inner state of the CSPRNG. If the RNG is running on an IoT fridge in your kitchen, such reseeding is not really necessary.




          ...how to reseed? Every minute? Every Hour?




          Well this is the trick. It will depend on your environment. The CSPRNG Fortuna uses a horribly convoluted, variable timed reseeding and pooling mechanism. A Quantis quantum key distribution system might re-key the conventional side every few minutes. This answer gives the default reseed rate of /dev/urandom as 1 minute. I see no reason why an IoT wine cooler has to reseed at all between power cycles. I don't think that anyone can give you a meaningful reseed period. A piece of advice might be that if you have access to some form of TRNG, you might as well capitalise on it as often as possible.



          Although consider that in cryptography rather than simulation, the exact random stream is often closely related to a key and/or IV. Simply swapping out the CSPRNG's inner state after a protocol has been established will suddenly break the session. The protocol will have to be re-established. This adds complexity and computational /network overhead and also applies to OpenSSL. Your session would terminate.



          As for further reading, this forum of course. There's much debate under the entropy and CSPRNG tags.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 12 mins ago

























          answered 2 hours ago









          Paul Uszak

          6,04011332




          6,04011332











          • thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
            – Gilgamesz
            16 mins ago
















          • thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
            – Gilgamesz
            16 mins ago















          thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
          – Gilgamesz
          16 mins ago




          thanks for your response! I see now that reseeding is not necessary. If we assume that /dev/urandom does not expose a seed, does it mean that we don't need a reseeding?
          – Gilgamesz
          16 mins ago










          Gilgamesz is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          Gilgamesz is a new contributor. Be nice, and check out our Code of Conduct.












          Gilgamesz is a new contributor. Be nice, and check out our Code of Conduct.











          Gilgamesz is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62745%2fsome-considerations-about-prngs%23new-answer', 'question_page');

          );

          Post as a guest
































































          Comments

          Post a Comment

          Popular posts from this blog

          Long meetings (6-7 hours a day): Being “babysat” by supervisor

          Image
          Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
          Read more

          Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

          Image
          Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
          Read more

          Confectionery

          Image
          Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
          Read more