Re: ACTION-23: Find out status of getrandom in HTML5

On 08/20/2012 03:46 PM, Harry Halpin wrote:
> [cc'ing Mike Smith from HTML WG]
>
> I believe from our last meeting that Wan-Teh Chan was concerned over 
> the use of a non-cryptographic PRG RC4 in the WHATWG spec and filed a 
> bug, and I think it was removed [2]. Also, there has been general 
> concern in the blogosphere, as exemplified by this Matasano blog post 
> [1], that large random number generation in Javascript is currently 
> broken. However, I suspect this all goes back to Math.random(), which 
> is not part of HTML and not what we will encourage people to use (if 
> they really need to go this low-level!), but instead we will focus on 
> window.crypto.getRandomValues() [2].
>
> However, I do think the WG needs to carefully consider the issues (of 
> which random number generation is a small part) brought up by the 
> Matasano blog post and others to make sure what the WebCrypto WG 
> produces actually has reasonable security properties. So let's make 
> sure we have secure PRG across all browsers.
>
> So everyone, what's the status of window.crypto.getRandomValues() 
> as regards cross-browser support, either currently or in the future? I 
> see Mozilla is still trying to get a secure PRG exposed on the DOM 
> [3]. Does each browser now produce cryptographically strong PRG? Does 
> that include IE and Opera?
>
All browsers have access to cryptographically strong PRGs one way or 
another, since it is needed for the SSL stacks (key exchange and similar 
algorithms).

Math.Random() has never been intended to be cryptographically 
secure. The spec simply says it must return a random number between 0 
and 1, with "approximately uniform distribution". So Math.Random() must 
simply not be used for cryptography. Opera uses a secure PRG for 
Math.Random(), simply because it's convenient to use the same PRG as we 
use for code that needs a secure PRG. I don't know what the other 
browsers do here.

Opera has not yet implemented window.crypto.getRandomValues(), but when 
we do, we will use the same secure PRG.

However, just as important as the algorithm used for the PRG, is the 
seeding of the PRG.  This is where most implementations fail. Having a 
cryptographically secure PRG does not help if the entropy of the seed is bad.

Cheers,
Håvard



> If there are no problems except the use of RC4 in HTML5, I can 
> consider this action closed.
>
> If there are some possible problems, we as a WG need to suggest text for 
> the WHATWG/HTML5 effort and our own spec to address PRG concerns in 
> Javascript.
>
>    cheers,
>         harry
>
> [1] http://www.matasano.com/articles/javascript-cryptography/
> [2] http://wiki.whatwg.org/wiki/Crypto
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=440046
>
>

Received on Monday, 20 August 2012 14:21:58 UTC