
[whatwg] Cryptographically strong random numbers

From: Nifty Egg Mitch <mitch@niftyegg.com>
Date: Sun, 6 Feb 2011 14:30:02 -0800
Message-ID: <20110206223002.GA26507@hpegg.wr.niftyegg.com>
On Sun, Feb 06, 2011 at 09:04:50AM +0100, Roger Hågensen wrote:
> Subject: Re: [whatwg] Cryptographically strong random numbers
> On 2011-02-06 04:54, Boris Zbarsky wrote:
> >On 2/5/11 10:22 PM, Roger Hågensen wrote:
> >
> >>This is just my opinion but... If they need random number generation in
> >>their script to be cryptographically secure to be protected from another
> >>"spying" script...

Good reading -- thanks for the four links below:
> >You may want to read these:
> >
> >https://bugzilla.mozilla.org/show_bug.cgi?id=464071
> >https://bugzilla.mozilla.org/show_bug.cgi?id=475585
> >https://bugzilla.mozilla.org/show_bug.cgi?id=577512
> >https://bugzilla.mozilla.org/show_bug.cgi?id=322529
> >
> .... [snip]
.....
> Ouch yeah, a nice mess there.
.....
> 
> Math.random should be fixed (if implementations are bugged) so that
> cross-site tracking is not possible, besides that Math.random should
> just be a quick PRNG for generic use.

.....
> I think it would be better to ensure it is not named "random" but
> "srandom" or "s_random" or "c_random" to avoid any confusion with
> Math.random
> How about "cryptrnd", anyone?
> 
> I'd hate to see a bunch of apps using cryptographically secure
> random numbers/data just because it was called "random",
> while in all likelihood they'd be fine with Math.random instead.

Adding crypt* is a bit unsettling.
Adding randKnuthLCM, or rand.Algorithm
makes more sense. To ignore that Knuth devoted
an entire chapter to random numbers is
naive. See Chapter 3 of Vol 2.

Perhaps someone at RSA could contribute
a list of algorithms that are worthy.
Received on Sunday, 6 February 2011 14:30:02 UTC
