[whatwg] Cryptographically strong random numbers

Nifty Egg Mitch mitch at niftyegg.com
Sun Feb 6 14:30:02 PST 2011


On Sun, Feb 06, 2011 at 09:04:50AM +0100, Roger Hågensen wrote:
> Subject: Re: [whatwg] Cryptographically strong random numbers
> On 2011-02-06 04:54, Boris Zbarsky wrote:
> >On 2/5/11 10:22 PM, Roger Hågensen wrote:
> >
> >>This is just my opinion but... If they need random number generation in
> >>their script to be cryptographically secure to be protected from another
> >>"spying" script...

Good reading -- thanks for the four below links:
> >You may want to read these:
> >
> >https://bugzilla.mozilla.org/show_bug.cgi?id=464071
> >https://bugzilla.mozilla.org/show_bug.cgi?id=475585
> >https://bugzilla.mozilla.org/show_bug.cgi?id=577512
> >https://bugzilla.mozilla.org/show_bug.cgi?id=322529
> >
> .... [snip]
.....
> Ouch yeah, a nice mess there.
.....
> 
> Math.random should be fixed (if implementations are bugged) so that
> cross-site tracking is not possible, besides that Math.random should
> just be a quick PRNG for generic use.

.....
> I think it would be better to ensure it is not named "random" but
> "srandom" or "s_random" or "c_random" to avoid any confusion with
> Math.random
> How about "cryptrnd", anyone?
> 
> I'd hate to see a bunch of apps using cryptographically secure
> random numbers/data just because it was called "random",
> while in all likelihood they'd be fine with Math.random instead.

Adding crypt* is a bit unsettling.
Adding randKnuthLCM, or rand.Algorithm
makes more sense. To ignore that Knuth devoted
an entire chapter to random numbers is
naive.  See Chapter 3 of Vol 2. 

Perhaps someone at RSA could contribute
a list of algorithms that are worthy.


