sfmt-erlang security notice 8-JAN-2020: regarding the Ambionics Security's PHP mt_seed() vulnerability

Jesper Louis Andersen jesper.louis.andersen@REDACTED
Wed Jan 8 15:48:05 CET 2020

On Wed, Jan 8, 2020 at 11:19 AM Raimo Niskanen <
raimo+erlang-questions@REDACTED> wrote:

> On Wed, Jan 08, 2020 at 01:03:53PM +0900, Kenji Rikitake wrote:
> >
> > *Note well that sfmt-erlang has no cryptographic security guarantee and
> > MUST NOT be used for security purposes such as password generation.*
> _That_ is a very important point here!
This is the important part. CSPRNGs[0] are made to withstand these types of
attacks. This is due to the fact they must withstand extension attacks,
typically by rolling the internal state material forward in a ratchet so
you can't go back to the earlier states. Otherwise, an attacker gaining
access to the internal state would be able to roll the RNG state backwards.

For example, consider we create a "CSPRNG" based on AES256 in CTR mode. Our
internal state is {k, n} for a key k and a counter n and to produce the
stream of randomness we compute AES_k(0), AES_k(1), AES_k(2), ... and so
on. Now the problem is that if the attacker gains access to the pair {k, n}
they can regenerate the whole sequence from the start up until n.

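The two designs Jesper contrasts, as an added example that is not code from the thread: a counter-mode generator whose leaked state {k, n} lets anyone recompute every block already emitted, beside a ratcheting variant whose leaked state only reveals future blocks. HMAC-SHA256 stands in for AES_k(n) as the pseudorandom function, an assumption made so the example runs with only the Python standard library.

```python
import hashlib
import hmac


def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed PRF. Assumption: HMAC-SHA256 plays the role of AES_k(.) from the post."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class CounterGenerator:
    """The 'CSPRNG' of the post: state {k, n}, block i = PRF_k(i). k never changes."""
    def __init__(self, key: bytes):
        self.k, self.n = key, 0

    def next_block(self) -> bytes:
        out = prf(self.k, b"ctr" + self.n.to_bytes(8, "big"))
        self.n += 1
        return out

    def snapshot(self):          # what an attacker sees on a state compromise
        return (self.k, self.n)


class RatchetGenerator:
    """Forward-secure variant: each step derives the output and a fresh key from k,
    then overwrites k, so earlier keys no longer exist anywhere in the state."""
    def __init__(self, key: bytes):
        self.k, self.n = key, 0

    def next_block(self) -> bytes:
        out = prf(self.k, b"output")
        self.k = prf(self.k, b"ratchet")   # old key is discarded here
        self.n += 1
        return out

    def snapshot(self):
        return (self.k, self.n)


def recover_past_counter(snapshot) -> list:
    """Leaked {k, n} from CounterGenerator: recompute blocks 0..n-1 exactly."""
    k, n = snapshot
    return [prf(k, b"ctr" + i.to_bytes(8, "big")) for i in range(n)]


def recover_past_ratchet(snapshot) -> list:
    """Same attempt against RatchetGenerator: the leaked key only produces future blocks."""
    k, n = snapshot
    return [RatchetGenerator(k).next_block() for _ in range(n)]


def demo():
    key = bytes(range(32))                  # constructed fixed key for a repeatable run
    g = CounterGenerator(key)
    emitted = [g.next_block() for _ in range(3)]
    counter_leaks_past = recover_past_counter(g.snapshot()) == emitted
    r = RatchetGenerator(key)
    emitted_r = [r.next_block() for _ in range(3)]
    ratchet_leaks_past = any(b in emitted_r for b in recover_past_ratchet(r.snapshot()))
    return counter_leaks_past, ratchet_leaks_past   # expect (True, False)
```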
