Oxsomi / core3

Oxsomi Core3 is a combination of standalone C libraries useful for building applications, such as types, platform, graphics abstraction and file formats
GNU General Public License v3.0

CSPRNG is currently possibly unsecure #84

Closed Nielsbishere closed 1 year ago

Nielsbishere commented 1 year ago

If the RDRAND function is compromised on Intel or AMD, it impacts the security of things like key generation or IV generation. To fix this, multiple sources of entropy should be used and should be fed into SHA256, and then the necessary bytes can be used. This includes things like time, certain registry values, etc.

https://security.stackexchange.com/questions/195515/is-rdrand-used-in-a-safe-way-by-windows-10

Nielsbishere commented 1 year ago

Fixed by using BCrypt for number generation on Windows. Should use /dev/random on Linux. This is safer since it uses multiple sources of randomness, such as the TPM, the RDRAND function, etc. Adding other types of randomness can decrease security.
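The fix described in this thread, as an added example that is not code from the core3 project: a small C helper that asks the OS CSPRNG for bytes, using `BCryptGenRandom` with the system-preferred RNG on Windows and `getrandom(2)` (the same kernel pool that backs `/dev/random`) on Linux. The function names, the short-read loop, and the "dead RNG" sanity check are this example's own choices; on failure the caller gets an error and never a fallback to `time()` or `rand()`, which is the point the issue makes about not mixing in weak sources.

```c
/* Added example (not core3 code): fill a buffer from the OS CSPRNG.
 * Windows: BCrypt system-preferred RNG. Linux/POSIX: getrandom(2).
 * Function names and the sanity check are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_WIN32)
#include <windows.h>
#include <bcrypt.h>
#pragma comment(lib, "bcrypt")
#else
#include <errno.h>
#include <sys/types.h>
#include <sys/random.h>   /* getrandom(2): glibc >= 2.25, musl >= 1.1.20 */
#endif

/* Fill buf[0..n) with cryptographically secure random bytes.
 * Returns 0 on success, -1 on failure. On failure the buffer is
 * garbage: callers must abort, not substitute a weaker source. */
int os_random_bytes(uint8_t *buf, size_t n)
{
    if (buf == NULL && n != 0) return -1;
#if defined(_WIN32)
    /* The system-preferred RNG already mixes the platform's entropy
     * sources (TPM, RDRAND, interrupts, ...); nothing to add here. */
    NTSTATUS st = BCryptGenRandom(NULL, buf, (ULONG)n,
                                  BCRYPT_USE_SYSTEM_PREFERRED_RNG);
    return BCRYPT_SUCCESS(st) ? 0 : -1;
#else
    size_t got = 0;
    while (got < n) {
        /* getrandom may return fewer bytes than asked (requests above
         * 256 bytes, or a signal), so loop until the buffer is full.
         * flags=0 blocks only until the kernel pool is seeded once. */
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        got += (size_t)r;
    }
    return 0;
#endif
}

/* Cheap check for a dead RNG: reject a buffer whose bytes are all equal.
 * This catches "the API silently returned zeros", not statistical bias.
 * Returns 1 if at least two distinct byte values are present, else 0. */
int bytes_not_constant(const uint8_t *buf, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (buf[i] != buf[0]) return 1;
    return 0;
}

/* Generate a 32-byte key; wipe it and fail if the RNG did not deliver. */
int generate_key(uint8_t key[32])
{
    if (os_random_bytes(key, 32) != 0) return -1;
    if (!bytes_not_constant(key, 32)) {
        memset(key, 0, 32);
        return -1;
    }
    return 0;
}

int main(void)
{
    uint8_t key[32];
    if (generate_key(key) != 0) {
        fputs("CSPRNG unavailable, refusing to continue\n", stderr);
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

Compile with `cc -o keygen keygen.c` on Linux, or with `cl keygen.c` on Windows where the `#pragma comment` pulls in `bcrypt.lib`. The constant-buffer check is deliberately minimal: it detects an API that returned nothing useful, which is the failure mode worth guarding against when an RNG source is swapped out, and it does not try to judge randomness quality.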