When using CSPRNG (cryptographically secure pseudo-random number generation) functions, seeding is an important step. So what is the best way to seed a random number function?
[This thread](https://security.stackexchange.com/q/94646/145405) might be helpful. – Gonçalo Peres Dec 23 '20 at 22:37
1 Answer
As anywhere in engineering, there's no "unique" best way; there are always going to be tradeoffs between:
- entropy of the source of randomness,
- rate of the entropy (i.e. how many bits/second can you get?),
- suitability of the source distribution,
- computational resource and energy usage,
- lack of side-channel attacks on the entropy generation,
and finally, and really not unimportant,
- cost.
For example, if you had a truly random source of entropy that you could ask arbitrarily often per second, you'd need to do little CSPRNG – you'd basically have a CSRNG, nothing pseudo about that! All that the generation would do would be a bit of distribution shaping to get uniformly distributed bits, which is what most crypto algorithms need.
Now, since you don't have that, in general, you'd want a source that is
- uncorrelated, actually even
- unpredictable,
- unmanipulatable, and
- doesn't have any side effects, neither about whether it's currently working, nor about the random data it's producing.
As such, high-quality sources used where it actually matters are often of a quantum nature: spontaneous emission of photons in excited matter, for example.
However, as with anything, "the best possible" will set you back a couple thousand dollars, not fit in your rack server, laptop or smartphone, and actually be resistant to ... no attack anyone would ever try to do, realistically.
So, as always: Model your threats. Then define the number of truly random bits per second you'll need. See whether built-in methods (CPUs these days have truly random number generation – is that enough for you, assuming that you can isolate that CPU well enough to make any kind of side channel attack impossible?), together with state-of-the-art entropy pools, are enough. For all things I can imagine, Linux' /dev/urandom, using the ChaCha20 algorithm on such hardware sources, is cryptographically secure!
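The seeding approach the answer describes, as an added example that is not part of the original question or answer: a userspace ChaCha20-based generator whose 32-byte seed comes from the OS entropy pool (`os.urandom`, which on Linux is `getrandom()` backed by the kernel CSPRNG and its hardware sources), with fast key erasure and periodic reseeding, placed next to the classic mistake of seeding from the wall clock. The ChaCha20 block function follows RFC 8439; the class name `ChaChaDRBG`, the function `clock_seeded_token_is_recoverable` and the reseed interval are this example's own choices, not a library API.

```python
"""Added example: a userspace ChaCha20 DRBG seeded from the OS entropy pool,
next to the classic mistake of seeding a PRNG from the clock."""
import os
import random
import struct
import time

MASK32 = 0xFFFFFFFF


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def quarter_round(s, a, b, c, d):
    """RFC 8439 section 2.1 quarter round, applied in place on four words of s."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3):
    32-byte key, 32-bit block counter, 12-byte nonce."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8L", key)
    state += [counter & MASK32]
    state += struct.unpack("<3L", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


class ChaChaDRBG:
    """Seed = 32 bytes from the OS CSPRNG; output = ChaCha20 keystream.
    Fast key erasure: after every request the key is overwritten with fresh
    keystream, so a later state compromise cannot reveal earlier output.
    Periodic reseeding pulls fresh entropy back in from the OS."""

    def __init__(self, seed=None, reseed_after_blocks=1 << 16):
        self._reseed_after = reseed_after_blocks  # example's own policy knob
        self.reseed(seed)

    def reseed(self, seed=None):
        # os.urandom is the kernel CSPRNG (getrandom() on Linux), itself fed by
        # hardware sources such as RDRAND and interrupt timing; an explicit seed
        # is accepted only so the expansion can be checked deterministically.
        seed = os.urandom(32) if seed is None else bytes(seed)
        if len(seed) != 32:
            raise ValueError("seed must be exactly 32 bytes")
        self._key = seed
        self._counter = 0
        self._blocks = 0
        self._nonce = bytes(12)  # fixed nonce is fine: each key drives one stream

    def _next_block(self):
        if self._blocks >= self._reseed_after:
            self.reseed()
        block = chacha20_block(self._key, self._counter, self._nonce)
        self._counter += 1
        self._blocks += 1
        return block

    def generate(self, n):
        out = bytearray()
        while len(out) < n:
            out += self._next_block()
        self._key = self._next_block()[:32]  # fast key erasure
        return bytes(out[:n])


def clock_seeded_token_is_recoverable(window_seconds=3600):
    """The anti-pattern: seed a PRNG with the wall clock. An attacker who knows
    the seeding time to within window_seconds brute-forces the seed and
    regenerates the 'secret' token. Returns True when the recovery succeeds."""
    seeded_at = int(time.time())
    token = random.Random(seeded_at).getrandbits(128)  # the mistake
    for guess in range(seeded_at - window_seconds, seeded_at + 1):
        if random.Random(guess).getrandbits(128) == token:
            return guess == seeded_at
    return False


if __name__ == "__main__":
    drbg = ChaChaDRBG()  # seeded from os.urandom
    print(drbg.generate(16).hex())
    print("clock-seeded token recovered:", clock_seeded_token_is_recoverable())
```

In production you would not run your own DRBG at all; `os.urandom` or the `secrets` module is the answer's "/dev/urandom on hardware sources" and should be used directly. The class exists to make visible what a seed does: 32 bytes of OS entropy fix the key, everything after that is deterministic expansion, and only reseeding brings new entropy in. One caveat worth knowing when seeding early at boot: on Linux, `getrandom()` (which `os.urandom` uses) blocks until the kernel pool is initialized, whereas a plain read of `/dev/urandom` does not, so a seed taken from `/dev/urandom` in the first seconds after boot on a device without a hardware source can be far weaker than one taken a minute later.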