README: rand is not a crypto library #1514
Conversation
|
I think it's worth to explicitly state that |
| /// - Not to leak internal state through [`Debug`] or serialization | ||
| /// implementations. | ||
| /// - No further protections exist to in-memory state. In particular, the | ||
| /// implementation is not required to zero memory on exit (of the process or |
There was a problem hiding this comment.
Just curious.. is that because it's onerous to implement or causes a performance hit or something else?
There was a problem hiding this comment.
zeroize? It's just not been done (so far). It has been implemented by the chacha20 crate, so we gain this feature when we switch (with a little adjustment to ThreadRng).
Co-authored-by: Dan <dan.middleton@intel.com>
|
Thanks for the review! |
README.md
Outdated
| [`zeroize`](https://crates.io/crates/zeroize) used buffers and generators. | ||
| We do not automatically reseed on fork (see | ||
| [`ThreadRng`](https://docs.rs/rand/latest/rand/rngs/struct.ThreadRng.html)). | ||
| Rand cannot provide any guarantees of security. |
There was a problem hiding this comment.
Maybe we can recommend using getrandom directly if you need guarantees? Most crypto applications don't need a userspace CSPRNG, and I think this is what crypto libraries like ring do.
There was a problem hiding this comment.
The current text is broken:
Rand cannot provide any guarantees of security. which retrieves random data from (operating) system sources without a local memory buffer.
Also you already stated that "Rand is not a cryptographic library and cannot provide guarantees of security" in the first sentence of this paragraph, so here you have a needless duplication.
|
In any case we should not forget to also update or remove the |
There was a problem hiding this comment.
The wording is a bit too conservative for my taste, but I guess it's fine.
Maybe we could move ThreadRng into a separate crate and use slightly less scary wording in it? This also could help cryptographic crates that would like to use ThreadRng, but do not want to pull the whole rand for it.
README.md
Outdated
| [`zeroize`](https://crates.io/crates/zeroize) used buffers and generators. | ||
| We do not automatically reseed on fork (see | ||
| [`ThreadRng`](https://docs.rs/rand/latest/rand/rngs/struct.ThreadRng.html)). | ||
| Rand cannot provide any guarantees of security. |
There was a problem hiding this comment.
The current text is broken:
Rand cannot provide any guarantees of security. which retrieves random data from (operating) system sources without a local memory buffer.
Also you already stated that "Rand is not a cryptographic library and cannot provide guarantees of security" in the first sentence of this paragraph, so here you have a needless duplication.
|
Are there specific cases where the wording is too conservative (besides the "cannot provide guarantees of security" disclaimer)? We discussed moving |
It's a big disclaimer. Users may (rightfully) interpret it as "
I don't think so, at very least, I can not name a cryptographic library that depends on |
|
Moving Yes, it is a big disclaimer. Updated. |
To my understanding, APIs like |
|
@vks though I generally prefer |
|
@vks |
|
So we're okay with this as-is? I updated again after @newpavlov's last comment on the disclaimer. |
|
Note to all who commented here: I've added another note to the opening post due to comments regarding the rand v0.9 release. See also reddit comments here. |
Attempt to slightly improve the wording left by #1514.
Closes #1358 by documenting what Rand is not.
Edit: the aims of this PR are to:
randis a community project without any legally-binding guaranteesrandcomponents where security/unpredictability are importantEdit no. 2 because more people are now seeing this.
randcontains no high-level cryptographic functionality, e.g. no encryption or signing support. It doesn't even contain a dedicated password generator (though you can pretty easily generate random strings withAlphanumeric).For example, we've had people assume that
ThreadRnghad full fork protection (it previously offered a very limited form of fork protection which the docs were clear about to anyone who actually read them), then complain that it didn't function as expected. So now we've "resolved" this by removing all fork protection but adding some instructions to people who need it.Further, various people expect cryptographic primitives to zero their contents on drop (
zeroize).ThreadRngdoes not do this, and at this point it's unclear if it ever will (StdRngmay do so in the future, but we can't guarantee thatThreadRngwill, in part because of Rust's lack of guarantees about what happens on thread destruction).ThreadRnghas always been a compromise between being an unpredictable generator and being fast (it also uses considerably more memory than something likeSmallRng, though also far less than it did in the distant past).I would prefer the project under-promise than over-promise when it comes to security. In particular, this means that anyone using
rand's functionality in a security-sensitive context needs to do their homework: what are their requirements and isgetrandom/OsRng/ThreadRngakarand::rng()appropriate for the job?