I am working on a software that also generates passwords. It does it basically this way:
static char AllowedChars[] = {...}
static int passwordLength = 123;
std::string password;
std::random_device rd;
std::mt19937 mt(rd());
std::uniform_int_distribution<int> dist(0, sizeof(AllowedChars) - 1);
for (int i = 0; i < passwordLength; ++i) {
int index = dist(mt);
password.push_back(AllowedChars[index]);
}
How can I know, that this algorithm creates cryptographically secure passwords?
I know that random_device is dependent on the compiler, target platform, its own version, etc. I also cannot rely on the output of methods like std::random_device::entropy, since it may be just a fixed value. See: http://www.pcg-random.org/posts/cpps-random_device.html
I also cannot do black box testing of its output: https://security.stackexchange.com/questions/83254/how-to-check-randomness-of-random-number-generators
How can I know which "source of randomness" (i.e. which RNG) is used? And if the seed has enough entropy? (Obviously, this must be done on the compiled binary, since static source code cannot reveal these details.) With this output I could verify that a CSPRNG is used.
Aucun commentaire:
Enregistrer un commentaire