mercredi 13 février 2019

Random bytes and encodings

I have a function that needs a random sequence of bytes as input (e.g. a salt for hashing a password). I generate that string using a CSPRNG function and then encode in to base64.
Now I pass that string to the function that needs it, but that function works with bytes, so if it receive a string it turns it into a byte-buffer by reading the string as utf8. The string given as input is not the same sequence of bytes generated with the CSPRNG function but is the utf8 decoded string of the base64 encoded random bytes. So if I generate N bytes, the transformations with encodings turns it in 4/3*N bytes. Can I assume that these expanded bytes are still random after the transformations? Are there any security implications?

Here's a pseudo code to make it more clear:

function needsRandBytes(rand) {
  if (typeof rand == 'string') {
    rand = Buffer.from(rand, 'utf8'); // here's the expansion
  }

  // use the rand bytes...
}

randBytes = generateRandomBytes(N); // cryptographically secure function
randString = randBytes.toString('base64');

needsRandBytes(randString);




Aucun commentaire:

Enregistrer un commentaire