Is JavaScript's Math.random() cryptographically secure?
Original source: http://stackoverflow.com/questions/5651789/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Is Math.random() cryptographically secure?
Asked by grep
How good are algorithms used in Javascript Math.random() in different browsers? Is it okay to use it for generating salts and one-time passwords?
How many bits from one random can I use?
Accepted answer by Teoman Soygul
Nope; JavaScript's Math.random() function is not a cryptographically-secure random number generator. You are better off using the JavaScript Crypto Library's Fortuna implementation which is a strong pseudo-random number generator (have a look at src/js/Clipperz/Crypto/PRNG.js), or the Web Crypto API for getRandomValues
- Here is a detailed explanation: How trustworthy is javascript's random implementation in various browsers?
- Here is how to generate a good crypto grade random number: Secure random numbers in javascript?
Answer by Bruno Rohée
It is not secure at all, and in some cases was so predictable you could rebuild internal state of the PRNG, deduct the seed and thus could use it to track people across websites even if they didn't use cookies, hid behind onion routing etc...
http://landing2.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf a 2008 paper exposing the user tracking possibilities of the browser weak PRNG
http://dl.packetstormsecurity.net/papers/general/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf a later (2009) Chrome vulnerability, as the problem was already well known
Answer by Kevin Hakanson
As of March 2013, window.crypto.getRandomValues is an "experimental technology" available since Chrome 11 and Firefox 21 that lets you get cryptographically random values. Also, see getRandomValues from the latest W3C Web Cryptography API draft.
Description:
If you provide an integer-based TypedArray (i.e. Int8Array, Uint8Array, Int16Array, Uint16Array, Int32Array, or Uint32Array), the function is going to fill the array with cryptographically random numbers. The browser is supposed to be using a strong (pseudo) random number generator. The method throws the QuotaExceededError if the requested length is greater than 65536 bytes.
Example:
var array = new Uint32Array(10);
window.crypto.getRandomValues(array);
console.log("Your lucky numbers:");
for (var i = 0; i < array.length; i++) {
    console.log(array[i]);
}
Also, an answer to How random is JavaScript's Math.random? refers to Temporary user tracking in major browsers and Cross-domain information leakage and attacks from 2008 which discusses how the JavaScript Math.random() function leaks information.
Update: For current browser support status, check out the Modern.IE Web Crypto API section, which also links to the Chrome, Firefox, and Safari bug reports.
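An added example, not part of the original answers: the salts and one-time passwords the question asks about, built on getRandomValues. It requests bytes in chunks to stay under the 65536-byte quota described above and uses rejection sampling so every digit is equally likely. The function names and the 16-byte salt default are assumptions.

```javascript
// Added example: Web Crypto replacements for Math.random()-based salts and OTPs.
// Works in browsers and in Node.js (falls back to node:crypto's webcrypto).
const webCrypto = globalThis.crypto ||
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

const QUOTA = 65536; // getRandomValues throws QuotaExceededError above this many bytes

// Fill a buffer of any size by requesting at most QUOTA bytes per call.
function randomBytes(length) {
  const out = new Uint8Array(length);
  for (let off = 0; off < length; off += QUOTA) {
    webCrypto.getRandomValues(out.subarray(off, Math.min(off + QUOTA, length)));
  }
  return out;
}

// Uniform integer in [0, max) via rejection sampling: a plain `x % max`
// would favour small results whenever 2^32 is not a multiple of max.
function randomInt(max) {
  if (!Number.isInteger(max) || max < 1 || max > 0x100000000) {
    throw new RangeError('max must be an integer in [1, 2^32]');
  }
  const limit = Math.floor(0x100000000 / max) * max; // largest multiple of max <= 2^32
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % max;
}

// Hex-encoded salt; 16 bytes (128 bits) is an assumed default, not from the page.
function makeSalt(byteLength = 16) {
  return Array.from(randomBytes(byteLength), b => b.toString(16).padStart(2, '0')).join('');
}

// Numeric one-time password, each digit drawn independently and uniformly.
function makeOtp(digits = 6) {
  let otp = '';
  for (let i = 0; i < digits; i++) otp += randomInt(10);
  return otp;
}
```

A one-time password that the server must later verify still has to be generated on the server, as the answer below argues; the same functions run unchanged in Node.js.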
Answer by Daniel Böhmer
Because you cannot know the exact implementation of the browser (except for closed user groups like for your business intranet) I would generally consider the RNG weak.
Even if you can identify the browser you don't know if the browser itself or any other browser's agent ID is manipulated. If you can you should generate the number on the server.
Even if you include a good PRNG in your JavaScript your server cannot know whether the request from the client originates from an unmodified script. If the number goes into your database and/or is used as a cryptographic tool it is no good idea to trust the data from the client at all. That is true not only for validity (You do validate all data coming from the client, don't you?) but also for general properties like randomness.
Answer by DecKno
Math.random() is not cryptographically secure. Also Veracode will point out this occurrence with CWE-331 (Insufficient Entropy).
We could make use of SecureRandom to implement similar functionality.
new SecureRandom().nextDouble();