Collaborate Disseminate
I need some viable sources for entropy to seed a CSPRNG.
So far, I have:
JS Events
Web Crypto API
performance.now()
Timing for xmlHTTPRequests
etc.
Are there any other viable/secure entropy sources that I can use/access i… Continue reading What are some viable, secure sources of entropy for a CSPRNG?
This question builds off of this question.
I want to create more entropy from a viable entropy source to seed another CSPRNG.
If I use
window.crypto.getRandomValues(newUint8Array(1))
To seed a CSPRNG, is that less entro… Continue reading Is getting 1-2 outputs from a CSPRNG to seed another CSPRNG less entropy than getting say 5000 outputs from a CSPRNG and using that to seed?
Say I have Math.random() (which supposedly generates ~32 bits of entropy.)
If I use Math.random() + Math.random(), both of them generate ~32 bits of entropy.
I will use the solution of Math.random() + Math.random() to seed a… Continue reading Is using multiple instances of a browser-PRNG to seed another PRNG more secure?
I am using zip 3.0.0 on macOS High Sierra and Ubuntu. Here is my zip version on macOS:
$ zip –version | head
Copyright (c) 1990-2008 Info-ZIP – Type ‘zip "-L"’ for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
… Continue reading How long should zip encryption password be for it take 10 years to crack?
How can you generate a cryptographically safe integer that falls within a range in C#? I am trying to satisfy a Veracode issue reporting CWE-331: Insufficient Entropy. Obviously the code below is not cryptographically secure…. Continue reading Generate cryptographically safe int
The premise: Knowing a persons password history should provide information to help when guessing a new password of theirs.
At an extreme end, with a password history of wildcats, wildcats1, then wildcats2, I’d guess there is… Continue reading When knowing an individual’s plaintext password history, how much information is expected to be gained with a new password? Do we know this?
I’m trying to compare two techniques for generating an OAuth 2 PKCE code_verifier.
For each character, get a random byte and “mod 66” to map to one of the 66 valid characters.
For each character, get a random byte and “mod … Continue reading Generating a secret token: security concerns other than min-entropy?
Let’s say I need to generate a 32-character secret comprised of ASCII characters from the set ‘0’..’9′. Here’s one way of doing it:
VALID_CHARS = ‘0123456789’
generate_secret_string() {
random = get_crypto_random_bytes… Continue reading Determining the entropy of a string if each character has a slight bias
Would using a 256-bit binary string, for e.g.
0000001100101011100101110101101000101000011001011010000111010100000011101100011111110010001000101010010010101101111100010011100111011100110110101001111001110110100011001010100110… Continue reading 256-bit Symmetric Keys As Passwords
It’s always been told that ECDSA is more secure “per bit of key size”, such that it offers same security with a shorter key, or offers stronger security with the same key length.
However, per my understanding, if the length … Continue reading How can ECDSA offer stronger security with the same key length (same amount of entropy)?