entropy – Page 7 – WindowsTechs.com

Is getting 1-2 outputs from a CSPRNG to seed another CSPRNG less entropy than getting say 5000 outputs from a CSPRNG and using that to seed?

Posted on August 27, 2019 by mngxyuiso

This question builds off of this question.
I want to create more entropy from a viable entropy source to seed another CSPRNG.
If I use

window.crypto.getRandomValues(newUint8Array(1))

To seed a CSPRNG, is that less entro… Continue reading Is getting 1-2 outputs from a CSPRNG to seed another CSPRNG less entropy than getting say 5000 outputs from a CSPRNG and using that to seed?→

Is using multiple instances of a browser-PRNG to seed another PRNG more secure?

Posted on August 27, 2019 by kNBDGYUIWKm

Say I have Math.random() (which supposedly generates ~32 bits of entropy.)
If I use Math.random() + Math.random(), both of them generate ~32 bits of entropy.

I will use the solution of Math.random() + Math.random() to seed a… Continue reading Is using multiple instances of a browser-PRNG to seed another PRNG more secure?→

How long should zip encryption password be for it take 10 years to crack?

Posted on August 9, 2019 by Lone Learner

I am using zip 3.0.0 on macOS High Sierra and Ubuntu. Here is my zip version on macOS:
$ zip –version | head
Copyright (c) 1990-2008 Info-ZIP – Type ‘zip "-L"’ for software license.
This is Zip 3.0 (July 5th 2008), by Info-ZIP.
… Continue reading How long should zip encryption password be for it take 10 years to crack?→

Generate cryptographically safe int

Posted on August 5, 2019 by Hoppe

How can you generate a cryptographically safe integer that falls within a range in C#? I am trying to satisfy a Veracode issue reporting CWE-331: Insufficient Entropy. Obviously the code below is not cryptographically secure…. Continue reading Generate cryptographically safe int→

When knowing an individual’s plaintext password history, how much information is expected to be gained with a new password? Do we know this?

Posted on June 21, 2019 by gnulynnux

The premise: Knowing a persons password history should provide information to help when guessing a new password of theirs.

At an extreme end, with a password history of wildcats, wildcats1, then wildcats2, I’d guess there is… Continue reading When knowing an individual’s plaintext password history, how much information is expected to be gained with a new password? Do we know this?→

Generating a secret token: security concerns other than min-entropy?

Posted on May 27, 2019 by Kannan Goundan

I’m trying to compare two techniques for generating an OAuth 2 PKCE code_verifier.

For each character, get a random byte and “mod 66” to map to one of the 66 valid characters.
For each character, get a random byte and “mod … Continue reading Generating a secret token: security concerns other than min-entropy?→

Determining the entropy of a string if each character has a slight bias

Posted on May 23, 2019 by Kannan Goundan

Let’s say I need to generate a 32-character secret comprised of ASCII characters from the set ‘0’..’9′. Here’s one way of doing it:

VALID_CHARS = ‘0123456789’

generate_secret_string() {
random = get_crypto_random_bytes… Continue reading Determining the entropy of a string if each character has a slight bias→

256-bit Symmetric Keys As Passwords

Posted on May 21, 2019 by Woodstock

Would using a 256-bit binary string, for e.g.

0000001100101011100101110101101000101000011001011010000111010100000011101100011111110010001000101010010010101101111100010011100111011100110110101001111001110110100011001010100110… Continue reading 256-bit Symmetric Keys As Passwords→

How can ECDSA offer stronger security with the same key length (same amount of entropy)?

Posted on May 10, 2019 by iBugSec

It’s always been told that ECDSA is more secure “per bit of key size”, such that it offers same security with a shorter key, or offers stronger security with the same key length.

However, per my understanding, if the length … Continue reading How can ECDSA offer stronger security with the same key length (same amount of entropy)?→

Is Diceware more secure than a long passphrase?

Posted on April 24, 2019 by MechMK1

I recently investigated best-practices in regards to passwords, and the overwhelming majority of sources recommended using a password manager. This is great advice, but not usable in every situation. Certain situations, such … Continue reading Is Diceware more secure than a long passphrase?→