3

How does Web Cryptography API (eg window.crypto.getRandomValues) produce secure PRNG?

Specifications:

How can the method be trusted? Or is it even trustworthy?

e-sushi
  • 17,891
  • 12
  • 83
  • 229
pinhead
  • 245
  • 1
  • 7

1 Answer

6

How does Web Cryptography API (eg window.crypto.getRandomValues) produce secure PRNG?

Like the specification says:

Implementations should generate cryptographically random values using well-established cryptographic pseudo-random number generators seeded with high-quality entropy, such as from an operating-system entropy source (e.g., "/dev/urandom").

If the OS gives sufficient entropy and the PRNG is cryptographically strong, that is a secure PRNG setup.

How can the method be trusted? Or is it even trustworthy?

If you don't trust the browser vendor to not be malicious, you can't do crypto in the browser, period.

E.g. WebKit-based browsers (Chrome¹, Safari) seem to use an ARC4-based RNG that drops the early keystream and mixes in OS entropy every ~1.5MB. That can be secure, if correctly implemented.

¹ Nowadays Chrome and Chromium use Blink, which does not use ARC4, but uses OS RNGs directly.

otus
  • 32,132
  • 5
  • 70
  • 165
  • I don't think this answer quite goes into enough detail. For instance, the crypto.getRandomValues method fills a typed array e.g. Uint32Array with random numbers. However if it was using the OS's underlying CSPRNG e.g. /dev/urandom, that would return random bytes - so how does it turn those bytes into numbers that fit into the size of the typed array? Can you expand on that? – NDF1 Jul 07 '14 at 20:38
  • 2
    @NDF1, a random uint32 is just assigned 4 random bytes. Anyway, it doesn't use /dev/u?random directly, but only to instantiate/stir a PRNG, which can have interfaces for returning random numbers of arbitrary type. – otus Jul 07 '14 at 21:37