randomBytes is not random enough

[daviddahl]

https://github.com/evanvosberg/crypto-js/blob/59e465a8055946e84099bfaa8d9ce0e1d1371f51/src/core.js#L274-L281

This is not generating sufficiently random bytes. Math.random was never intended for use in cryptographic applications.

see:
https://code.google.com/p/chromium/issues/detail?id=246054

[ghost]

This repository provides just the latest version as a modularized port of https://code.google.com/p/crypto-js/ project.

You should report this issue directly to this project.

The project owner is Jeff.Mott.OR, I also found a github user @Jeff-Mott-OR, but I'm not sure whether he is the same guy. But 6 months ago he did some activity on his repository CryptoJS, but this repository doesn't exists anymore.

[19h]

@daviddahl you can implement more sophisticated entropy, randomized seeds. Javascript wasn't designed for cryptography, so you'd have to implement a stronger generator. For instance, try seeding a curve-based generator and re-seed it per round, then fallback, switch to another generator, etc. it gets better with more entropy.

Here's a custom generator using Donald Knuth's linear congruential pseudo-random number generator (described in Art of Computer Programming - Volume 2: Seminumerical Algorithms, section 3.2.1):

    random: function (nBytes) {
        var words = [];

        var r = (function (m_w) {
            var m_w = m_w;
            var m_z = 0x3ade68b1;
            var mask = 0xffffffff;

            return function () {
                m_z = (0x9069 * (m_z & 0xFFFF) + (m_z >> 0x10)) & mask;
                m_w = (0x4650 * (m_w & 0xFFFF) + (m_w >> 0x10)) & mask;
                var result = ((m_z << 0x10) + m_w) & mask;
                result /= 0x100000000;
                result += 0.5;
                return result * (Math.random() > .5 ? 1 : -1);
            }
        });

        for (var i = 0, rcache; i < nBytes; i += 4) {
            var _r = r((rcache || Math.random()) * 0x100000000);

            rcache = _r() * 0x3ade67b7;
            words.push((_r() * 0x100000000) | 0);
        }

        return new WordArray.init(words, nBytes);
    }

I added the rcache to seed the next round independently from the current round, it's still predictable if you control all parameters and have physical access to the engines' own seed. AFAIK in Chrome a new seed is generated each time a window is opened; this is different in ES6, where a new seed is generated per call. Needs reference

[ghost]

Please create a pull request with your fix on the develop branch.

Is there somebody up to review it?

[ghost]

Done in 3.2.1-4, special thanks to @KenanSulayman

[andidev]

@KenanSulayman
Is 'ryptoJS.lib.WordArray.random' as secure as using browsers built in 'window.crypto.getRandomValues' function?