Leaks state of RNG

[lucyllewy]

I believe that the current state of the PRNG is leaked into the file being created. This means that an adversary may be able to predict the next number in the sequence. Might be worth seeding an IV into the PRNG and using a complex algorithm to further obscure the state of the PRNG. Alternatively a true hardware RNG using quantum fluctuations as a source of entropy might improve the randomness and reduce the predictability of the output.

[geofft]

I don't think this is true: the internal state of a (properly functioning) CSPRNG is a different thing from its output, and the state cannot be calculated from the output.

From, e.g., Wikipedia's article on CSPRNGs: "Every CSPRNG should satisfy the next-bit test. That is, given the first k bits of a random sequence, there is no polynomial-time algorithm that can predict the (k+1)th bit with probability of success non-negligibly better than 50%." The output of OEE is a subset of the first k bits of a CSPRNG.

In particular, the SSL/TLS handshake involves both client and server providing random bytes to each other, generally from the OS' PRNG (and this data is unprotected over the wire because encryption hasn't been negotiated yet). If leaking this data leaks the internal state of the PRNG, then it would be unsafe to perform an SSL handshake over an untrusted network, or to connect to multiple servers or multiple clients without reinitializing the PRNG.

(Before PR #6, merged a little bit before this issue was opened, a non-cryptographically-secure PRNG was used, and I think your attack was much more plausible.)