Remove ZrtpFortuna, use SecureRandom instead #5
We are not reseeding Fortuna RNG,
so we are not sure it's still safe to use
See FortunaGenerator doc (Adding Random Data)
Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
It's OK to modify the ZRTP4J sources for your project, however not every system may have a sufficiently secure random generator, thus the generic ZRTP4J project should still use it.
Hi @wernerd, What you are telling me is that you take an insecure seed (if SecureRandom is insecure), put it into FortunaGenerator and it becomes magically secure?
If you don't seed or re-seed a random number generator then it's not safe to use
Actually, there is no such thing as a "secure seed", the data used to seed the
See the Wikipedia about the Fortuna generator regarding its properties. Just two
"Fortuna is a cryptographically secure pseudorandom number generator (PRNG) ... "
"Unless an attacker is able to control all the sources of alleged entropy flowing
On 04.04.2016 at 16:42, champtar wrote:
Fortuna is 'secure' if the application feeds some entropy from a/several source(s)
The link to the Wikipedia: https://en.wikipedia.org/wiki/Fortuna_(PRNG)
BTW, the current Fortuna implementation does not store a seed file, it requires seeding
Werner
Werner Dittmann
I have a pending PR to remove all ZrtpFortuna from jitsi jitsi/libjitsi#113 (my project is jitsi). I know that Fortuna is a CSPRNG, the problem is that you have to implement and use it the right way. As most of the time in crypto, the problem is not the algo, it's the implementation. In this specific case, the entropy gathering depends on audio noise gathering. The problem with ZrtpFortuna/FortunaGenerator is that there is no failsafe: if you don't gather entropy/reseed it, it still outputs 'pseudo-random' data, without warning or exception.
Etienne
On 04.04.2016 at 20:13, champtar wrote:
If jvb does not use audio: why do you need ZRTP then? ZRTP in Jitsi requires
It's clearly stated in the Fortuna documentation that the application has to
For a developer of secure communication clients it's of paramount importance to
Thus you are free to use Fortuna in a VM as long as the application can provide
Werner
Werner Dittmann
And it's clearly NOT stated in ZrtpFortuna doc (just read it twice) that you MUST provide entropy. I agree we can find ways to provide entropy, but it's really too easy to use it in unsafe ways. I know Linux is using a CSPRNG, the difference is that the entropy gathering is always taken care of. All Java implementations on all platforms have had SecureRandom for quite some time, why not use it now? Also jitsi/libjitsi#113 is now merged so there is no ZrtpFortunaEntropyGatherer anymore, so please merge this.
@wernerd There's no use of ZRTP in the Videobridge. However we used ZrtpFortuna as the default random source for ZRTP, then SDES and then DTLS. Reseeding of Fortuna never happened in Jitsi. And the supposedly random initialization with audio noise also wasn't happening (at least on some systems) because the capture device simply provided zeros, likely because of noise cancellation. This was a major #fail because we seeded Fortuna with zero (until jitsi/libjitsi@8648e19). I'm not sure if this PR is the right way to go, but I agree with @champtar that ZrtpFortuna is dangerous and detrimental to the intended goal of making things more secure.
thanks @ibauersachs
ZrtpFortuna is just a wrapper to Fortuna, not the real generator. It's the "Fortuna" documentation
Feel free to do whatever you want in your project :-) - that's the beauty of open
Werner
On 05.04.2016 at 09:06, champtar wrote:
Werner Dittmann
@wernerd I know FortunaGenerator doc is explicit, but ZrtpFortuna is not!
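The two failure modes raised in this thread (output requested before any entropy was added, and seeding from an all-zero capture buffer) can be made to fail loudly instead of silently. The following is an added example, not code from ZRTP4J, libjitsi or this PR; the class `FailClosedRandom`, its thresholds, and the use of `java.security.SecureRandom` as the backing generator are assumptions made for illustration.

```java
import java.security.SecureRandom;

/** Hypothetical fail-closed wrapper; not part of ZRTP4J or libjitsi. */
public final class FailClosedRandom {
    private static final int MIN_SEED_BYTES = 32; // assumed policy threshold
    private static final int MIN_DISTINCT = 16;   // assumed policy threshold
    private final SecureRandom rng = new SecureRandom();
    private boolean seeded = false;

    public FailClosedRandom() {
        // Draw once so the platform self-seeds; later setSeed() calls then
        // supplement that seed instead of replacing it.
        rng.nextBytes(new byte[1]);
    }

    /** Crude sanity check (not an entropy estimate): flags short or
     *  near-constant buffers, e.g. a capture device returning only zeros. */
    static boolean looksDegenerate(byte[] sample) {
        if (sample == null || sample.length < MIN_SEED_BYTES) return true;
        boolean[] seen = new boolean[256];
        int distinct = 0;
        for (byte b : sample) {
            if (!seen[b & 0xff]) { seen[b & 0xff] = true; distinct++; }
        }
        return distinct < MIN_DISTINCT;
    }

    public synchronized void addEntropy(byte[] sample) {
        if (looksDegenerate(sample)) {
            throw new IllegalArgumentException("seed rejected: short or near-constant");
        }
        rng.setSeed(sample);
        seeded = true;
    }

    public synchronized void nextBytes(byte[] out) {
        if (!seeded) throw new IllegalStateException("no entropy added yet");
        rng.nextBytes(out);
    }

    public static void main(String[] args) {
        FailClosedRandom r = new FailClosedRandom();
        try { r.nextBytes(new byte[16]); }
        catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage()); }
        try { r.addEntropy(new byte[1024]); } // constructed sample: all-zero buffer
        catch (IllegalArgumentException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

The distinct-byte count only catches grossly broken inputs such as a muted microphone; it says nothing about how much entropy a buffer that passes actually contains.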