jlleitschuh10/29/2018, 4:34 PM
which is awesome! I'm wondering why there wasn't an official Kotlin version of
added. Without an official
100% kotlin based crypto libraries can't be implemented without adding platform specific implementations. Dan Kaminsky did an interesting talk at defcon about why more standard libraries libraries should offer
by default. So many software security bugs have been caused purely because someone on the implementation side goofed and used a predictable Random number generator.
Mike10/29/2018, 4:41 PM
jlleitschuh10/29/2018, 4:47 PM
is a Pseudo Random Number Generator (PRNG). (A "linear congruential PRNG"). This means the next value can easily be calculated if you have two previous values. https://crypto.stackexchange.com/questions/51686/how-to-determine-the-next-number-from-javas-random-method I'm guessing that Kotlin's implementation of
is just using the java
on the JVM. @orangy am I correct?
Mike10/29/2018, 4:48 PM
orangy10/29/2018, 4:49 PM
ilya.gorbunov10/29/2018, 4:51 PM
jlleitschuh10/29/2018, 4:52 PM
. Kotlin would need to do something like that for the JVM and need to come up with a way of getting a secure random value from browsers in JS.
number generator. I know that if there's a goal to make
truly multi-platform, that library will need a
ilya.gorbunov10/29/2018, 4:54 PM
implementation and wrap it as Kotlin's Random class inheritor with
diesieben0710/29/2018, 4:54 PM
and it seems NodeJS does, too. So that could be used for a cross-platform implementation
ilya.gorbunov10/29/2018, 4:55 PM
louiscad10/29/2018, 4:58 PM
ilya.gorbunov10/29/2018, 5:00 PM
jlleitschuh10/29/2018, 5:01 PM
implementation to the standard library. Dan Kaminsky covers a wide range of topics in the video above, but the first chunk covers how because stdlibs don't make
a priority (eg. Java where
and, as such was clearly an afterthought). The problem with having a third party library implement
is that that exposes an additional piece of security overhead kotlin users. How do you know that you can trust the library you are getting your
implementation from? I think most people generally trust the Jetbrains team, but a
implementation isn't something that should just be entrusted externally lightly.
orangy10/29/2018, 5:03 PM
is only important if the system is exposed to some external interactions. E.g. for game level generation it’s not a problem and only exhaust entropy and slows everything down. But I’ll watch the video, thanks.
jlleitschuh10/29/2018, 5:07 PM
orangy10/29/2018, 5:10 PM
? That would avoid confusion a little bit…
jlleitschuh10/29/2018, 5:36 PM
. Not something like
. You may want to consider adding default
that takes no arguments use whatever "Secure Random" implementation is added. Then it's an opt-out of secure randomness instead an opt-in of secure randomness.
fun Random(): Random
DALDEI11/03/2018, 5:24 PM
jlleitschuh03/28/2019, 5:23 PM