Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security Implications of "caching randomness"

See original GitHub issue

There are some possible security implications of caching randomness as discussed here

Since the original ticket was about “mockability” of uuid, I’m opening this ticket for further discussion on the security implications.

The gist of the problem is:

Using crypto.randomBytes made it extremely hard (impossible) to know previous or predict future values generated by this library
In https://github.com/uuidjs/uuid/pull/435 this library started using a pool, which now makes it very easy to know previous and predict future values generated by looking at a memory dump

The question is should we care and why.

Issue Analytics

State:
Created 3 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

2reactions

simlucommented, Oct 7, 2020

[…] How does preallocation of random bytes change anything about this general problem that you may get with multiple continuations of the same snapshot of a container?

@ctavan I’d say that the main difference is that with one approach you can easily “flush” (i.e. wait for all externally triggered operations to complete), while there is no easy way of clearing the uuid cache (which you might not even know about).

I’m no expert by any means and hence posted on stackexchange here. Let’s see if we can get someone who is an expert!

0reactions

simlucommented, Aug 11, 2022

Sounds good. We’ve since moved away from this library to crypto.randomUUID, since uuid wasn’t working with our test library anymore after state aka caching of randomness was introduced. So I don’t really have a reason to persue this.

OK to remain closed 👍