* Add text about modulo bias
This Hacker News discussion:
https://news.ycombinator.com/item?id=32849145
Pointed out this potential issue. Let's note it.
* Remove extraneous period
* Fix typo
* Fix caps
* Fix italics markup
Signed-off-by: David A. Wheeler <[email protected]>
secure_software_development_fundamentals.md: 25 additions & 0 deletions
@@ -4429,6 +4429,29 @@ In summary: Make sure you use a strong, properly-implemented cryptographically s
> In 2006 Debian Linux made a change to its version of the widely-used OpenSSL cryptographic library to attempt to remove a warning. However, the change was made by someone not well-versed in cryptography and unintentionally subverted OpenSSL's random number generator for keys on Debian. There was a brief attempt to communicate with the upstream OpenSSL library developers, but there was no attempt to propose the change back to the OpenSSL project so that the OpenSSL project could verify that the change was harmless. This meant that all keys generated via OpenSSL by Debian, as well as Ubuntu (which is based on Debian), were insecure until the vulnerability was found in 2008. This included OpenSSH keys generated by calling OpenSSL. This vulnerability was given the identifier [CVE-2008-0166](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166). Seven years later, Ben Cox reported that a large number of vulnerable keys created from this mistake were still in use and some had control over important GitHub repositories. These included repositories of Spotify, Yandex, the cryptographic libraries for Python, and Python’s core. (Ben Cox, “[Auditing GitHub users’ SSH key quality](https://blog.benjojo.co.uk/post/auditing-github-users-keys)”, 2015). This example shows how important cryptographically secure random values can be.
+
If you need a cryptographically random number in a range
+
(e.g., an integer from 0 to a number N),
+
do **not** simply use the modulus or remainder operators.
+
Many programmers incorrectly *think* it's fine to directly use the
+
modulus or remainder operators (e.g., `%` or `mod` in many languages)
+
for this purpose.
+
However, this often causes some numbers to be more likely than others,
+
a problem called *modulo bias*.
+
Modulo bias can sometimes lead to system exploitation.
+
(Yolan Romailler,
+
[*The definitive guide to “Modulo Bias and how to avoid it”!*](https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/))
+
+
If you need a cryptographically random number in a range, don't use modulus
+
or remainder operators directly - instead, use an existing
+
function that provides *unbiased* cryptographically random numbers in a range.
+
Most CSPRNG libraries provide this function - just check that it's unbiased.
+
If you must implement this yourself, there are various methods such
+
as rejection sampling,
+
[nearly-divisionless random numbers per Daniel Lemire's algorithm](https://dotat.at/@/2020-10-29-nearly-divisionless-random-numbers.html), or
+
[divisionless random numbers per Steve Cannon and Kendall Willets](https://dotat.at/@/2022-04-20-really-divisionless.html).
+
However, you should normally just use the CSPRNG library function
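Review bot: the range in the first added sentence, "an integer from 0 to a number N", should say whether N is included, because whether `%` is biased depends on whether the divisor (N or N+1) divides the generator's output range exactly; suggest "an integer from 0 to N-1 (i.e., `x % N`)" or "0 through N inclusive" so the reader knows which divisor is meant. For the same reason, "this often causes some numbers to be more likely than others" would be more precise with the one case where the remainder is unbiased named: when the divisor divides the source range exactly (e.g., a power-of-two divisor applied to a uniform 32-bit value), every output is equally likely, and the bias appears only when it does not. The second paragraph also reopens with "If you need a cryptographically random number in a range, don't use modulus or remainder operators directly", which repeats the opening sentence of the first paragraph; the two could be merged so the advice is stated once, followed directly by "instead, use an existing function that provides *unbiased* cryptographically random numbers in a range."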
Rogers, Tony, *Falsehoods Programmers Believe About Names - With Examples*, 2018 ([https://shinesolutions.com/2018/01/08/falsehoods-programmers-believe-about-names-with-examples/](https://shinesolutions.com/2018/01/08/falsehoods-programmers-believe-about-names-with-examples/))
+
Romailler, Yolan, *The definitive guide to “Modulo Bias and how to avoid it”!* (<https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/>)
+
Royce, Winston W., *Managing the Development of Large Systems: Concepts and Techniques*, 1970 ([https://dl.acm.org/doi/10.5555/41765.41801](https://dl.acm.org/doi/10.5555/41765.41801))
Rust Programming Language, *Recoverable Errors with Result* ([https://doc.rust-lang.org/book/ch09-02-recoverable-errors-with-result.html](https://doc.rust-lang.org/book/ch09-02-recoverable-errors-with-result.html))
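Review bot: the new Romailler entry does not follow the formatting of the neighbouring references: Rogers, Royce and Rust all wrap the URL as `([https://...](https://...))`, while the added line uses the autolink form `(<https://...>)`, and the entry carries no year although Rogers (2018) and Royce (1970) do and the URL path gives 2020. Suggest: `Romailler, Yolan, *The definitive guide to “Modulo Bias and how to avoid it”!*, 2020 ([https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/](https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/))`.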