crypto

Module fortuna

Source
Expand description

An implementation of the Fortuna CSPRNG

First create a FortunaRng object using either the new_unseeded constructor or SeedableRng::from_seed. Additional entropy may be added using the method add_random_event, or the underlying RNG maybe reseeded directly by SeedableRng::reseed. Note that this is not recommended, since the generator automatically reseeds itself using the data provided by add_random_events through an accumulator. The accumulator is part of Fortuna’s design and using SeedableRng::reseed directly bypasses it.

Note that the underlying block cipher is AesSafe256Encryptor which is designed to be timing-attack resistant. The speed hit from this is in line with a “safety first” API, but be aware of it.

Fortuna was originally described in Practical Cryptography, Niels Ferguson and Bruce Schneier. John Wiley & Sons, 2003.

Comments throughout this file contain references of the form (PC 1.2.3); these refer to sections within this text.

§A note on forking

Proper behaviour for a CSRNG on a process fork is to reseed itself with the timestamp and new process ID, to ensure that after forking the child process does not share the same RNG state (and therefore the same output) as its parent.

However, this appears not to be possible in Rust, due to https://github.com/rust-lang/rust/issues/16799 The reason is that Rust’s process management all happens through its stdlib runtime, which explicitly does not support forking, so it provides no mechanism with which to detect forks.

What this means is that if you are writing forking code (using #![no_std] say) then you need to EXPLICITLY RESEED THE RNG AFTER FORKING.

Structs§

Constants§

  • Length in bytes that the first pool must be before a “catastrophic reseed” is allowed to happen. (A direct reseed through the SeedableRng API is not affected by this limit.)