A cryptographically secure PRNG (crypto.getRandomValues) should be used instead of Math.random
shea256 opened this issue · 2 comments
It is critical that this library be updated to use a cryptographically secure pseudo-random number generator.
Math.random is not considered secure, while window.crypto.getRandomValues is:
http://stackoverflow.com/questions/5651789/is-math-random-cryptographically-secure
http://stackoverflow.com/questions/578700/how-trustworthy-is-javascripts-random-implementation-in-various-browsers
http://stackoverflow.com/questions/4083204/secure-random-numbers-in-javascript
https://dl.packetstormsecurity.net/papers/general/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf
https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
Here's how to get random bytes with window.crypto.getRandomValues:
var array = new Uint8Array(32)
var randomBytes = window.crypto.getRandomValues(array)
Awesome, and thank you for such a quick turnaround! 💯 🚀
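An added example, not code from the issue or from the library: replacing Math.random-style calls with window.crypto.getRandomValues usually also means producing integers in a range, where a plain modulo of the random value is biased. The helper names (getSecureSource, secureRandomBytes, secureRandomInt, secureRandomHex) are hypothetical, and the Node fallback is an assumption so the block also runs outside a browser.

```javascript
// Added example; helper names are hypothetical, not the library's API.
// Prefer the global Web Crypto object; fall back to Node's webcrypto if absent.
function getSecureSource() {
  const source = globalThis.crypto ||
    (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
  if (!source || typeof source.getRandomValues !== 'function') {
    // Fail closed: never silently fall back to Math.random.
    throw new Error('No cryptographically secure random source available');
  }
  return source;
}

// Return `length` bytes from the CSPRNG (the same call shown in the issue).
function secureRandomBytes(length) {
  return getSecureSource().getRandomValues(new Uint8Array(length));
}

// Uniform integer in [0, max) using rejection sampling.
// `value % max` alone is biased whenever 2^32 is not a multiple of max.
function secureRandomInt(max) {
  if (!Number.isInteger(max) || max <= 0 || max > 0x100000000) {
    throw new RangeError('max must be an integer in 1..2^32');
  }
  // Largest multiple of max that fits in 32 bits; draws at or above it are discarded.
  const limit = Math.floor(0x100000000 / max) * max;
  const buf = new Uint32Array(1);
  const source = getSecureSource();
  let value;
  do {
    source.getRandomValues(buf);
    value = buf[0];
  } while (value >= limit);
  return value % max;
}

// Lowercase hex encoding of `byteLength` random bytes, e.g. for tokens or IDs.
function secureRandomHex(byteLength) {
  return Array.from(secureRandomBytes(byteLength),
    (b) => b.toString(16).padStart(2, '0')).join('');
}
```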