Sysrandom
Secure random number generation for Ruby using system RNG facilities e.g. /dev/urandom
, getrandom(2)
Description
Concerns have been raised about the current implementation of Ruby’s built-in
SecureRandom
functionality, as it presently leverages the poorly reputed OpenSSL RNG.
In cryptography circles, the prevailing advice is to use OS RNG functionality,
namely /dev/urandom
or equivalent calls which use an OS-level CSPRNG to
produce random numbers.
This gem provides an easy-to-install repackaging of the randombytes
functionality from libsodium for the purpose of generating secure random
numbers trustworthy for use in cryptographic contexts, such as generating
cryptographic keys, initialization vectors, or nonces.
The following random number generators are utilized:
OS | RNG |
---|---|
Linux | getrandom(2) if available, otherwise /dev/urandom |
Windows | RtlGenRandom |
OpenBSD | arc4random(3) with ChaCha20 CSPRNG (not RC4) |
JRuby | SecureRandom.getInstanceStrong if available, otherwise SHA1PRNG |
Others | /dev/urandom |
Supported Platforms
Sysrandom is tested on the following Ruby implementations:
- Ruby (MRI) 2.0, 2.1, 2.2, 2.3
- JRuby 9.1.1.0
Installation
Add this line to your application’s Gemfile:
ruby
gem 'sysrandom'
And then execute:
$ bundle
Or install it yourself as:
$ gem install sysrandom
Usage
Sysrandom
aims to be API-compatible with Ruby’s built-in SecureRandom
class,
but always prefers OS-level RNG wherever it’s available:
ruby
>> Sysrandom.random_number(42)
=> 15
>> Sysrandom.random_bytes(32)
=> "\xD6J\xB3\xD2\x8B\x7F*9D\xB7\xF9\xEA\xE2\\\xAAH\tV#\xEC\x84\xE3E\r\x97\xB9\b\xFCH\x17\xA0\v"
>> Sysrandom.base64(32)
=> "WXPkxfAuLRpnI6Z4zFb4E+MIenx6w6vKhe01+rMPuIQ="
>> Sysrandom.urlsafe_base64(32)
=> "37rsMfR4X8g7Bb-uDJEekRHnB3r_7nO03cv52ilaWqE="
>> Sysrandom.hex(32)
=> "c950496ce200abf7d18eb1414e9206c6335f971a37d0394114f56439b59831ba"
>> Sysrandom.uuid
=> "391c6f52-8017-4838-9790-131a9b979c63"
Patching SecureRandom with Sysrandom
Since Sysrandom is SecureRandom-compatible, it can be patched in-place of SecureRandom if you prefer its RNG behavior.
To do this, require sysrandom/securerandom
:
ruby
>> SecureRandom
=> SecureRandom
>> require "sysrandom/securerandom"
=> true
>> SecureRandom
=> Sysrandom
>> SecureRandom.hex(32)
=> "d1bbe8c1ab78fc2fe514c5623d913a27ffd2dcdc9e002f3b358bb01a996962f1"
Contributing
- Fork this repository on Github
- Make your changes and send a pull request
- If your changes look good, we’ll merge them
Copyright
Copyright (c) 2013-2016 Frank Denis, Tony Arcieri. See LICENSE.txt for further details.