Support is provided on a best-effort bases only. No binding guarantees can be provided.
Rand provides the trait rand_core::CryptoRng
aka rand::CryptoRng
as a marker trait. Generators implementating RngCore
and CryptoRng
, and given the additional constraints that:
SeedableRng
) are constructed with cryptographically secure seed valuesare expected to provide the following:
For some RNGs, notably OsRng
, ThreadRng
and those wrapped by ReseedingRng
, we provide limited mitigations against side-channel attacks:
Additionally, derivations from such an RNG (including the Rng
trait, implementations of the Distribution
trait, and seq
algorithms) should not introduce signficant bias other than that expected from the operation in question (e.g. bias from a weighted distribution).
We will attempt to uphold these premises in the following crate versions, provided that only the latest patch version is used, and with potential exceptions for theoretical issues without a known exploit:
Crate | Versions | Exceptions |
---|---|---|
rand | 0.7 | |
rand | 0.5, 0.6 | Jitter |
rand | 0.4 | Jitter, ISAAC |
rand_core | 0.2 - 0.5 | |
rand_chacha | 0.1 - 0.2 | |
rand_hc | 0.1 - 0.2 |
Explanation of exceptions:
JitterRng
is used as an entropy source when the primary source fails; this source may not be secure against side-channel attacks, see #699.thread_rng
is difficult to analyse and thus cannot provide strong assertions of security.In rand
version 0.3 (0.3.18 and later), if OsRng
fails, thread_rng
is seeded from the system time in an insecure manner.
To report a vulnerability, open a new issue. Once the issue is resolved, the vulnerability should be reported to RustSec.