-
Notifications
You must be signed in to change notification settings - Fork 316
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(nns): More secure random numbers. #1633
Conversation
8b8e0a7
to
3f1cd9e
Compare
3f1cd9e
to
d1ddc53
Compare
f84b6ab
to
9e21bb2
Compare
e539d69
to
1fb3d54
Compare
1ad6639
to
f012787
Compare
3e6ea3a
to
34d5166
Compare
bc14caa
to
8400d2f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than my other comment on the timer, LGTM.
I agree it's a good compromise between efficiency and secrecy of the seed to periodically generate a new seed for the CSPRNG.
I agree the deterministic fallback for swap time is good enough.
Also the fact that you only allow the proto to affect the seed on restoring and not when creating a new Governance is good. If you want to be extra careful in this regard you could also generate a warning if the proto unexpectedly has the seed set to Some()
.
You maybe saw this already, but I changed title + description. Feel free to make further changes (or revert). I think my title is more informative (and more concise!), because "secure" is more precise than just "better". E.g. faster is a different way of being better, but faster is neither the intended, nor implemented. TangentIn general, we should refrain from describing changes as "better", "improve", etc, because that goes without saying. Instead, we should be specific. More concretely, we should instead answer, "In what regard is this better?". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Result -> sad
847e665
to
7006382
Compare
In NNS Governance. This is done by reseeding every hour. The seed is sourced from the raw_rand method of the management canister, and because of this, these seeds are "as secure as it gets". This is a compromise between speed and security that DFINITY's security team is ok with. Currently, there is no need for secure RNs. However, that could come up in the future, and when it does, it would be too easy for us to overlook (without this change). --------- Co-authored-by: IDX GitHub Automation <[email protected]>
In NNS Governance.
This is done by reseeding every hour. The seed is sourced from the raw_rand method of the management canister, and because of this, these seeds are "as secure as it gets". This is a compromise between speed and security that DFINITY's security team is ok with.
Currently, there is no need for secure RNs. However, that could come up in the future, and when it does, it would be too easy for us to overlook (without this change).