In #13 (see here) @pitdicker expresses his reservations about CSPRNGs revealing their internal state easily via serialization. I point out that APIs can't provide memory protection anyway.
Anyone else have an opinion?
My thoughts:
- It's not that important for CSPRNGs to implement serialization, but there has been interest in at least simpler PRNGs having serialization, and uniformity is generally better
- The suggested alternative is not so easily or generally workable
- Presumably anyone who is able to serialize a CSPRNG could also get its state some other way (such as transmutation /
reinterpret_cast), so lack of serialization isn't much in the way of security
In #13 (see here) @pitdicker expresses his reservations about CSPRNGs revealing their internal state easily via serialization. I point out that APIs can't provide memory protection anyway.
Anyone else have an opinion?
My thoughts:
reinterpret_cast), so lack of serialization isn't much in the way of security