Support is provided on a best-effort bases only. No binding guarantees can be provided.
Rand provides the trait rand_core::CryptoRng aka rand::CryptoRng as a marker trait. Generators implementating RngCore and CryptoRng, and given the additional constraints that:
SeedableRng) are constructed with cryptographically secure seed valuesare expected to provide the following:
For some RNGs, notably OsRng, ThreadRng and those wrapped by ReseedingRng, we provide limited mitigations against side-channel attacks:
Additionally, derivations from such an RNG (including the Rng trait, implementations of the Distribution trait, and seq algorithms) should not introduce significant bias other than that expected from the operation in question (e.g. bias from a weighted distribution).
We will attempt to uphold these premises in the following crate versions, provided that only the latest patch version is used, and with potential exceptions for theoretical issues without a known exploit:
| Crate | Versions | Exceptions |
|---|---|---|
rand | 0.7 | |
rand | 0.5, 0.6 | Jitter |
rand | 0.4 | Jitter, ISAAC |
rand_core | 0.2 - 0.5 | |
rand_chacha | 0.1 - 0.2 | |
rand_hc | 0.1 - 0.2 |
Explanation of exceptions:
JitterRng is used as an entropy source when the primary source fails; this source may not be secure against side-channel attacks, see #699.thread_rng is difficult to analyse and thus cannot provide strong assertions of security.In rand version 0.3 (0.3.18 and later), if OsRng fails, thread_rng is seeded from the system time in an insecure manner.
To report a vulnerability, open a new issue. Once the issue is resolved, the vulnerability should be reported to RustSec.