Add text about modulo bias (#87)
* Add text about modulo bias

This Hacker News discussion:
https://news.ycombinator.com/item?id=32849145

Pointed out this potential issue. Let's note it.

* Remove extraneous period
* Fix typo
* Fix caps
* Fix italics markup

Signed-off-by: David A. Wheeler <[email protected]>
david-a-wheeler authored Sep 28, 2022
1 parent 104068a commit 2cbafa2
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions secure_software_development_fundamentals.md
Expand Up @@ -4429,6 +4429,29 @@ In summary: Make sure you use a strong, properly-implemented cryptographically s

> In 2006 Debian Linux made a change to its version of the widely-used OpenSSL cryptographic library to attempt to remove a warning. However, the change was made by someone not well-versed in cryptography and unintentionally subverted OpenSSL's random number generator for keys on Debian. There was a brief attempt to communicate with the upstream OpenSSL library developers, but there was no attempt to propose the change back to the OpenSSL project so that the OpenSSL project could verify that the change was harmless. This meant that all keys generated via OpenSSL by Debian, as well as Ubuntu (which is based on Debian), were insecure until the vulnerability was found in 2008. This included OpenSSH keys generated by calling OpenSSL. This vulnerability was given the identifier [CVE-2008-0166](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166). Seven years later, Ben Cox reported that a large number of vulnerable keys created from this mistake were still in use and some had control over important GitHub repositories. These included repositories of Spotify, Yandex, the cryptographic libraries for Python, and Python’s core. (Ben Cox, “[Auditing GitHub users’ SSH key quality](https://blog.benjojo.co.uk/post/auditing-github-users-keys)”, 2015). This example shows how important cryptographically secure random values can be.

If you need a cryptographically random number in a range
(e.g., an integer from 0 to a number N),
do **not** simply use the modulus or remainder operators.
Many programmers incorrectly *think* it's fine to directly use the
modulus or remainder operators (e.g., `%` or `mod` in many languages)
for this purpose.
However, this often causes some numbers to be more likely than others,
a problem called *modulo bias*.
Modulo bias can sometimes lead to system exploitation.
(Yolan Romailler,
[*The definitive guide to “Modulo Bias and how to avoid it”!*](https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/))

If you need a cryptographically random number in a range, don't use modulus
or remainder operators directly - instead, use an existing
function that provides *unbiased* cryptographically random numbers in a range.
Most CSPRNG libraries provide this function - just check that it's unbiased.
If you must implement this yourself, there are various methods such
as rejection sampling,
[nearly-divisionless random numbers per Daniel Lemire's algorithm](https://dotat.at/@/2020-10-29-nearly-divisionless-random-numbers.html), or
[divisionless random numbers per Steve Cannon and Kendall Willets](https://dotat.at/@/2022-04-20-really-divisionless.html).
However, you should normally just use the CSPRNG library function
that provides this function.

### Quiz 3.4

\>\>Select the true statement(s):<<
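Review bot: the range in the opening sentence of the new text, "an integer from 0 to a number N", leaves it unclear whether N itself is a possible result, and the bias being described depends on exactly which values are in the range; state the bound explicitly (for example "0 to N-1 inclusive" or "0 <= x < N", whichever is intended). The second paragraph also restates the first ("If you need a cryptographically random number in a range, don't use modulus or remainder operators directly" repeats "do **not** simply use the modulus or remainder operators"); consider folding the two into one paragraph so the advice is given once and the list of alternative methods (rejection sampling, the nearly-divisionless and divisionless approaches) follows it directly, and use the same form ("do not" versus "don't") as the surrounding text.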
Expand Down Expand Up @@ -5956,6 +5979,8 @@ Reproducible Builds project, “Definitions”, (<https://reproducible-builds.or

Rogers, Tony, *Falsehoods Programmers Believe About Names - With Examples*, 2018 ([https://shinesolutions.com/2018/01/08/falsehoods-programmers-believe-about-names-with-examples/](https://shinesolutions.com/2018/01/08/falsehoods-programmers-believe-about-names-with-examples/))

Romailler, Yolan, *The definitive guide to “Modulo Bias and how to avoid it”!* (<https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/>)

Royce, Winston W., *Managing the Development of Large Systems: Concepts and Techniques*, 1970 ([https://dl.acm.org/doi/10.5555/41765.41801](https://dl.acm.org/doi/10.5555/41765.41801))

Rust Programming Language, *Recoverable Errors with Result* ([https://doc.rust-lang.org/book/ch09-02-recoverable-errors-with-result.html](https://doc.rust-lang.org/book/ch09-02-recoverable-errors-with-result.html))
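Review bot: the new Romailler entry is missing a year while the neighbouring entries (Rogers, 2018; Royce, 1970) carry one; the URL shows the post is from 2020, so add ", 2020" for consistency. Also, the text added in the other hunk of this commit introduces two more links, the dotat.at posts on nearly-divisionless and divisionless random numbers, that get no entry in this reference list; either add matching entries here or keep the in-text links as the only citation consistently.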
