Add entropy accumulator before ISAAC, see #16

Author: dcodeIO

dist/README.md

@@ -23,6 +23,11 @@ The Web Crypto API is fairly new and not supported by all / older browsers. For
 includes [isaac.js](https://github.com/rubycon/isaac.js), a JavaScript implementation of the ISAAC PRNG, which is used
 as the default random fallback if neither node's crypto module nor the Web Crypto API is available.
 
+**Please note:** Seeding is performed using an [entropy accumulator](https://github.com/dcodeIO/bcrypt.js/blob/master/src/bcrypt/prng/accum.js)
+using multiple sources of randomness like mouse and touch movement, page load time, general timings and mixing in
+Math.random occasionally. Please consider taking a look at the accumulator to understand how it works for optimal
+results.
+
 * **[bcrypt-isaac.js](https://github.com/dcodeIO/bcrypt.js/blob/master/dist/bcrypt-isaac.js)**
   contains the commented source code.
 

dist/bcrypt-isaac.js

@@ -40,6 +40,13 @@
      */
     var bcrypt = {};
 
+    /**
+     * The random implementation to use as a fallback.
+     * @type {?function(number):!Array.<number>}
+     * @inner
+     */
+    var randomFallback = null;
+
     /**
      * Generates cryptographically secure random bytes.
      * @function
@@ -62,20 +69,23 @@
         return randomFallback(len);
     }
 
-    /**
-     * The random implementation to use as a fallback.
-     * @type {?function(number):!Array.<number>}
-     * @inner
-     */
-    var randomFallback = function(len) {
+    // Test if any secure randomness source is available
+    var randomAvailable = false;
+    try {
+        random(1);
+        randomAvailable = true;
+    } catch (e) {}
+
+    // Default fallback, if any
+    randomFallback = function(len) {
         for (var a=[], i=0; i<len; ++i)
             a[i] = ((0.5 + isaac() * 2.3283064365386963e-10) * 256) | 0;
         return a;
     };
 
     /**
-     * Sets the random number generator to use as a fallback if neither node's `crypto` module nor the Web Crypto API
-     *  is available.
+     * Sets the pseudo random number generator to use as a fallback if neither node's `crypto` module nor the Web Crypto
+     *  API is available. Please note: It is highly important that this PRNG is cryptographically secure!
      * @param {?function(number):!Array.<number>} random Function taking the number of bytes to generate as its
      *  sole argument, returning the corresponding array of cryptographically secure random byte values.
      * @see http://nodejs.org/api/crypto.html
@@ -1162,6 +1172,144 @@
         }
     }
 
+    /* basic entropy accumulator */
+    var accum = (function() {
+
+        var pool,    // randomness pool
+            time,    // start timestamp
+            last;    // last step timestamp
+
+        /* initialize with default pool */
+        function init() {
+            pool = [];
+            time = new Date().getTime();
+            last = time;
+            // use Math.random
+            pool.push((Math.random() * 0xffffffff)|0);
+            // use current time
+            pool.push(time|0);
+        }
+
+        /* perform one step */
+        function step() {
+            if (!to)
+                return;
+            if (pool.length >= 255) { // stop at 255 values (1 more is added on fetch)
+                stop();
+                return;
+            }
+            var now = new Date().getTime();
+            // use actual time difference
+            pool.push(now-last);
+            // always compute, occasionally use Math.random
+            var rnd = (Math.random() * 0xffffffff)|0;
+            if (now % 2)
+                pool[pool.length-1] += rnd;
+            last = now;
+            to = setTimeout(step, 100+Math.random()*512); // use hypothetical time difference
+        }
+
+        var to = null;
+
+        /* starts accumulating */
+        function start() {
+            if (to) return;
+            to = setTimeout(step, 100+Math.random()*512);
+            if (console.log)
+                console.log("bcrypt-isaac: collecting entropy...");
+            // install collectors
+            if (typeof window !== 'undefined' && window && window.addEventListener)
+                window.addEventListener("load", loadCollector, false),
+                window.addEventListener("mousemove", mouseCollector, false),
+                window.addEventListener("touchmove", touchCollector, false);
+            else if (typeof document !== 'undefined' && document && document.attachEvent)
+                document.attachEvent("onload", loadCollector),
+                document.attachEvent("onmousemove", mouseCollector);
+        }
+
+        /* stops accumulating */
+        function stop() {
+            if (!to) return;
+            clearTimeout(to); to = null;
+            // uninstall collectors
+            if (typeof window !== 'undefined' && window && window.removeEventListener)
+                window.removeEventListener("load", loadCollector, false),
+                window.removeEventListener("mousemove", mouseCollector, false),
+                window.removeEventListener("touchmove", touchCollector, false);
+            else if (typeof document !== 'undefined' && document && document.detachEvent)
+                document.detachEvent("onload", loadCollector),
+                document.detachEvent("onmousemove", mouseCollector);
+        }
+
+        /* fetches the randomness pool */
+        function fetch() {
+            // add overall time difference
+            pool.push((new Date().getTime()-time)|0);
+            var res = pool;
+            init();
+            if (console.log)
+                console.log("bcrypt-isaac: using "+res.length+"/256 samples of entropy");
+            console.log(res);
+            return res;
+        }
+
+        /* adds the current time to the top of the pool */
+        function addTime() {
+            pool[pool.length-1] += new Date().getTime() - time;
+        }
+
+        /* page load collector */
+        function loadCollector() {
+            if (!to || pool.length >= 255)
+                return;
+            pool.push(0);
+            addTime();
+        }
+
+        /* mouse events collector */
+        function mouseCollector(ev) {
+            if (!to || pool.length >= 255)
+                return;
+            try {
+                var x = ev.x || ev.clientX || ev.offsetX || 0,
+                    y = ev.y || ev.clientY || ev.offsetY || 0;
+                if (x != 0 || y != 0)
+                    pool[pool.length-1] += ((x-mouseCollector.last[0]) ^ (y-mouseCollector.last[1])),
+                    addTime(),
+                    mouseCollector.last = [x,y];
+            } catch (e) {}
+        }
+        mouseCollector.last = [0,0];
+
+        /* touch events collector */
+        function touchCollector(ev) {
+            if (!to || pool.length >= 255)
+                return;
+            try {
+                var touch = ev.touches[0] || ev.changedTouches[0];
+                var x = touch.pageX || touch.clientX || 0,
+                    y = touch.pageY || touch.clientY || 0;
+                if (x != 0 || y != 0)
+                    pool[pool.length-1] += (x-touchCollector.last[0]) ^ (y-touchCollector.last[1]),
+                    addTime(),
+                    touchCollector.last = [x,y];
+            } catch (e) {}
+        }
+        touchCollector.last = [0,0];
+
+        init();
+        return {
+            "start": start,
+            "stop": stop,
+            "fetch": fetch
+        }
+
+    })();
+
+    // Start accumulating
+    if (!randomAvailable)
+        accum.start();
+
     /*
      isaac.js Copyright (c) 2012 Yves-Marie K. Rinquin
 
@@ -1194,9 +1342,9 @@
             brs = 0,        // last result
             cnt = 0,        // counter
             r = Array(256), // result array
-            gnt = 0;        // generation counter
+            gnt = 0,        // generation counter
+            isd = false;    // initially seeded
 
-        seed(Math.random() * 0xffffffff);
 
         /* 32-bit integer safe adder */
         function add(x, y) {
@@ -1293,6 +1441,10 @@
 
         /* return a random number between */
         return function() {
+            if (!isd) // seed from accumulator
+                isd = true,
+                accum.stop(),
+                seed(accum.fetch());
             if (!gnt--)
                 prng(), gnt = 255;
             return r[gnt];