
RE: DIGEST-MD5 and {nonce,cnonce} (fwd)



> > > To be blunt: using gettimeofday to get SECURE random numbers is a really
> > > BAD idea! Most operating systems have much better ways to get random numbers
> > > (for example /dev/random). These specifically have been developed with
> > > security in mind, so use them!
> >
> >         Yeah, but I am thinking in terms of portability. Is reading from
> > /dev/random portable enough? AFAIK, linux supports it, but Solaris does
> > not.
> >         Maybe I shouldn't think of portability now, and just use
> > /dev/random.
>
> I hope you think of both! :-) . OpenLDAP is a multi platform effort, so keeping
> things portable is desirable.  Unfortunately there isn't a standard for getting
> secure random numbers.

I personally like generating seek offsets into the swap partition, and
getting bytes from there. I.e., use a PRNG to generate the seek offsets.
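
The trade-off discussed in this thread (a kernel random device versus gettimeofday, and what to do on platforms that lack the device), as an added example that is not part of the original message or of OpenLDAP's code. The function names `read_random` and `make_nonce` are hypothetical, and the `/dev/urandom` path used in `main` is an assumption; the device path is a parameter so a platform without it gets an error back instead of a time-based nonce.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with len bytes from the random device at path; 0 on success, -1 on failure. */
int read_random(const char *path, unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;                     /* device missing on this platform */
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;          /* short reads are normal, keep going */
        else if (n == 0 || errno != EINTR)
            break;                     /* EOF or hard error; EINTR just retries */
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Hex-encode nbytes random bytes into out (needs 2*nbytes+1 chars).
 * Fails closed: there is no fallback to gettimeofday(). */
int make_nonce(const char *path, char *out, size_t outlen, size_t nbytes)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[64];
    if (nbytes == 0 || nbytes > sizeof raw || outlen < 2 * nbytes + 1)
        return -1;                     /* reject sizes that would overflow */
    if (read_random(path, raw, nbytes) != 0)
        return -1;
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return 0;
}

int main(void)
{
    char nonce[33];                    /* 16 random bytes as hex plus NUL */
    if (make_nonce("/dev/urandom", nonce, sizeof nonce, 16) != 0)
        return 1;                      /* no secure source: refuse, do not guess */
    return puts(nonce) == EOF;
}
```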