
Re: DIGEST-MD5 and {nonce,cnonce}



At 01:37 PM 10/25/99 -0500, Ed Carp wrote:
>> > > > To be blunt: using gettimeofday to get SECURE random numbers is a really
>> > > > BAD idea! Most operating systems have much better ways to get random numbers
>> > > > (for example /dev/random). These specifically have been developed with
>> > > > security in mind, so use them!
>> > >
>> > >         Yeah, but I am thinking in terms of portability. Is reading from
>> > > /dev/random portable enough? AFAIK, linux supports it, but Solaris does
>> > > not.
>> > >         Maybe I shouldn't think of portability now, and just use
>> > > /dev/random.
>
>Most UNIX implementations implement rand() and friends.  Even Solaris ;)


Rand(3) provides a sequence of pseudo-random numbers.  The
amount of entropy in these numbers cannot be greater than
the seed used to determine the sequence.

It is not appropriate to use rand(3) to obtain bits of
entropy.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
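The point Kurt makes above, shown as an added C example (this is not code from the thread or from any project discussed in it): a nonce built from rand(3) is a pure function of the seed passed to srand(3), so a 128-bit nonce filled this way carries at most as many bits of entropy as that seed, whereas bytes read from the kernel entropy device are not reproducible from any application-side value. The function names, the 16-byte nonce length and the use of /dev/urandom (rather than the /dev/random the thread names) are this example's own choices; the device-reading routine handles short reads and reports failure instead of silently degrading.

```c
/* Added example: rand(3)-derived nonce versus kernel-entropy nonce.
 * Names and the device path are the example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define NONCE_LEN 16   /* 128-bit nonce, hex-encoded for a challenge */

/* rand(3)-based nonce: every output byte is determined by the 32-bit
 * seed, so two calls with the same seed yield the same "random" nonce.
 * This is the construction the thread warns against. */
void nonce_from_rand(unsigned seed, unsigned char out[NONCE_LEN])
{
    srand(seed);
    for (int i = 0; i < NONCE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Fill the nonce from the kernel entropy device at `path`.
 * Returns 0 on success, -1 on failure (errno set).  Short reads are
 * looped over; any failure is reported to the caller, which should
 * abort the exchange rather than fall back to rand(3). */
int nonce_from_device(const char *path, unsigned char out[NONCE_LEN])
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t got = 0;
    while (got < NONCE_LEN) {
        size_t n = fread(out + got, 1, NONCE_LEN - got, f);
        if (n == 0) {          /* EOF or error: device is unusable */
            int saved = errno ? errno : EIO;
            fclose(f);
            errno = saved;
            return -1;
        }
        got += n;
    }
    fclose(f);
    return 0;
}

/* Hex-encode the nonce so it can be placed in a DIGEST-MD5 challenge.
 * `out` must hold 2*NONCE_LEN + 1 bytes. */
void nonce_to_hex(const unsigned char in[NONCE_LEN], char out[2 * NONCE_LEN + 1])
{
    static const char digits[] = "0123456789abcdef";
    for (int i = 0; i < NONCE_LEN; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * NONCE_LEN] = '\0';
}

int main(void)
{
    unsigned char a[NONCE_LEN], b[NONCE_LEN];
    char hex[2 * NONCE_LEN + 1];

    /* Same seed, same nonce: the entropy is bounded by the seed. */
    nonce_from_rand(1234567u, a);
    nonce_from_rand(1234567u, b);
    nonce_to_hex(a, hex);
    printf("rand(3) nonce, seed 1234567: %s (%s)\n", hex,
           memcmp(a, b, NONCE_LEN) == 0 ? "reproducible" : "differs");

    /* Kernel entropy: no seed to guess, and successive reads differ. */
    if (nonce_from_device("/dev/urandom", a) != 0 ||
        nonce_from_device("/dev/urandom", b) != 0) {
        perror("reading entropy device");
        return 1;
    }
    nonce_to_hex(a, hex);
    printf("device nonce #1: %s\n", hex);
    nonce_to_hex(b, hex);
    printf("device nonce #2: %s (%s)\n", hex,
           memcmp(a, b, NONCE_LEN) == 0 ? "reproducible" : "differs");
    return 0;
}
```

Running it prints an identical rand(3) nonce for the two calls with the same seed and two distinct nonces from the device; the practical consequence is that a nonce generator should treat a failure to read the entropy device as an error, never as a cue to fall back to rand(3).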