On Fri, Jun 09, 2000 at 11:23:58PM -0700, Andrey A. Chernov wrote:
> On Fri, Jun 09, 2000 at 07:37:09PM -0400, Jeroen C. van Gelderen wrote:
> > > Why XOR true random bits from arc4random() with non-random bits from
> > > getpid()? It only weakens. A better way is just to remove any getpid() code and
> > > leave arc4random() only.
> > 
> > Then you will get collisions which you will have to deal with. I am not
> > familiar with the code but if we can handle collisions nicely then that 
> > would be the way to go: 64^6 = 2^36 possibilities which is nice...
> 
> 1) Just totally the opposite: mixing random with non-random sources you'll get 
> into collision much faster than with a random source only.  

To clarify this: I mean the getpid() ^ arc4random() suggestion only. The current 
variant is more complex because part of the name is getpid() to avoid collisions 
and part is random. But avoiding collisions in this way is less secure because 
it is more predictable for an attacker.

-- 
Andrey A. Chernov
<[EMAIL PROTECTED]>
http://ache.pp.ru/
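
To put numbers on the two naming schemes argued about in this thread, here is an added Python model; it is not the FreeBSD mktemp code under discussion. The 64-symbol alphabet, the 6-character suffix and the split into pid-derived and random characters are assumptions made for illustration.

```python
import math
import secrets

# Constructed 64-symbol alphabet, matching the "64^6 = 2^36" count above.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"
SUFFIX_LEN = 6
assert len(ALPHABET) == 64


def random_suffix():
    """Scheme A: every character comes from a CSPRNG (stand-in for arc4random())."""
    return "".join(ALPHABET[secrets.randbelow(64)] for _ in range(SUFFIX_LEN))


def pid_suffix(pid, pid_chars):
    """Scheme B (assumed model of the 'current variant'): the first pid_chars
    characters encode the pid in base 64, the remaining ones are random.
    Distinct live pids therefore never collide, but the head is guessable."""
    head = ""
    for _ in range(pid_chars):
        head = ALPHABET[pid % 64] + head
        pid //= 64
    tail = "".join(ALPHABET[secrets.randbelow(64)]
                   for _ in range(SUFFIX_LEN - pid_chars))
    return head + tail


def unpredictable_bits(pid_chars):
    """Entropy left in the name for someone who already knows the pid."""
    return 6 * (SUFFIX_LEN - pid_chars)


def expected_names_before_collision(bits):
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) names before a repeat is expected."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for k in (0, 3):
        print(f"pid chars={k}: {unpredictable_bits(k)} unpredictable bits, "
              f"example {pid_suffix(4096, k)}")
    print(f"all-random: ~{expected_names_before_collision(36):.0f} names "
          f"before an expected collision")
```

With three of six characters taken from the pid, the name keeps only 18 bits an observer cannot guess, against 36 bits for the all-random form, which is the predictability trade-off Andrey describes.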

