> Linux should have /dev/urandom and Windows should have CryptGenRandom

Is CryptGenRandom suitable? I haven't heard anyone authoritatively say
"yes, it's as good as the Linux /dev/urandom" anywhere.

> You can take anything that is unpredictable and use it. What's the exact
> time, to the highest accuracy you can get it, that your program started
> running? Exactly how many bytes of memory are free? How many processes are
> running? If you receive a packet over the network, at exactly what time did
> you get it? For some of these, it'd be better to use the lower bits.

The exact time now is 1056058284. Exactly a week from now it'll be
1056663084. That's only 604800 seconds later, which is about 2.5 bytes
of entropy, even though the time itself is 4 bytes. And if your clock is
in sync with timeservers, it's pretty easy to guess anyway.

> Sources of randomness are available all around your program, you just need
> to mine them.

And distrust them appropriately. (I.e., give them an estimated 'bytes of
entropy' value that's much lower than their actual byte count.)

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

Don't ask a barber if you need a haircut.

Every message PGP signed
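
The entropy-crediting idea from the message above, as an added example that is not part of the original post: a hash-based pool that credits each sample far less than its byte count and refuses to produce a seed until enough bits are credited. The class and function names, the 128-bit threshold, the per-source credits other than the one-week clock window, and crediting the OS generator at full width are assumptions of this example.

```python
import hashlib
import math
import os
import struct
import time


def window_entropy_bits(possibilities: int) -> float:
    """Upper bound, in bits, for a value an observer can narrow to `possibilities` candidates."""
    return math.log2(possibilities) if possibilities > 1 else 0.0


class CreditedPool:
    """SHA-256 mixing pool that tracks a conservative entropy credit per sample."""

    def __init__(self, required_bits: float = 128.0):
        self._hash = hashlib.sha256()
        self.required_bits = required_bits
        self.credited_bits = 0.0

    def add(self, sample: bytes, credit_bits: float) -> None:
        # A sample can never be worth more than its own length in bits.
        credit = max(0.0, min(credit_bits, 8.0 * len(sample)))
        # Length prefix keeps sample boundaries unambiguous inside the hash.
        self._hash.update(struct.pack(">I", len(sample)) + sample)
        self.credited_bits += credit

    def seed(self) -> bytes:
        if self.credited_bits < self.required_bits:
            raise RuntimeError(
                f"{self.credited_bits:.1f} of {self.required_bits:.0f} bits credited")
        return self._hash.copy().digest()


def demo() -> CreditedPool:
    pool = CreditedPool()
    # 4-byte clock value; credit the one-week window from the message (604800 s), not 32 bits.
    pool.add(struct.pack(">I", int(time.time()) & 0xFFFFFFFF), window_entropy_bits(604800))
    # Low byte of a high-resolution timer; 1 bit is a constructed, deliberately low credit.
    pool.add(bytes([time.perf_counter_ns() & 0xFF]), 1.0)
    # Process id; credited 0 because local observers can read it.
    pool.add(struct.pack(">I", os.getpid() & 0xFFFFFFFF), 0.0)
    return pool


if __name__ == "__main__":
    pool = demo()
    print(f"weak sources credited: {pool.credited_bits:.1f} bits")
    # Assumption of this example: the OS generator is credited at full width.
    pool.add(os.urandom(16), 128.0)
    print("seed:", pool.seed().hex())
```

The three weak samples occupy 9 bytes but are credited about 20 bits, so seed() raises until a stronger source is mixed in.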