> > Linux should have /dev/urandom and Windows should have CryptGenRandom
> Is CryptGenRandom suitable? I haven't heard anyone authoritatively
> say "yes, it's as good as the Linux /dev/urandom" anywhere.

It is supposedly suitable, that is, Microsoft claims it is.

> > You can take anything that is unpredictable and use it.
> > What's the exact time, to the highest accuracy you can get it,
> > that your program started running? Exactly how many bytes of
> > memory are free? How many processes are running? If you receive
> > a packet over the network, at exactly what time did you get it?

> For some of these, it'd be better to use the lower bits. The exact time
> now is 1056058284. Exactly a week from now it'll be 1056663084. That's
> only 604800 seconds later, which is about 2.5 bytes of entropy, even
> though the time itself is 4 bytes. And if your clock is in sync with
> timeservers, it's pretty easy to guess anyway.

I'm talking about the time "to the highest accuracy you can get it". For x86's, that means the TSC.

> > Sources of randomness are available all around your program, you
> > just need to mine them.

> And distrust them appropriately. (IE give them an estimated 'bytes
> of entropy' value that's much lower than their actual byte count.)

Yeah.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
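The entropy accounting discussed in this thread, as an added example that is not part of the original message or of OpenSSL: a sample is worth the log2 of the number of values an attacker cannot rule out, not its byte count, and only a fraction of that estimate is credited. The function names, the 25% de-rating, the 128-bit target and the cycle-counter window are assumptions made for illustration, and the two sources are treated as independent.

```c
#include <stdint.h>
#include <stdio.h>

/* floor(log2(n)): whole bits needed to enumerate n equally likely values. */
unsigned floor_log2(uint64_t n)
{
    unsigned bits = 0;
    while (n >>= 1)
        bits++;
    return bits;
}

/* Entropy of one sample, in bits: log2 of the number of values an attacker
 * cannot rule out (uncertainty window / resolution), capped at sample size. */
unsigned sample_entropy_bits(uint64_t window, uint64_t resolution,
                             unsigned sample_bytes)
{
    if (resolution == 0 || window < resolution)
        return 0;
    unsigned bits = floor_log2(window / resolution);
    unsigned cap = sample_bytes * 8;
    return bits < cap ? bits : cap;
}

/* Running total of credited entropy; seeded once it reaches target_bits. */
struct pool { unsigned credited_bits, target_bits; };

/* Credit only derate_pct percent of the estimate ("distrust appropriately").
 * Returns 1 once the pool has reached its target. */
int pool_credit(struct pool *p, unsigned est_bits, unsigned derate_pct)
{
    p->credited_bits += est_bits * derate_pct / 100;
    return p->credited_bits >= p->target_bits;
}

int main(void)
{
    struct pool p = { 0, 128 };                            /* assumed target */
    unsigned week = sample_entropy_bits(604800, 1, 4);     /* the thread's case */
    unsigned ntp  = sample_entropy_bits(2, 1, 4);          /* clock known to ~2 s */
    unsigned tsc  = sample_entropy_bits(1000000000, 1, 8); /* constructed window */
    printf("time_t, one-week window: %u bits\n", week);
    printf("time_t, synced clock:    %u bits\n", ntp);
    printf("cycle counter:           %u bits\n", tsc);
    pool_credit(&p, week, 25);
    int seeded = pool_credit(&p, tsc, 25);
    printf("seeded: %d (%u of %u bits)\n", seeded, p.credited_bits, p.target_bits);
    return 0;
}
```

With OpenSSL, the credited figure converted to bytes is the kind of value passed as the `randomness` argument of `RAND_add`.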