> Yes, of course, there are special conditions that allow sloppy
> randomness.  If you look at some of the OpenSSL test programs, you
> will see that we seed with static strings.  I was speaking from a more
> general point of view, and perhaps I should not have said something as
> harsh as "Never..." and should have said "If you have reasons to care
> about entropy and security, never...".

Usually I see something like this:

    random = malloc(1024);
    RAND_seed(random, 1024);

Assuming that 'malloc' will create totally random memory (many OSs
will create it all initialized to 0s, and regardless if it had
data before, it's likely not terribly random.)

I just wanted to point out a case where no random data can be good.
Having done that one example, I can't think of an example where you'd
ever want to do it.  IIRC, the OpenSSL PRNG seeds itself as it is used
anyway, so even if you wanted to seed it with constant data for testing
purposes, over time it's going to start giving you different output
anyway.

--
Brian Hatch                  The roll of elder
   Systems and                brother is being
   Security Engineer          more than adequately
http://www.ifokr.org/bri/     performed ... by my elder brother.

Every message PGP signed
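
Added example, not part of the original message or of OpenSSL: a small C check showing how little variety a zero-filled heap buffer, the case the message describes for malloc(), holds as seed material, next to the same measurement on bytes read from /dev/urandom. Using /dev/urandom as the seed source is an assumption (the message names no replacement), and all helper names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#define SEED_LEN 1024

/* Count the distinct byte values in buf. A sanity check, not an entropy
 * estimate: it only catches degenerate seeds such as an all-zero buffer. */
static int distinct_bytes(const unsigned char *buf, size_t len)
{
    unsigned char seen[256] = {0};
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (!seen[buf[i]]) { seen[buf[i]] = 1; n++; }
    return n;
}

/* Fill buf from the kernel CSPRNG (assumes a Unix-like /dev/urandom).
 * Returns 0 on success, -1 if the device is missing or the read is short. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* calloc() models the zero-filled pages many OSs return from malloc(). */
static int zeroed_heap_distinct(void)
{
    unsigned char *p = calloc(1, SEED_LEN);
    if (p == NULL) return -1;
    int n = distinct_bytes(p, SEED_LEN);
    free(p);
    return n;
}

static int urandom_distinct(void)
{
    unsigned char buf[SEED_LEN];
    if (fill_from_urandom(buf, sizeof buf) != 0) return -1;
    return distinct_bytes(buf, sizeof buf);
}

int main(void)
{
    printf("zeroed heap: %d distinct byte values\n", zeroed_heap_distinct());
    printf("/dev/urandom: %d distinct byte values\n", urandom_distinct());
    return 0;
}
```

A buffer that passes this check is not thereby proven random; the count only rejects seed material that is plainly constant.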