Doug Barnes wrote:

> The answer to these arguments is: use /dev/urandom, not
> /dev/random. It's going to do as good or better than anything
> you're going to seed with /dev/random, and IT WILL NOT BLOCK.
> 
> I may be wrong (I'm just starting to poke around in related
> code) but it doesn't look like the time and the session counter
> values you're appending to create the SessionID have any
> subsequent meaning. If you're looking for more entropy, I'd
> ditch the time and use another long's worth of /dev/urandom.

I'm aware of /dev/urandom being non-blocking, but my understanding of
/dev/urandom is that it is not cryptographically secure. From the Linux
random manual page (man 4 random):

--------------------------------
When read, /dev/urandom device will return as many bytes
as are requested. As a result, if there is not sufficient
entropy in the entropy pool, the returned values are
theoretically vulnerable to a cryptographic attack on the
algorithms used by the driver.
--------------------------------

Any thoughts on that?

Bojan
