[JDEV] Still another patch ... (seed the rand() function)
Joe Hildebrand
JHildebrand at jabber.com
Mon Oct 13 18:36:37 CDT 2003
You just want it to be difficult for the attacker to predict when the same
id is going to come around again. If they are *really* unique, this will
never be a problem.
--
Joe Hildebrand
> -----Original Message-----
> From: Matthias Wimmer [mailto:m at tthias.net]
> Sent: Monday, October 13, 2003 5:01 PM
> To: jdev at jabber.org
> Subject: Re: [JDEV] Still another patch ... (seed the rand() function)
>
> Hi!
>
> Matthias Wimmer wrote on 2003-10-13 23:00:18:
> > But as I said: you're right. The whole thing with rand() is not the
> > best solution. Maybe it would be a good idea to use the RAND_*()
> > functions of openssl if compiled with SSL support.
>
> The attached patch would use RAND_pseudo_bytes() to get
> pseudo random bytes seeded from /dev/urandom. Using
> cryptographically strong bytes (the function RAND_bytes())
> shouldn't be needed here and most of the time you get them
> with this call too.
>
> But is it needed? I don't see any benefit for an attacker to
> predict the challenge - it just has to be unique.
>
>
> See you
> Matthias
>
> --
> For kibibytes see:
> http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm
>
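Added example, not part of the thread or of the attached patch: a C sketch contrasting a challenge taken from a seeded rand() with one filled from the kernel random source. It reads /dev/urandom directly instead of calling the OpenSSL RAND_*() functions discussed above; the function names, the 16-byte length and the sample seed are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHALLENGE_BYTES 16  /* assumed length, not taken from the patch */

/* Weak form: the whole output is a function of the seed, so anyone who can
 * guess the seed (for example a start time) can reproduce the challenge. */
unsigned int weak_challenge(unsigned int seed)
{
    srand(seed);
    return (unsigned int)rand();
}

/* Stronger form: fill the challenge from the kernel CSPRNG and hex-encode it.
 * out must hold 2 * CHALLENGE_BYTES + 1 chars. Returns 0 on success, -1 on
 * failure; the caller must not fall back to rand() on failure. */
int strong_challenge(char *out, size_t outlen)
{
    unsigned char buf[CHALLENGE_BYTES];
    size_t i;
    FILE *f;

    if (outlen < 2 * CHALLENGE_BYTES + 1)
        return -1;
    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    if (fread(buf, 1, sizeof buf, f) != sizeof buf) {
        fclose(f);
        return -1;
    }
    fclose(f);
    for (i = 0; i < sizeof buf; i++)
        sprintf(out + 2 * i, "%02x", buf[i]);
    return 0;
}

int main(void)
{
    char a[2 * CHALLENGE_BYTES + 1], b[2 * CHALLENGE_BYTES + 1];
    unsigned int seed = 1066088197u; /* constructed sample seed */

    printf("rand() seed %u twice: %u %u\n", seed,
           weak_challenge(seed), weak_challenge(seed));
    if (strong_challenge(a, sizeof a) || strong_challenge(b, sizeof b))
        return 1;
    printf("urandom: %s %s\n", a, b);
    return 0;
}
```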