Dave Townsend wrote:
> I'm writing code that generates a cryptographic key pair. I have
> basically followed the implementation in certutil which gathers some
> random data from the keyboard and passes it to PK11_RandomUpdate.
> However a few people are suggesting that NSS uses fairly good sources of
> random data anyway and that providing it with extra random data is
> somewhat redundant.

With entropy seeding, the more the merrier. You can't really have too much. Feeding in lots of low entropy data doesn't hurt (doesn't reduce entropy). I don't know what your program is or what platform it runs on, but on Linux you could always just get more from /dev/urandom.

> So the question is can I just avoid the extra work of passing some
> random data to NSS before I generate the key?

It's been a long time since someone asked this question. I think our standard answer, long ago, was that NSS's built-in entropy seeding, which happens only once on startup, is OK for low value temporal keys, but for high value long-lived keys, we recommend getting more entropy. IIRC, the browser feeds more entropy from mouse and/or keyboard events as it goes along, or it once did so.

> Dave

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
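
The approach suggested in the reply above (pull extra seed bytes from /dev/urandom and hand them to PK11_RandomUpdate before generating a long-lived key), as an added example; it is not code from this thread or from NSS. The names read_urandom and add_entropy_before_keygen and the USE_NSS build macro are assumptions made for illustration; without -DUSE_NSS only the read path is compiled.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#ifdef USE_NSS            /* assumed build flag: compile against the NSS headers */
#include <pk11pub.h>      /* PK11_RandomUpdate */
#endif

/* Read exactly len bytes from /dev/urandom. Returns 0 on success, -1 on failure. */
int read_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;          /* short read: keep going */
        else if (n < 0 && errno == EINTR)
            continue;                  /* interrupted by a signal: retry */
        else
            break;                     /* EOF or a real error */
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Hypothetical helper: call after NSS is initialised and before key
 * generation. Fails closed if the seed bytes could not be read in full. */
int add_entropy_before_keygen(size_t nbytes)
{
    unsigned char seed[64];
    if (nbytes > sizeof seed)
        nbytes = sizeof seed;
    if (read_urandom(seed, nbytes) != 0)
        return -1;
#ifdef USE_NSS
    /* Mixes the bytes into NSS's RNG state in addition to its startup seeding. */
    if (PK11_RandomUpdate(seed, nbytes) != SECSuccess)
        return -1;
#endif
    return 0;
}
```
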