"Salz, Rich" wrote:
> 
> >Can somebody tell me if this method of seeding the RNG secure enough?
> 
> It's not.  Not by a LONG shot.
> 
> If an adversary can figure out what random data you started with, then s/he
> could duplicate all your important functions -- session keys, keygen, etc.
> 
> In particular, the value of rand() depends only on the previous
> values of rand().  The first value of rand() depends on what you passed into
> srand().  So, all you are basically doing is seeding the random number
> generator with the current time.  Hardly random, hardly secure.
> 
> On Win32, there's a function to load the PRNG from the screenbuffer.

Yes, there is RAND_screen and RAND_event and I have tried those out,
but what if the application ran on an embedded Win32 box? On Win32 there's
no random device, and on embedded systems no mouse or keyboard. Is there a
freely available source of a good random seed?

Thanks,
Amit.
> 
> >additional seed in the form of PID, thread ID, system time, and
> >other private data.
> 
> Of the items you listed, all of them could be easily guessed. :)
>         /r$
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
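As an added illustration of the point made in this exchange (example code, not from the thread or from OpenSSL): the first function reproduces the srand()/rand() pattern under discussion and shows that its output is fixed entirely by the seed; the second counts how few bits an adversary must search when the seed is assembled from a clock reading, a PID and a thread id; the third reads a seed from a kernel entropy device where one exists (the thread notes Win32 has none). Function names, the 16-byte buffer and the /dev/urandom path are this example's own assumptions.

```c
/* Added example, not from the thread: why a seed built from the clock,
 * PID and thread id is guessable, beside a seed from the OS entropy pool. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern under discussion: srand() on a clock value, then rand()
 * output used as key material. Every byte depends only on the seed t. */
static void weak_seed_bytes(unsigned t, unsigned char *out, size_t n) {
    srand(t);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Returns 1 when two runs from the same seed give identical bytes:
 * whoever can guess t can regenerate the "random" key material. */
int same_seed_same_bytes(unsigned t) {
    unsigned char a[16], b[16];
    weak_seed_bytes(t, a, sizeof a);
    weak_seed_bytes(t, b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Bits of uncertainty (floor of log2) left when the seed combines a clock
 * known to within window_s seconds, a PID from pid_range values and a thread
 * id from tid_range values. Independent pieces multiply, so their bits add. */
unsigned guessable_seed_bits(unsigned long long window_s,
                             unsigned long long pid_range,
                             unsigned long long tid_range) {
    unsigned long long candidates = window_s * pid_range * tid_range;
    unsigned bits = 0;
    while (candidates > 1) { candidates >>= 1; bits++; }
    return bits;
}

/* Hardened form on a host with a kernel entropy device (assumed path).
 * Returns 1 if 32 bytes were read, 0 if the device is unavailable. */
int os_seed_ok(void) {
    unsigned char buf[32];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return got == sizeof buf;
}

int main(void) {
    printf("same seed, same bytes: %d\n", same_seed_same_bytes(946684800u));
    printf("bits to search (1-day window, 65536 pids, 65536 tids): %u\n",
           guessable_seed_bits(86400, 65536, 65536));
    return 0;
}
```

Even the generous 1-day window with full 16-bit PID and thread-id ranges leaves about 48 bits to search, far short of the 128 bits a session key is expected to carry.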