[JDEV] Still another patch ... (seed the rand() function)

Joe Hildebrand JHildebrand at jabber.com
Mon Oct 13 18:36:37 CDT 2003

You just want it to be difficult for the attacker to predict when the same
id is going to come around again.  If they are *really* unique, this will
never be a problem.

Joe Hildebrand


> -----Original Message-----
> From: Matthias Wimmer [mailto:m at tthias.net] 
> Sent: Monday, October 13, 2003 5:01 PM
> To: jdev at jabber.org
> Subject: Re: [JDEV] Still another patch ... (seed the rand() function)
> Hi!
> Matthias Wimmer schrieb am 2003-10-13 23:00:18:
> > But as I said: you're right. The hole thing with rand() is not the 
> > best solution. Maybe it would be a good idea to use the RAND_*() 
> > functions of openssl if compiled with SSL support.
> The attached patch would use RAND_pseudo_bytes() to get 
> pseudo random bytes seeded from /dev/urandom. Using 
> cryptographically strong bytes (the function RAND_bytes()) 
> shouldn't be needed here and most of the time you get them 
> with this call too.
> But is it needed? I don't see any benefit for an attacker to 
> predict the challenge - it just has to be unique.
> Tot kijk
>     Matthias
> --
> For kibibytes see:
> http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm

More information about the JDev mailing list