tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bojan Smojver <bo...@binarix.com>
Subject Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/session SessionIdGenerator.java
Date Sun, 15 Apr 2001 10:33:47 GMT
Doug Barnes wrote:

> The answer to these arguments are: use /dev/urandom, not
> /dev/random. It's going to do as good or better than anything
> you're going to seed with /dev/random, and IT WILL NOT BLOCK.
> 
> I may be wrong (I'm just starting to poke around in related
> code) but it doesn't look like the time and the session counter
> values you're appending to create the SessionID have any
> subsequent meaning. If you're looking for more entropy, I'd
> ditch the time and use another long's worth of /dev/urandom.

I'm aware of /dev/urandom being non-blocking, but my understanding of
/dev/urandom is that it is not cryptographicaly secure. From the Linux
random manual page (man 4 random):

--------------------------------
When read, /dev/urandom device will return as  many  bytes
as are requested.  As a result, if there is not sufficient
entropy in the entropy pool, the returned values are theo­
retically  vulnerable  to  a  cryptographic  attack on the
algorithms used by the driver.
--------------------------------

Any thoughts on that?

Bojan

Mime
View raw message