Hi,
>> About random numbers generation, see that (still open) discussion and
>> suggestions...:
>> https://www.mail-archive.com/[email protected]/msg36812.html
>
> But that's only relevant for standard windows desktop and neither for
> WCE nor for windows phone, isn't it? At least it seems to happen inside
> the !defined(OPENSSL_SYS_WINCE) block.
sure...but I suggested various ways to have something better than nothing....
Ah, sorry, I made the mistake to only look at the referenced posting itself,
not at the replies it got...
> the w32 code could work for wce with limited adaptation, but with very
> limited entropy due to the quasi constant state of the screen on phones.
> every suggestion is welcome...
Right, with the screen typically showing a single app on the Phone, you
probably would tend to always get the "same" random numbers from the
same application. And I think trying to access camera, speakers or
microphone to get "random noise" might be problematic, too - what
happens, if those happen to be in use, currently - can you access them
"in parallel"? And is there an API to access them at all?
Personally, I think, asking the system itself for random numbers
- assuming it is providing reasonable ones through a reasonable
interface - is the way to go. Unfortubately, this seems to be a way
straight into ifdef hell in the case of Windows, something
like use "CryptGenRandom" on WINCE (see current code),
use whatever for WinPhone 7 and the silverlight flavor of 8 (I seem to
remember that my first attempt on Windows 8.1 failed because I used
a silverlight-only-API, which didn't work for me, so there definitely is
something), use my suggestion or whatever else on the non-silverlight
flavor of Windows Phone 8.1, not sure how to name it (i.e. use
Windows::Security::Cryptography::CryptographicBuffer::GenerateRandomNumber()),
and finally use the CryptoProvider from advapi.dll if it exists, on the
desktop (again, see current code).
And then, if all these cases didn't work or if you are especially paranoid,
mix in the additional hashes obtained from screen content, heap content
or thread/process/module/event information - or at least as many of them
as you can obtain on your platform.
Regards,
Stefan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
