You just want it to be difficult for the attacker to predict when the same id is going to come around again. If they are *really* unique, this will never be a problem.
-- Joe Hildebrand > -----Original Message----- > From: Matthias Wimmer [mailto:[EMAIL PROTECTED] > Sent: Monday, October 13, 2003 5:01 PM > To: [EMAIL PROTECTED] > Subject: Re: [JDEV] Still another patch ... (seed the rand() function) > > Hi! > > Matthias Wimmer schrieb am 2003-10-13 23:00:18: > > But as I said: you're right. The hole thing with rand() is not the > > best solution. Maybe it would be a good idea to use the RAND_*() > > functions of openssl if compiled with SSL support. > > The attached patch would use RAND_pseudo_bytes() to get > pseudo random bytes seeded from /dev/urandom. Using > cryptographically strong bytes (the function RAND_bytes()) > shouldn't be needed here and most of the time you get them > with this call too. > > But is it needed? I don't see any benefit for an attacker to > predict the challenge - it just has to be unique. > > > Tot kijk > Matthias > > -- > For kibibytes see: > http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm > _______________________________________________ jdev mailing list [EMAIL PROTECTED] http://mailman.jabber.org/listinfo/jdev
