Valerio Schiavoni wrote: > hello dirk, thanks for your reply, > > On 11/6/06, Dirk Olmes <[EMAIL PROTECTED]> wrote: >> >> In the end it turned out to be the random device that is configured by >> default in the jdk. Take a look at >> $JAVA_HOME/jre/lib/security/java.security where the random device is >> configured. > > > what should I check ? i'm on a linux machine, the default random device is > accessed : > > securerandom.source=file:/dev/urandom > > what exactly should I check ?
Ok, forget that. Quoting from the linux random man page: > When read, the /dev/random device will only return random bytes > within the estimated number of bits of noise in the entropy pool. > /dev/random should be suitable for uses that need very high quality > randomness such as one-time pad or key generation. When the entropy > pool is empty, reads from /dev/random will block until additional > environmental noise is gathered. ... so /dev/random is NOT what you want. This used to be the default for older JDKs IIRC. > A read from the /dev/urandom device will not block waiting for more > entropy. As a result, if there is not sufficient entropy in the > entropy pool, the returned values are theoretically vulnerable to a > cryptographic attack on the algorithms used by the driver. Knowledge > of how to do this is not available in the current non-classified > literature, but it is theoretically possible that such an attack may > exist. If this is a concern in your application, use /dev/random > instead. ... obviously /dev/urandom is what you want and what's already configured. -dirk -- A: Maybe because some people are too annoyed by top-posting. Q: Why do I not get an answer to my question(s)? A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
