Paul_Koning at dell.com
Thu Aug 27 11:59:50 CST 2009
My first post to this list, though I've used pycrypto for 2-3 years
I spotted the message about RandomPool, and the three replies to it
that the mail archive showed. (If there are others in later sections
of the archive, I didn't see those.)
RFC 4086, "Randomness Requirements for Security" is very much worth
studying for a discussion of this subject.
Dwayne comments "Also, after looking a bit more at OS-provided random
generators, I'm starting to think that just returning their output
might not be such a great idea. There just doesn't seem to be any
reason to trust them very far." I don't know what OS is at issue
here; it would be good for a general statement like that to be
accompanied by specific evidence. For example, I spent quite a while
looking at the Linux /dev/random code by Ted Ts'o, and my conclusion
is just the opposite. It looks strong and well constructed. So could
you spell which OS you were talking about, and why you concluded it
should not be trusted?
What is Fortuna? What makes it good enough that an application-level
RNG can be safely layered on top of it?
More information about the pycrypto