[whatwg] Cryptographically strong random numbers

Glenn Maynard glenn at zewt.org
Mon Feb 14 15:36:31 PST 2011

On Mon, Feb 14, 2011 at 5:46 PM, Shabsi Walfish <shabsi at google.com> wrote:

> This depends on what you consider to be the basic use case. Generating
> long-lived cryptographic keys absolutely requires high quality entropy... if
> you are only generating short-lived authenticators (that are not used for
> encryption) then you could get away with weaker entropy. You will get the
> most mileage out of this feature if it can be used to generate encryption
> keys, or long-lived signing keys.

OpenSSL gets randomness for generating keys by reading /dev/urandom.  It
doesn't seem to do any other tricks, like reading
/proc/sys/kernel/random/entropy_avail.  That at least suggests it's
sufficient for securely generating keys, without more complex APIs like
exposing the amount of entropy that was available.

Glenn Maynard

More information about the whatwg mailing list