[whatwg] Cryptographically strong random numbers
glenn at zewt.org
Mon Feb 14 15:36:31 PST 2011
On Mon, Feb 14, 2011 at 5:46 PM, Shabsi Walfish <shabsi at google.com> wrote:
> This depends on what you consider to be the basic use case. Generating
> long-lived cryptographic keys absolutely requires high quality entropy... if
> you are only generating short-lived authenticators (that are not used for
> encryption) then you could get away with weaker entropy. You will get the
> most mileage out of this feature if it can be used to generate encryption
> keys, or long-lived signing keys.
OpenSSL gets randomness for generating keys by reading /dev/urandom. It
doesn't seem to do any other tricks, like reading
/proc/sys/kernel/random/entropy_avail. That at least suggests it's
sufficient for securely generating keys, without more complex APIs like
exposing the amount of entropy that was available.
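
An added illustration, not part of the original message and not OpenSSL's code: a minimal C routine that fills a key buffer from /dev/urandom only, without consulting entropy_avail, retrying on short or interrupted reads and failing closed. The names urandom_bytes and KEY_LEN are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define KEY_LEN 32  /* 256-bit key; size chosen for this example */

/* Fill buf with len bytes from /dev/urandom. Returns 0 on success, -1 on
 * failure. Fails closed: on error the buffer is zeroed, so a caller that
 * forgets to check the result never uses partially random key material. */
int urandom_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;

    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n > 0)
            off += (size_t)n;   /* short read: keep reading the remainder */
        else if (n < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        else
            break;              /* EOF or hard error */
    }
    close(fd);

    if (off != len) {
        memset(buf, 0, len);    /* do not leave partial output behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    unsigned char key[KEY_LEN];
    if (urandom_bytes(key, sizeof key) != 0) {
        fprintf(stderr, "could not read /dev/urandom\n");
        return 1;
    }
    printf("generated %zu-byte key from /dev/urandom\n", sizeof key);
    return 0;
}
```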