[whatwg] Cryptographically strong random numbers

Glenn Maynard glenn at zewt.org
Mon Feb 14 15:36:31 PST 2011


On Mon, Feb 14, 2011 at 5:46 PM, Shabsi Walfish <shabsi at google.com> wrote:

> This depends on what you consider to be the basic use case. Generating
> long-lived cryptographic keys absolutely requires high quality entropy... if
> you are only generating short-lived authenticators (that are not used for
> encryption) then you could get away with weaker entropy. You will get the
> most mileage out of this feature if it can be used to generate encryption
> keys, or long-lived signing keys.


OpenSSL gets randomness for generating keys by reading /dev/urandom.  It
doesn't seem to do any other tricks, like reading
/proc/sys/kernel/random/entropy_avail.  That at least suggests it's
sufficient for securely generating keys, without more complex APIs like
exposing the amount of entropy that was available.

-- 
Glenn Maynard



More information about the whatwg mailing list