Cryptographically strong random - /dev/urandom ?

Roger Larsson roger.larsson@REDACTED
Wed Apr 20 01:13:41 CEST 2005


On Monday 18 April 2005 18.57, klacke@REDACTED wrote:
> On Mon, Apr 18, 2005 at 12:58:50PM +0300, joel reymont wrote:
> > Folks,
> >
> > I understand that SSL in Erlang is based on OpenSSL. That library also
> > comes with a cryptographically strong random implementation but that
> > bit is not included in Erlang SSL.
> >
> > Is there a cryptographically strong implementation for Erlang?
>
> We do:
>
>
> random_ascii_str(Length) ->
>     random_ascii_str(Length, os:cmd("dd if=/dev/urandom count=1"), [], 0).

from "man urandom"
       When  read,  /dev/urandom  device  will  return  as  many  bytes as are
       requested.  As a result, if there is  not  sufficient  entropy  in  the
       entropy  pool,  the  returned  values are theoretically vulnerable to a
       cryptographic attack on the algorithms used by the  driver.   Knowledge
       of how to do this is not available in the current non-classified liter‐
       ature, but it is theoretically possible that such an attack may  exist.
       If this is a concern in your application, use /dev/random instead.

/RogerL



More information about the erlang-questions mailing list