Re: Still wondering about random numbers...

Dr. Evil <drevil@sidereal.kz>

From: "Dr. Evil" <drevil@sidereal.kz>
To: bruno@wolff.to
Cc: lockhart@fourpalms.org, pgsql-general@postgresql.org
Date: 2001-08-07T20:31:12Z
Lists: pgsql-general
> 'Better' is in the eye of the beholder. /dev/random can stall for
> very long periods of time waiting for entropy. Even /dev/urandom may
> be overkill for some uses of random numbers. There is also the question
> of how many bytes the function is going to return.
>
> While it would be nice to have some access to /dev/random and /dev/urandom,
> I don't know that replacing the current random function is the best way
> to do this.

I'm the one who originally posted this question, and I agree, you have
a very good point.  /dev/random relies on a pool of entropy, which is
limited.  Applications which require a large volume of low-quality
random numbers (perhaps for rendering in a video game) should
definitely not use /dev/random, but applications which require a small
amount of high-quality randomness (generating cryptographic session
keys perhaps) should use it.  PG should have both calls available.  If
anyone has written a C function which calls the crypto-random
generator, which I could link in, if you would mail it to me, I would
be most appreciative, because I am using this to generate
cryptographic challenges, session keys and the like, which really do
need crypto-quality random numbers.

As an intermediate solution, I can use SHA1 to generate a sequence of
hashes, which does work as a fairly good crypto-RNG.  If anyone wants,
I can post the SHA1 code for PG.  It should really be in the
distribution, I think.  But then again, so should AES and RSA and
OpenPGP...