Subject: Re: CVS commit: src/sbin/newfs
To: David Laight <firstname.lastname@example.org>
From: Perry E. Metzger <email@example.com>
Date: 09/04/2003 13:51:43
David Laight <firstname.lastname@example.org> writes:
> > > Maybe arc4random() could be used instead?
> > I'm not a huge believer in arc4random(), but it would be a strict (and
> > indeed substantial) improvement over a linear congruential generator,
> > yes. I would suggest making the alteration, and in the longer run we
> > should discuss improved algorithms.
> Actually random() isn't a 'linear congruential generator', it is
> an 'Additive generator'. But to quote Schneier:
> Additive generators (sometimes called lagged Fibonacci generators) are
> extremely efficient because they produce random words instead of random
> bits. They are not secure on their own, but can be used as building
> blocks for secure generators.
I don't think random() is in any case secure, or could be made secure.
> The RC4 based random sequence generator is probably secure, given
> unknown key state. RC4 itself is trademarked - so an implementation
> has to call itself something else.
Ours calls itself "arc4", which is not a trademark.
Perry E. Metzger email@example.com