Fw: Random strings

Below is the last message I sent (to patches) regarding the random string
function for contrib. Is there any interest in this? I don't mind changing
it per Peter's comments, but I don't want to bother if no one sees any value
in it. Comments?

-- Joe

----- Original Message -----
From: "Joe Conway" <joseph(dot)conway(at)home(dot)com>
To: "Peter Eisentraut" <peter_e(at)gmx(dot)net>
Cc: "Dr. Evil" <drevil(at)sidereal(dot)kz>; <pgsql-patches(at)postgresql(dot)org>
Sent: Thursday, August 09, 2001 10:13 AM
Subject: Re: [PATCHES] Random strings

> > > seconds). The same test with /dev/urandom returns instantly. Perhaps
> there
> > > should be an option to use either. For instances where only a few
truly
> > > random bytes is needed (i.e. one session key), use /dev/random. When
you
> > > need many random bytes quickly, use /dev/urandom?
> >
> > Not sure if this is intuitive. How many bytes is "a few"? Maybe just
be
> > honest about it and name them randomstr and urandomstr or such.
> >
>
> In the patch that I sent last night, I explicitly limited /dev/random to
64
> bytes. I agree that this is not very intuitive, but for specific purposes,
> such as generating a session key for tripledes (24 byte/192 bit random
> string yielding 168 bits for a the key) periodically, it is quite useful.
> There's a tradeoff here between cryptographic strength (favoring
> /dev/random) and application performance (favoring /dev/urandom) that will
> vary significantly from application to application. It's nice to have the
> option depending on your needs.
>
> Having said that, I'm not married to the idea that we should provide
access
> to both /dev/random and /dev/urandom. I'd be happy to roll another patch,
> limited to just urandom, and renaming the function if you feel strongly
> about it. (should we move this discussion back to hackers to get a wider
> audience?)
>
> -- Joe
>