On 27. Sep 2017, at 19:57, Harald Welte
<laforge(a)gnumonks.org> wrote:
For TMSI allocation, my "cryptographic gut
feeling"[tm] is that something
like rand() or any other pseudo-random generator of significantly large
period is sufficient *if* it is seeded by a non-predictable value. So
something like seeding with getrandom() result should be fine?
GLIBC rand() maybe but "any other" not. E.g. if it is a Mersenne Twister
than observing ~624 TMSIs could be enough to predict past and future state.
Picking something like RAND_bytes of OpenSSL for TMSIs seems to be the
best way. It will re-seed itself (and we are not forking). If the OpenSSL
dependency is too bad (license compatibility, the move to the Apache license
could help us here for GPLv3+ software) then maybe the second best option
is to take a "Fortuna"[1] implementation from somewhere?
holger
[1]
https://en.wikipedia.org/wiki/Fortuna_(PRNG)