Re: time as a source of randomness

There seems to be divergence from the issue here.

SSL 3.0 never intended time to be a source of randomness. In a more
perfect world, those four bytes would be absolutely predictable. It is
only the imperfections of the current OSs and networks that make it not

During the development of the SSL 3.0 specification, it was observed
that 28 bytes would be sufficient as a random value for the purpose at
hand, and that is still believed that to be true. The extra four bytes,
from SSL's point of view, are simply carried along as a convenience to
its clients, though SSL purposely does not indicate what the client
might do with the information.

To the best of my knowledge, adding 4 predictable bytes to 28 (nearly)
unpredictable bytes leaves you with 28 (nearly) unpredictable bytes.

If someone believes that 28 bytes is not sufficient, then that would be
an issue. I haven't heard anybody making such a claim.

Alan O. Freier		Corporate Cynic
<>	(415) 937-3638 (work)

Received on Thursday, 25 April 1996 13:23:59 UTC