Subject: Re: [boost] [uuid] Issue 9407: please merge fix
From: Peter Dimov (lists_at_[hidden])
Date: 2015-01-17 10:31:25


Antony Polukhin wrote:
> We have no guarantee that CryptGenRandom algorithm is not reversible or
> predictable.

There is enough information at

http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx
http://en.wikipedia.org/wiki/CryptGenRandom
http://blogs.msdn.com/b/michael_howard/archive/2005/01/14/353379.aspx

> So mixing in some additional entropy seems reasonable.

There is no guarantee that mixing in highly predictable, or constant, values
using SHA1 improves the quality of the random numbers, or decreases their
predictability. It is not at all impossible for such amateur improvements to
actually decrease the quality of the original source.

The only genuine entropy here is QueryPerformanceCounter, which is already
incorporated into the output of CryptGenRandom.

And in fact, the goal of the original code has never been to achieve crypto
quality randomness, or even to approach the quality of CryptGenRandom. It's
just for UUID generation, after all.


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk