On Mon, 2 Oct 1995, Yih-Chun Hu wrote:
I wouldn't bet on it. I did a similar hack with perl, with a much more conservative 5 seconds to 32 bytes. That didn't cut it, when I ent'ed the result it gave 6 bits of entropy / 8 bits of output.
How did you measure the entropy of the output ?
Um.. I would try to generate bits quickly, then securely, so for example you get a 2k buffer and do it 5 sec / 128 bits. Then slow down and overwrite the buffer and give warnings if the user wants to use the bits too early.
Ah, well the idea is that they can just generate a OTP when they have a few spare hours, not that they'd be generating it in real-time. The Privtool code does use realtime generation of random numbers, but it has a lot of input data other than the audio (e.g. mouse movements, MD5 hashes, etc). Mark