[PATCH] When generating the token, don't use a weak PRNG.
Nick Lowe
nick.lowe at lugatech.com
Sat Feb 6 02:42:42 PST 2016
The RFC says what it does because the author(s) either must have had a
mistaken notion that there are always issues where an entropy
source/pool can be consumed and did not want to exacerbate that
presumed issue or had notions that there were always significant
performance issues using a source of random entropy. This is not the
case with /dev/urandom in Linux and the entropy sources in other
operating systems that I am aware of.
Something is only truly unpredictable when it is from a high quality
random source so the statement...
"The value of the anti-clogging token MUST be unpredictable and SHOULD
NOT be from a source of random entropy."
... contradicts itself.
We should look to the intent and purpose of the RFC and the token, not
what it says at face value. It is poorly worded and does not explain
or justify itself.
Regards,
Nick
More information about the Hostap
mailing list