
Virtual machines receive very little entropy from their environment, which is a real problem when entropy is required for the generation of cryptographic keys.

There have been many attacks based upon vulnerabilities which exist due to misunderstandings of entropy, and the need for a secure random number generator, for example the Mozilla SSL vulnerability and the Debian SSH key vulnerability.

I would agree with you that /dev/urandom can be used for one-shot passwords; however, I would disagree with you that getting into the habit of using a non-secure random number generator as a source of secure entropy is a bad idea and should be discouraged.

I'd also like to point out that "the standard openssl RSA encryption function", last time I checked, worked to spec, and does in fact encrypt a symmetric key used for AES (by default), using RSA, including proper cryptographic padding of the key using PKCS#1.

I'm not exactly sure why you thought otherwise.

I do agree with your final assertion, though. Unless you know what you're doing, it's very easy to make a mistake.
