
2015-01-17 19:31 GMT+04:00 Peter Dimov
Antony Polukhin wrote:
So mixing in some additional entropy seems reasonable.
There is no guarantee that mixing in highly predictable, or constant, values using SHA1 improves the quality of the random numbers, or decreases their predictability. It is not at all impossible for such amateur improvements to actually decrease the quality of the original source.
The only genuine entropy here is QueryPerformanceCounter, which is already incorporated into the output of CryptGenRandom.
And in fact, the goal of the original code has never been to achieve crypto quality randomness, or even to approach the quality of CryptGenRandom. It's just for UUID generation, after all.
Agreed. But the initial goal of the pull request is just to avoid reads of uninitialized memory. Original methods of gathering entropy (those that possibly decrease quality) remain almost untouched, just CryptGenRandom is added as a bonus.

--
Best regards,
Antony Polukhin