Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May


Better Entropy Sources

Perhaps the most obvious solution would be to simply improve the set of entropy sources used to generate the cookie. In particular, sources that contribute more entropy, especially in the high order bits, would be of great benefit. The challenge, however, is locating sources that are easy to interact with and require very little overhead. For example, it is not really feasible to have the GS cookie generator rely on the crypto API, since doing so would introduce a dependency on the crypto API in every application compiled with /GS. As this document has hopefully shown, it is also a requirement that any additional entropy source be difficult to estimate externally at a future point in time.

Even though this is a viable solution, the author is not presently aware of any additional entropy sources that would meet all three requirements. For this reason, the author feels that this approach alone is insufficient to solve the problem. If entropy sources are found which meet these requirements, the author would love to hear about them.