We're looking for a way to generate good random SessionIDs for users of our application.
Originally we were using MESSAGE-DIGEST("SHA-512", GENERATE-UUID), but as we found out, UUIDs are too deterministic, hence they are NOT a good source for a (pseudo)random byte sequence. Hashing them doesn't make this problem go away; it just hides it.
So now I'm looking at GENERATE-RANDOM-KEY, but the doc says: "Generates a pseudorandom (rather than a truly random) series of bytes to use as an encryption key, and returns the key as a RAW value."
Is this something I need to be worried about? Is there any way we can use something like /dev/urandom on Linux? Does GENERATE-RANDOM-KEY use the same seed for every session?
What's the best way of generating truly cryptographically strong session IDs?
On Unix, you may use the audio source (i.e. Line in or Mic) as a source for entropy. Some projects such as audio_entropyd can feed the /dev/random device with random data captured from the audio device. (Source: http://vanheusden.com/aed )
Well, that doesn't really answer my question. My question is: Where does the entropy for GENERATE-RANDOM-KEY come from? What sort of RNG does it use under the hood? I can't find this anywhere.
The GENERATE-RANDOM-KEY function uses the OpenSSL cryptographic library's default PRNG algorithm based on MD5. The algorithm is seeded with: Unix - 128 bits from /dev/urandom; Windows - 80 bytes derived from the current date/time/tz.
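Putting the two answers together, here is an added ABL example (not code from anyone in the thread) of a session-ID generator that takes its bytes straight from GENERATE-RANDOM-KEY instead of hashing a UUID. It assumes an OpenEdge release where SECURITY-POLICY:SYMMETRIC-ENCRYPTION-ALGORITHM accepts "AES_CBC_256" (so the key is 32 bytes) and where BASE64-ENCODE returns a LONGCHAR; the function name newSessionId is mine.

```abl
/* Added example, not from the thread: a session-ID generator built on
   GENERATE-RANDOM-KEY (seeded from /dev/urandom on Unix, per the answer above).
   Assumes SECURITY-POLICY:SYMMETRIC-ENCRYPTION-ALGORITHM accepts "AES_CBC_256"
   so that the generated key is 32 bytes (256 bits) long. */

FUNCTION newSessionId RETURNS CHARACTER ():
    DEFINE VARIABLE rKey  AS RAW       NO-UNDO.
    DEFINE VARIABLE lcB64 AS LONGCHAR  NO-UNDO.
    DEFINE VARIABLE cId   AS CHARACTER NO-UNDO.

    /* The key length follows the configured symmetric algorithm: 256 bits here. */
    SECURITY-POLICY:SYMMETRIC-ENCRYPTION-ALGORITHM = "AES_CBC_256".
    rKey = GENERATE-RANDOM-KEY.

    /* Base64 keeps all 256 bits of entropy (hashing a low-entropy UUID adds
       none); then make the string cookie/URL safe and drop the padding. */
    lcB64 = BASE64-ENCODE(rKey).
    cId   = STRING(lcB64).
    cId   = REPLACE(cId, "+", "-").
    cId   = REPLACE(cId, "/", "_").
    cId   = REPLACE(cId, "=", "").

    RETURN cId.
END FUNCTION.

/* Sanity check: 32 random bytes encode to 43 base64 characters without padding. */
DEFINE VARIABLE cSession AS CHARACTER NO-UNDO.
cSession = newSessionId().
IF LENGTH(cSession) <> 43 THEN
    MESSAGE "Unexpected session ID length:" LENGTH(cSession) VIEW-AS ALERT-BOX.
ELSE
    MESSAGE "Session ID:" cSession VIEW-AS ALERT-BOX.
```

Because the underlying PRNG is reseeded from /dev/urandom only on Unix, the Windows date/time seeding described above is the part worth checking on your platform before relying on this for session tokens.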