Newsgroups: sci.crypt
Path: agate!dog.ee.lbl.gov!ihnp4.ucsd.edu!info.ucla.edu!csulb.edu!news.uoregon.edu!arclight.uoregon.edu!nntp.primenet.com!howland.erols.net!news.mathworks.com!uunet!in1.uu.net!world!dtd
From: dtd@world.std.com (don t davis)
Subject: Re: Need Advice: RNG
Message-ID: <DzBxMy.835@world.std.com>
Organization: The World Public Access UNIX, Brookline, MA
References: <53uj4m$iij@masters0.news.internex.net>
Date: Tue, 15 Oct 1996 18:20:57 GMT
Lines: 22

David Rudder <drig@magicweb.com> wrote:
>  I'm trying to write a cryptographically secure Random Number Generator.
>
> I throw up a window.  Every time an event is generated, the x and y
> coordinates of the mouse are put into a byte[] array ...

mouse-coordinates will give less randomness than you might
expect.  the problem is that with networked applications
like web browsers, the application traffic between the
client and server effectively publishes the locations and
sequence of the client's mouse-events. thus, the only
private noise that's left is the position of the cursor
_within_ the button that gets pressed. since screen buttons
vary in size from a few hundred to a few thousand pixels,
you're really getting only 8 to 12 bits of variability per
event, instead of the 20 or so that you might expect.

so, i believe mouse-noise can be secret and random, but only
as long as you're careful not to keep too many bits as real
randomness.
					-don davis, boston
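
The entropy accounting described in the reply above, as an added example that is not part of the original post: a hash-based pool that mixes every click but credits only the bits an observer of the traffic could not know. The class name, the 128-bit target and the sample button geometry are assumptions made for illustration.

```python
import hashlib
import math


class MousePool:
    """Hash pool that credits each click only with its private entropy."""

    def __init__(self, target_bits=128):
        self._state = hashlib.sha256(b"mouse-pool-example")
        self.credited_bits = 0.0
        self.target_bits = target_bits

    @staticmethod
    def private_bits(button_w, button_h):
        # The traffic reveals which button was pressed, so only the position
        # inside it is unknown. log2(area) is an upper bound: real clicks
        # cluster near the middle of a button, so the true figure is lower.
        return math.log2(max(button_w * button_h, 1))

    def add_click(self, x, y, button):
        """button = (left, top, width, height) of the widget that was hit."""
        left, top, w, h = button
        if not (left <= x < left + w and top <= y < top + h):
            raise ValueError("click lies outside the stated button")
        # Mix the full coordinates, but credit only the in-button offset.
        self._state.update(x.to_bytes(4, "big") + y.to_bytes(4, "big"))
        self.credited_bits += self.private_bits(w, h)

    def ready(self):
        return self.credited_bits >= self.target_bits

    def output(self):
        if not self.ready():
            raise RuntimeError("not enough credited entropy yet")
        seed = hashlib.sha256(b"out" + self._state.copy().digest()).digest()
        self._state.update(b"used")   # later outputs differ from this one
        self.credited_bits = 0.0      # credit is spent once a seed is drawn
        return seed


def demo():
    pool = MousePool()
    button = (200, 300, 16, 16)  # constructed sample: 16x16 button, 256 pixels
    clicks = 0
    while not pool.ready():
        pool.add_click(200 + (clicks * 7) % 16, 300 + (clicks * 5) % 16, button)
        clicks += 1
    return clicks, len(pool.output())  # 16 clicks at 8 bits each, 32-byte seed
```

Crediting 20 bits per click would have released a seed after 7 events; with the per-button bound the same 128-bit target takes 16.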


