I'm writing an application that requires cryptographicly-sound random
decimal digits in PG. One way to do this is with a plain old hash
like SHA1. The problem is that this produces a 20 byte string, when
what I want is a digit from 0 to 9. One thing I could do is take this
20 byte string, and return the first 8 bytes of it as a INT8, and take
the mod10 of it. That should be mostly random. Is this a good way to
do it? Or is there some better way?
Btw, this is on OpenBSD, which has its own internal RNG, which is
cryptographicly sound. On such systems, does the RANDOM() function
use the cryptographicly sound RNG, or does it use the C library's
plain old low-quality RNG?
Someday it would be really cool if PG had linked-in cryptographic
functions. I wrote a SHA1 hash and DES that link in, which is a good
start, but it would be awesome to also have RSA encrypt/decrypt/sign,
and AES encrypt/decrypt, and also something that can process OpenPGP
format messages (ie, with GPG). Maybe as I get better with linking C
functions in to PG I'll work on some of that. Oh yeah, and while I'm
making a wish-list, having an option to encrypt the physical database
file that PG uses would be fantastic. Some of us are storing some
valuable data in these things, and basically none of the free OSes
support file system encryption in a way that doesn't suck. I know
everyone will say, "do it at the FS layer", but that just isn't
reality right now, and it's a lot cheaper to encrypt the database than
it is to physically secure the machine in many cases.
Thanks
