Applied Crypto Hardening [pdf]

18 points by SpaceInvader over 10 years ago

1 comment

tptacek over 10 years ago
> On Linux there are two devices that return random bytes when read; the /dev/random can block until sufficient entropy has been collected while /dev/urandom will not block and return whatever (possibly insufficient) entropy has been collected so far.

> Unfortunately most crypto implementations are using /dev/urandom and can produce predictable random numbers if not enough entropy has been collected [HDWH12].

This is inaccurate, and implementations should use urandom, to the exclusion of all RNGs.

http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

> A word of warning: One should get familiar with ECC, different curves and parameters if one chooses to adopt ECC configurations. Since there is much discussion on the security of ECC, flawed settings might very well compromise the security of the entire system!

This is equally true of RSA, perhaps more so. In 2015, your default selection for asymmetric crypto should be ECC.