Index: typo3/sysext/install/ext_localconf.php
===================================================================
--- typo3/sysext/install/ext_localconf.php	(revision 4715)
+++ typo3/sysext/install/ext_localconf.php	(working copy)
@@ -2,6 +2,7 @@
 if (!defined ('TYPO3_MODE')) 	die ('Access denied.');
 
 require_once(t3lib_extMgm::extPath('install').'updates/class.tx_coreupdates_compatversion.php');
+$TYPO3_CONF_VARS['FE']['eID_include']['tx_install_eid'] = 'EXT:install/mod/class.tx_install_eid.php';
 $TYPO3_CONF_VARS['SC_OPTIONS']['ext/install']['update']['changeCompatibilityVersion'] = 'tx_coreupdates_compatversion';
 
 	// not used yet
Index: typo3/sysext/install/mod/class.tx_install.php
===================================================================
--- typo3/sysext/install/mod/class.tx_install.php	(revision 4715)
+++ typo3/sysext/install/mod/class.tx_install.php	(working copy)
@@ -2087,8 +2087,9 @@
 				if ($this->mode!='123')	{
 					$out.=$this->wrapInCells('Site name:', '<input type="text" name="TYPO3_INSTALL[localconf.php][sitename]" value="'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']).'">');
 					$out.=$this->wrapInCells('', '<br />');
-					$out.='<script type="text/javascript" src="../md5.js"></script><script type="text/javascript">function generateEncryptionKey(key) {time=new Date(); key=MD5(time.getMilliseconds().toString());while(key.length<66){key=key+MD5(key)};return key;}</script>';
-					$out.=$this->wrapInCells('Encryption key:', '<a name="set_encryptionKey"></a><input type="text" name="TYPO3_INSTALL[localconf.php][encryptionKey]" value="'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']).'"><br /><input type="button" onclick="document.forms[\'setupGeneral\'].elements[\'TYPO3_INSTALL[localconf.php][encryptionKey]\'].value=generateEncryptionKey(document.forms[\'setupGeneral\'].elements[\'TYPO3_INSTALL[localconf.php][encryptionKey]\'].value);" value="Generate random key">');
+					$out.='<script type="text/javascript" src="../sysext/install/mod/install.js"></script>';
+					$out.='<script type="text/javascript" src="../contrib/prototype/prototype.js"></script>';
+					$out.=$this->wrapInCells('Encryption key:', '<a name="set_encryptionKey"></a><input type="text" name="TYPO3_INSTALL[localconf.php][encryptionKey]" value="'.htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']).'"><br /><input type="button" onclick="EncryptionKey.load(this)" value="Generate random key">');
 					$out.=$this->wrapInCells('', '<br />');
 
 						// Other
Index: typo3/sysext/install/mod/install.js
===================================================================
--- typo3/sysext/install/mod/install.js	(revision 0)
+++ typo3/sysext/install/mod/install.js	(revision 0)
@@ -0,0 +1,49 @@
+/***************************************************************
+*
+*  javascript functions to get the TYPO3 encryption key by an
+*  AJAX call and fill the form with it.
+*
+*  Copyright notice
+*
+*  (c) 2009 Marcus Krause, Helmut Hummel <security@typo3.org>
+*  All rights reserved
+*
+*  This script is part of the TYPO3 backend provided by
+*  Kasper Skaarhoj <kasper@typo3.com> together with TYPO3
+*
+*  Released under GNU/GPL (see license file in /typo3/)
+*
+*  This script is distributed in the hope that it will be useful,
+*  but WITHOUT ANY WARRANTY; without even the implied warranty of
+*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+*
+*  This copyright notice MUST APPEAR in all copies of this script
+*
+***************************************************************/
+
+
+/**
+ *
+ * @author	Marcus Krause
+ */
+var EncryptionKey = {
+	thisScript: '../../index.php',
+	eID: 'tx_install_eid',
+
+	// loads the ecryption key by an AJAX call
+	load: function(obj) {
+		// fallback if AJAX is not possible (e.g. IE < 6)
+		if (typeof Ajax.getTransport() != 'object') {
+			window.location.href = this.thisScript + '?eID=' + this.eID;
+			return;
+		}
+
+		new Ajax.Request(this.thisScript, {
+			method: 'get',
+			parameters: '?eID=' + this.eID,
+			onComplete: function(xhr) {
+				document.getElementsByName('TYPO3_INSTALL[localconf.php][encryptionKey]').item(0).value=xhr.responseText;
+			}.bind(this),
+		});
+	},
+};
\ No newline at end of file
Index: typo3/sysext/install/mod/class.tx_install_eid.php
===================================================================
--- typo3/sysext/install/mod/class.tx_install_eid.php	(revision 0)
+++ typo3/sysext/install/mod/class.tx_install_eid.php	(revision 0)
@@ -0,0 +1,111 @@
+<?php
+/***************************************************************
+*  Copyright notice
+*
+*  (c) 2009 Marcus Krause, Helmut Hummel (security@typo3.org)
+*  All rights reserved
+*
+*  This script is part of the TYPO3 project. The TYPO3 project is
+*  free software; you can redistribute it and/or modify
+*  it under the terms of the GNU General Public License as published by
+*  the Free Software Foundation; either version 2 of the License, or
+*  (at your option) any later version.
+*
+*  The GNU General Public License can be found at
+*  http://www.gnu.org/copyleft/gpl.html.
+*  A copy is found in the textfile GPL.txt and important notices to the license
+*  from the author is found in LICENSE.txt distributed with these scripts.
+*
+*
+*  This script is distributed in the hope that it will be useful,
+*  but WITHOUT ANY WARRANTY; without even the implied warranty of
+*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*  GNU General Public License for more details.
+*
+*  This copyright notice MUST APPEAR in all copies of the script!
+***************************************************************/
+
+
+
+// *******************************
+// Set error reporting
+// *******************************
+error_reporting (E_ALL ^ E_NOTICE);
+
+
+// ***********************
+// Paths are setup
+// ***********************
+define('TYPO3_OS', stristr(PHP_OS,'win')&&!stristr(PHP_OS,'darwin')?'WIN':'');
+define('TYPO3_MODE','FE');
+if (!defined('PATH_thisScript')) 	define('PATH_thisScript',str_replace('//','/', str_replace('\\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME']))));
+
+if (!defined('PATH_site')) 			define('PATH_site', dirname(PATH_thisScript).'/');
+if (!defined('PATH_t3lib')) 		define('PATH_t3lib', PATH_site.'t3lib/');
+define('PATH_tslib', PATH_site.'tslib/');
+define('PATH_typo3conf', PATH_site.'typo3conf/');
+define('TYPO3_mainDir', 'typo3/');		// This is the directory of the backend administration for the sites of this TYPO3 installation.
+
+if (!@is_dir(PATH_typo3conf))	die('Cannot find configuration. This file is probably executed from the wrong location.');
+
+require_once(PATH_t3lib.'class.t3lib_div.php');
+
+/**
+ * This is the eID handler for encryption key generation.
+ *
+ * @author	Marcus Krause <security@typo3.org>
+ */
+class tx_install_eid {
+
+
+	/**
+	 * Keeps content to be printed.
+	 *
+	 * @var string
+	 */
+	var $content;
+
+
+	/**
+	 * Main function which creates the ecryption key for the install tools AJAX call 
+	 * It stores the key in $this->content
+	 *
+	 * @return	void
+	 */
+	function main()	{
+			// Create output:
+		$this->content = $this->createEncryptionKey();
+	}
+
+	/**
+	 * Outputs the content from $this->content
+	 *
+	 * @return	void
+	 */
+	function printContent()	{
+		echo $this->content;
+	}
+
+	/**
+	 * Returns a newly created TYPO3 encryption key with a given length.
+	 *
+	 * @param  integer  $keyLength  desired key length
+	 * @return string
+	 */
+	function createEncryptionKey($keyLength = 96) {
+		
+		$bytes = t3lib_div::generateRandomBytes($keyLength);
+		return substr(bin2hex($bytes), -96);
+	}
+}
+
+// Make instance:
+$SOBE = t3lib_div::makeInstance('tx_install_eid');
+$SOBE->main();
+$SOBE->printContent();
+
+if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/sysext/install/mod/class.tx_install_eid.php'])	{
+	include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/sysext/install/mod/class.tx_install_eid.php']);
+}
+
+?>
\ No newline at end of file
Index: t3lib/class.t3lib_div.php
===================================================================
--- t3lib/class.t3lib_div.php	(revision 4715)
+++ t3lib/class.t3lib_div.php	(working copy)
@@ -1368,6 +1368,37 @@
 		return chr(10).htmlspecialchars($content);
 	}
 
+	/**
+	 * Returns a string of highly randomized bytes (over the full 8-bit range).
+	 *
+	 * @copyright	Drupal CMS
+	 * @license		GNU General Public License version 2
+	 * @param		integer  Number of characters (bytes) to return
+	 * @return		string   Random Bytes
+	 */
+	public static function generateRandomBytes($count) {
+		$output = '';
+			// /dev/urandom is available on many *nix systems and is considered
+			// the best commonly available pseudo-random source.
+		if (TYPO3_OS != 'WIN' && ($fh = @fopen('/dev/urandom', 'rb'))) {
+			$output = fread($fh, $count);
+			fclose($fh);
+		}
+
+			// fallback if /dev/urandom is not available
+		if (!isset($output{$count - 1})) {
+				// We initialize with the somewhat random.
+			$randomState = $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']
+							. microtime() . getmypid();
+			while (!isset($output{$count - 1})) {
+				$randomState = md5(microtime() . mt_rand() . $randomState);
+				$output .= md5(mt_rand() . $randomState, true);
+			}
+			$output = substr($output, strlen($output) - $count, $count);
+		}
+		return $output;
+	}
+