diff --git a/iscsi-scst/usr/chap.c b/iscsi-scst/usr/chap.c
index 532ac78a0..227a372dc 100644
--- a/iscsi-scst/usr/chap.c
+++ b/iscsi-scst/usr/chap.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include "sha1.h"
 #include "md5.h"
@@ -332,6 +333,22 @@ static inline void chap_calc_digest_sha1(char chap_id, const char *secret, int s
 	sha1_final(&ctx, digest);
 }
+/*
+ * To generate challenge for CHAP, use stronger random number generator as
+ * opposed to simple rand().
+ */
+static int chap_rand(void)
+{
+	int fd;
+	int r;
+	fd = open("/dev/urandom", O_RDONLY);
+	assert(fd != -1);
+	(void)read(fd, &r, sizeof(r));
+	close(fd);
+	return r;
+}
+
 static int chap_initiator_auth_create_challenge(struct connection *conn)
 {
 	char *value, *p;
@@ -366,7 +383,7 @@ static int chap_initiator_auth_create_challenge(struct connection *conn)
 	 * wise, or should we rather always use the max. allowed length of
 	 * 1024 for the (unencoded) challenge?
 	 */
-	conn->auth.chap.challenge_size = (rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;
+	conn->auth.chap.challenge_size = (chap_rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;
 	conn->auth.chap.challenge = malloc(conn->auth.chap.challenge_size);
 	if (!conn->auth.chap.challenge)
@@ -376,7 +393,7 @@ static int chap_initiator_auth_create_challenge(struct connection *conn)
 	strcpy(p, "0x");
 	p += 2;
 	for (i = 0; i < conn->auth.chap.challenge_size; i++) {
-		conn->auth.chap.challenge[i] = rand();
+		conn->auth.chap.challenge[i] = chap_rand();
 		sprintf(p, "%.2hhx", conn->auth.chap.challenge[i]);
 		p += 2;
 	}
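Review bot: chap_rand() can return a negative int, which rand() never does, so the caller's `(chap_rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2` in the next hunk now ranges down to 1 and can hand out a one-byte CHAP challenge instead of the intended half-to-full range. The error handling in chap_rand() is also weaker than it looks: `assert(fd != -1)` disappears under NDEBUG, and `(void)read(fd, &r, sizeof(r))` ignores a failed or short read, in both cases returning the uninitialized `r` as "random" challenge material. Returning an unsigned value and refusing to continue when /dev/urandom cannot be opened or read fixes both; an authenticator should fail closed rather than fall back to stack garbage. The helper's only callers are in this file, so the return-type change is local.
```c
static unsigned int chap_rand(void)
{
	unsigned int r;
	ssize_t n;
	int fd;

	fd = open("/dev/urandom", O_RDONLY);
	if (fd == -1)
		abort();	/* no safe fallback for CHAP challenge material */
	n = read(fd, &r, sizeof(r));
	close(fd);
	if (n != (ssize_t)sizeof(r))
		abort();
	return r;
}
```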
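Review bot: The loop `conn->auth.chap.challenge[i] = chap_rand();` now opens, reads and closes /dev/urandom once per challenge byte, i.e. roughly three syscalls for each of up to CHAP_CHALLENGE_MAX bytes on every CHAP negotiation, where rand() was a library call. Reading the whole `challenge_size` buffer from /dev/urandom in one read (looping on short reads and failing the negotiation on error) before the hex-encoding loop would be both cheaper and easier to check for failure than per-byte calls. The enclosing chap_initiator_auth_create_challenge() begins and ends outside this hunk, so where the buffer is filled relative to the existing allocation check is for the author to place.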