CJ Holmes wrote:
>
> >
> >> Eh? You can already point OpenSSL at a file and tell it to read bytes.
> >> What's the problem?
> >
> >Ben, I am talking about functionality beyond pointing OpenSSL at a file.
> >OpenSSL ought to include the code to generate that file using a sound
> >card or other device/scheme, and ought to trigger refreshing the file
> >automatically at certain intervals depending on usage. Wouldn't you
> >agree?
>
> Well, not everyone *has* a sound card, and of those who do, not everyone has
> the *same* sound card. So hardware-dependent code in OpenSSL might not be
> such a great idea because it isn't portable.
>
> Having said that, I think the basic point is a good one. Currently OpenSSL
> uses time(NULL) at various points to add "entropy" to the PRNG. For *nix
> systems there's a couple of instances of using inode data as seed as well.
> This data was then severely hashed and mixed and hashed again. Then the SSL
> PRNG gets the same data and remixes/rehashes it all again.
>
> I would certainly like to see more thought put into the seed generation -
> but for reasons of portability I think this isn't as easy as it sounds.
> Different OSes and hardware provide different opportunities for "noise".
> But the hooks are there to grab any source of entropy you deem fit and add
> them to the RNG.
Exactly. The fundamental point that OpenSSL should have a pool of
entropy which it attempts to fill with an appropriate amount of the
stuff at appropriate moments is a good one. Not sure how easy it is to
do, though.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
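
The pool discussed in this thread, with a running entropy estimate and a usage-triggered refresh, sketched in Python as an added example (not OpenSSL code and not from either poster). `EntropyPool`, its thresholds and the bit credits given to each source are assumptions made for illustration, and SHA-256 stands in for OpenSSL's own mixing.

```python
import hashlib
import os
import time


class EntropyPool:
    """Hash-based pool with a conservative entropy estimate, in bits."""

    def __init__(self, min_bits=256, reseed_after=1 << 20):
        self.state = bytes(32)
        self.est_bits = 0.0               # entropy credited since last refresh
        self.min_bits = min_bits          # no output below this estimate
        self.reseed_after = reseed_after  # output bytes allowed per seeding
        self.bytes_out = 0

    def add(self, data, est_bits):
        """Mix data in; est_bits is the caller's claim, capped at 8 bits/byte."""
        est_bits = max(0.0, min(float(est_bits), 8.0 * len(data)))
        header = b"mix" + len(data).to_bytes(4, "big")
        self.state = hashlib.sha256(header + self.state + data).digest()
        self.est_bits = min(256.0, self.est_bits + est_bits)  # state is 256 bits

    def needs_seed(self):
        return self.est_bits < self.min_bits

    def read(self, n):
        if self.needs_seed():
            raise RuntimeError("entropy pool below threshold")
        out = b""
        for i in range((n + 31) // 32):
            out += hashlib.sha256(b"out" + self.state + i.to_bytes(8, "big")).digest()
        # Ratchet so a later state compromise does not expose earlier output.
        self.state = hashlib.sha256(b"next" + self.state).digest()
        self.bytes_out += n
        if self.bytes_out >= self.reseed_after:   # usage-triggered refresh
            self.est_bits, self.bytes_out = 0.0, 0
        return out[:n]


def demo():
    pool = EntropyPool()
    # Sources named in the thread; the bit credits are assumed, low guesses.
    pool.add(int(time.time()).to_bytes(8, "big"), est_bits=4)
    st = os.stat(".")
    pool.add(repr((st.st_ino, st.st_mtime)).encode(), est_bits=2)
    seeded_by_weak = not pool.needs_seed()   # hashing adds no entropy
    pool.add(os.urandom(32), est_bits=256)   # OS source, credited in full
    return seeded_by_weak, pool.read(16)
```

The estimate, not the amount of hashing, decides whether the pool may produce output: the timestamp and inode data are mixed in but credited only a few bits, so the pool stays locked until a stronger source is added.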