Seems like a good approach. But I haven't tried it. I thought for "crypto quality" random numbers you had to feed results through AES so that a secret counter feeding AES would be reasonable. ...or something trying to be both like http://www.pcg-random.org/
Thanks for the link. There are a number of key gen installations with low entropy. -Rick On Sat, Mar 7, 2015 at 1:49 PM, Robert Martin-Legene <rob...@pch.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > For you Scandinavians; no, it's not an animal for mowing your lawn. > > Does anyone have experiences using haveged for PRNG? When generating > DNSSEC keys on a virtual server is takes a looong time to get > randomness. I found an article [1] about haveged and decided to try it > out - there are also some tests at the end of the article. > > Basically haveged fills the entropy pool by running different programs > and seeing how long it takes to run them, claiming that's random enough. > > > # "flush" out /dev/random > robert@lux:~/projects/dns/keys$ time dd < /dev/random > /dev/null > ^C > 0+98029 records in > 24507+0 records out > 12547584 bytes (13 MB) copied, 4,7777 s, 2,6 MB/s > > > real 0m4.780s > user 0m0.044s > sys 0m3.424s > > > # create 4K KSK > robert@lux:~/projects/dns/keys$ time /usr/sbin/dnssec-keygen -f KSK -a > NSEC3RSASHA1 -b 4096 -n ZONE example.com > Generating key > > pair........................................................................................................................................................................................................................................................................................................................................................................................................++ > ................................++ > Kexample.com.+007+64218 > > real 0m3.922s > user 0m3.776s > sys 0m0.096s > > > 4 seconds for a 4K key is very impressive performance for a virtual > server. > > One thing that makes me wonder though is, when I do "cat < /dev/random > > /dev/null" I see cat taking 73% CPU and haveged 26%. I would at > least have expected haveged to use the same CPU as cat. 
> > > > [1] > > https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged > > > - -- > Robert Martin-Legene > Internet Infrastructure Specialist > Packet Clearing House > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBAgAGBQJU+3JjAAoJEM82zYyXDYSwuGsP/0REVRrSZbXQ3i5H4T8eLGvn > fmhILq2uaFUm1CaWjxSPVeFK/RHtl6s9A43RwJa718F1CCi3nUtlEmHCSi5MomHe > oZQEbx4qnyYCv9895Uh0OJsrAddcTP4GOS1n60Zto1LNpePBY3V3K48d1nCAvMC7 > y04jNouKW1rz3B/tU6iYqgZGRT/8zdn0tT2ujG65oVTz0nBN6suc5jjZTGR5rtgR > CUBgQ5DaLQUZmAKwuuPklXW1m6/468x/JYGhQ1HFIDQ98arN0z5XPHGcC1mELJcr > SeLgT5uCekGNnVx+BoxMghw36Nesk2z3fuwQjxhWV08jZx04bRShR4uTuiLOeTq0 > Z84/AlOe98Vj52TgaqTqoys4+77MZ7WakIfC7Ih+BMwHRddMRolQGsBhGe0/E3Dt > hBP4tWSMIAfClZhobO2Noj2KWBdQexmuHYZi57Gremz4ZjJEaEaEtzf+L7SfulTr > cFzC8uTv97RNJIj6MnUNnNHiPhCcB9zOVqh6izeVXFSfOKU5rnXX4+3eYv+jtxz6 > PswTEgWZms1u9p5AI3CxuX9F9ED49U9LVb/+pkXaYw7XMzhuVAK8FFNtcDIcvRsQ > UcSurB/0blit4VUxz3jY6Xw6+JBVz2AxnyADrSv6R0elvtT35HQE7yN/rtc9DLPt > tI3PELxAVMNxOtESDmsw > =wLfd > -----END PGP SIGNATURE----- > >
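
A rough way to sanity-check the "timing is random enough" claim quoted above, as an added example that is not part of the original thread and is not haveged's algorithm: it times a fixed loop and applies the most-common-value min-entropy estimate from NIST SP 800-90B to the low bits of the timings. The function names, loop size and sample data are assumptions made for illustration.

```python
import math
import time
from collections import Counter


def timing_deltas(n, work=200):
    """Time a fixed busy loop n times (ns); the variation is CPU timing jitter."""
    out = []
    for _ in range(n):
        t0 = time.perf_counter_ns()
        x = 0
        for i in range(work):
            x ^= i * i
        out.append(time.perf_counter_ns() - t0)
    return out


def low_bits(samples, bits=4):
    """Keep only the fastest-changing bits of each delta, where jitter shows up."""
    mask = (1 << bits) - 1
    return [s & mask for s in samples]


def mcv_min_entropy(samples):
    """Most-common-value estimate (SP 800-90B, 6.3.1): min-entropy bits per sample."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    # Upper end of a 99% confidence interval on the most likely value's probability.
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


# Constructed sample inputs: a stuck source and an evenly spread 4-bit source.
STUCK = [1234] * 1000
UNIFORM16 = [i % 16 for i in range(1600)]

if __name__ == "__main__":
    print("stuck source    :", mcv_min_entropy(STUCK))
    print("uniform 4-bit   :", round(mcv_min_entropy(UNIFORM16), 3))
    live = low_bits(timing_deltas(5000))
    print("this host, 4 LSB:", round(mcv_min_entropy(live), 3))
```

A low figure on a virtual machine points to a coarse or emulated clock; a high figure only bounds how often the most common value occurs and does not show that the timings are unpredictable to an attacker.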