> > I do not actually believe that a one time 30 second delay > during process > initialization is inappropriate for a security application. In the > discussions that are being held with regards to the use of AES in > conjunction with Kerberos there is a belief that 30 seconds should be > the minimum amount of time taken to perform the crypto operations for > processing a password to key operation. This is to ensure > that there is > not the opportunity for offline dictionary attacks on passwords.
that's fine for that particular application. I don't believe the ssl library should enforce such excessive requirements on applications seeing that it has no knowledge of what the application is doing or what level of trust/privacy it requires. I don't have a problem with a library providing strong methods of generating entropy but forcing every application to endure a 30 second delay is excessive. > > The 30 second delay for random key data initialization does > not have to > be a blocking operation for the initialization of the > application. It > can be done in parallel to other operations your app requires > unless the > first thing that is performed are SSL/TLS operations. And if it is, like mine was, then your application just sits there looking hung to the user. Which means it's a PITA and doesn't get used. > > I also wonder what it is that your application is doing at > initialization time that results in a heap size of greater > than several well, it's a bit more complicated than that. all the heaps of all the processes are walked. They don't have to be big, just lots of them. Which is why this isn't a problem on some systems running few processes or with small heap list lengths and is a big problem on others systems (desktops of power users, for example). My Solution... I hacked the code to get rid of the heap walk and just used the entropy from the process, thread and module walk. My application didn't need that paranoid a level of security. But personally, I think these methods should be exposed openssl library calls that the application can pick and choose. -lee ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
