I hear what you're saying, and I totally agree. The problem with using RAND_screen() is that the app I'm writing is a server. So it may be running on a box hidden away in some closet, and may not even have a monitor attached to it. So there may not be any user interaction at all, in which case, this may not provide very much entropy. But I hear what you're saying. Thanks.
Ed --- "Stephen G. Schoggen" <[EMAIL PROTECTED]> wrote: > Hi Ed, > > Knowing very little about any of this cryptography > stuff, I have no > idea what value of nBytes is enough. I think the > wisdom, though, is > that it depends upon your situation. From what I've > read, the whole > purpose of cryptography is to make it too difficult > for an attacker > to succeed with an attack. Obviously, how much > effort you have to > make to thwart an attack depends to a significant > degree upon how > much effort the attacker is willing to make. That > would depend upon > how valuable the information is, etc. In my > particular application > of SSL, I don't think the information being > transferred is terribly > sensitive. So I just chose to use RAND_screen() on > Windows to seed > the PRNG. Although Viega, et. al., page 99 (Network > Security with > OpenSSL, O'Reilly), makes it clear that he thinks > RAND_screen() is a > poor choice at best, it is described as using a hash > of the current > screen scan-lines for entropy. I'm no math wiz, but > it's hard for me > to see how any attacker could determine what the > results of that are, > regardless of effort. Perhaps if the attacker can > see the screen... > > I conclude that with cryptography, as with other > things in life, we > all just have to decide when enough is enough and > move on. > > Steve > > > >Not exactly open source, but > >http://www.intel.com/design/security/rng/rng-capi.htm > "Accessing the Intel® > >Random Number Generator through a CSP for > Microsoft* CryptoAPI" describes > >how to access the Intel *hardware* RNG. Might be > of some use to you on > >Windows platforms. (I believe some *NIXs use the > same hardware to populate > >/dev/random when on Intel platforms.) > > > > > > > > > > > > > > Edward > >Chan > > > > <[EMAIL PROTECTED]> > To: > >[EMAIL PROTECTED] > > > Sent by: > >cc: > > > owner-openssl-users@ > Subject: Re: > >anybody using > >EGADS? > > > > >openssl.org > > > > > > > > > > > > > > > > 10/22/2002 01:13 > >PM > > > Please respond > >to > > > > >openssl-users > > > > > > > > > > > > > > > > > > > > > > > >Hi Stephen, > > > >Thanks for the reply. You're absolutely right. It > >does appear that I am not blocked indefinitely...it > >certainly does take a while to gather entropy. I > was > >using nBytes = 1024. Then I tried 512. Still very > >long time. > > > >Any suggestions on what a number should be for > >acceptable randomness? > > > >Does anybody have any alternative suggestions? > Does > >anybody know how Apache seeds the OpenSSL PRNG on > >Windows? I think Apache uses OpenSSL don't they? > > > >Thanks, > >Ed > > > >--- "Stephen G. Schoggen" > <[EMAIL PROTECTED]> > >wrote: > >> Ed, > >> > >> I tried EGADS on Windows (PIII 866) and found > that > >> it's time to > >> 'gather entropy' was noticeable beyond nBytes=4. > So > >> if you use a > >> relatively large nBytes, then it would appear to > >> block. > >> > >> Steve > >> > >> > >> >Hi there, > >> > > >> >Is anybody using EGADS on Windows? I'm having > a > >> >problem using it. I've downloaded the source > and > >> >built everything. The egads service is > running. > >> I've > >> >written a program that links with egads.dll. I > >> have a > >> >function that tries to see the OpenSSL PRNG : > >> > > >> >bool seedPRNG(int nBytes) > >> >{ > >> > prngctx_t ctx; > >> > int nError; > >> > > >> > egads_init(&ctx, 0, 0, &nError); > >> > if (nError != 0) > >> > { > >> > > DEBUG_TRACE1(_T("egads_init() failed : %d (Is > >> egads > >> >service running???)"), nError); > >> > return false; > >> > } > >> > > >> > char* pBuf = new char[nBytes + 1]; > >> > egads_entropy(&ctx, pBuf, nBytes, > &nError); > >> > bool bOK = (0 == nError); > >> > if (bOK) > >> > { > >> > RAND_seed(pBuf, nBytes); > >> > } > >> > delete [] pBuf; > >> > > >> > egads_destroy(&ctx); > >> > return bOK; > >> >} > >> > > >> >However, I seem to be blocking inside > (presumably > >> as > >> >egads gathers entropy), but it seems like I > never > >> >unblock. Can anybody tell me what I'm doing > wrong? > >> > > >> >Thanks, > >> >Ed > >> > > >> > >__________________________________________________ > >> >Do you Yahoo!? > >> >Y! Web Hosting - Let the expert host your web > site > >> >http://webhosting.yahoo.com/ > >> > >>______________________________________________________________________ > >> >OpenSSL Project > >> http://www.openssl.org > >> >User Support Mailing List > >> [EMAIL PROTECTED] > >> >Automated List Manager > >> [EMAIL PROTECTED] > >> > >> > >______________________________________________________________________ > >> OpenSSL Project > >> http://www.openssl.org > >> User Support Mailing List > >> [EMAIL PROTECTED] > >> Automated List Manager > >[EMAIL PROTECTED] > > > > > >__________________________________________________ > >Do you Yahoo!? > >Y! Web Hosting - Let the expert host your web site > >http://webhosting.yahoo.com/ > >______________________________________________________________________ > >OpenSSL Project > http://www.openssl.org > >User Support Mailing List > [EMAIL PROTECTED] > >Automated List Manager > [EMAIL PROTECTED] > > > > > > > > > >______________________________________________________________________ > >OpenSSL Project > http://www.openssl.org > >User Support Mailing List > [EMAIL PROTECTED] > >Automated List Manager > [EMAIL PROTECTED] > > ______________________________________________________________________ > OpenSSL Project > http://www.openssl.org > User Support Mailing List > [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __________________________________________________ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
