9.20 Cryptographically secure pseudo-random numbers
AIX 5L Version 5.2 now supports a cryptographically secure pseudo-random number generator (PRNG). Random numbers are extremely important for any sort of cryptographic application. Random numbers are used to generate session keys, salts used for hashed passwords, and initializing public key certificates. If the generated random numbers are easily predictable, any application using those insecure numbers is also insecure. No algorithm or protocol can fix problems with random number generation.
The PRNG on Version 5.2 is based on the Yarrow engine and collects entropy from the running system and feeds an entropy pool to seed a PRNG. The entropy gathering process selects three hardware devices upon startup, such as SSA, Ethernet, and SCSI adapters. The entropy-gathering daemon detects hardware interrupts or network packets and determines the times between two events. These timings are then put into the entropy pool.
The API for accessing the PRNG is quite simple. An application just has to open the /dev/random or /dev/urandom file and read the required number of bytes of the special device. The /dev/random and /dev/urandom have different behaviors when the pool of entropy is exhausted or requires reseeding. The /dev/random device will have the reading application block until more entropy is gathered. The /dev/urandom device will behave the same as /dev/random, but when entropy is exhausted it will fall back and generate entropy using a software algorithm. The level of randomness of the numbers generated by the software algorithm is not as high as the entropy gathered from the running system.
The PRNG automatically keeps the entropy pools replenished and reseeds it occasionally. When the entropy pool is half empty, the entropy gatherer will intercept the hardware interrupts and network packets until the entropy is replenished. There is a slight performance penalty while entropy is being gathered. When the pools are full, the entropy-gathering process goes idle and no longer affects machine performance.
For more information on the Yarrow engine, refer to the Counterpane Labs home page at the following URL:
http://www.counterpane.com/yarrow.html
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Spence
Sent: Wednesday, July 20, 2005 12:38 PM
To: openssl-users@openssl.org
Subject: RE: OpenSSL 0.9.8 with AIX 5.2
[EMAIL PROTECTED] wrote:
Use EGD (Entropy Gathering Daemon) on AIX 5.1 and below...
HTH,
Lamar
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Spence
Sent: Wednesday, July 20, 2005 10:42 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL 0.9.8 with AIX 5.2
I kept researching why it stopped at aix_ppc32.o aix_ppc32.s... Now I found the problem... My AIX 5.1 doesn't have /dev/random and /dev/urandom!!! So where can I get /dev/random and /dev/urandom? Or how can I install them? I appreciate your help. Thanks.
Tom
Tom Spence <[EMAIL PROTECTED]> wrote:
Exactly!!! That's why I can't use OpenSSL 0.9.8, so I have to stay with 0.9.7g for now. But I don't understand this one... I have 21 servers... Only one server (AIX 5.2 with GCC) accepted with OpenSSL 0.9.8 but 20 servers can't... Isn't it strange? :-(
Tom
Jacques Lebastard <[EMAIL PROTECTED]> wrote:
Tom Spence wrote:
> Hello,
>
> I have a very small problem but it won't run... Please help me...
> Here is what I got:
>
> # ./Configure aix-gcc
> .... (no problem)
> # make
> ....
> gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_THREAD_SAFE
> -DDSO_DLFCN -DHAVE_DLFCN_H -O -DB_ENDIAN -c -o aix_ppc32.o aix_ppc32.s
> (It stops right there forever)
>
> Any idea??? I appreciate your help. Thanks.
I could not find a way to successfully build OpenSSL (at least from
version 0.9.7g) without using IBM's C/C++ compiler :-(
--
Mr. Jacques LEBASTARD mailto:[EMAIL PROTECTED]
EVIDIAN S.A. www.evidian.com
Rue Jean Jaurès Tel: +33 1 30 80 77 86
F-78340 LES CLAYES SOUS BOIS Fax: +33 1 30 80 77 99
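The documentation excerpt at the top of this thread describes the API as opening /dev/random or /dev/urandom and reading the required number of bytes. The following C sketch of that read is an added example, not code from IBM, OpenSSL, or any poster in the thread; the function name `read_random_bytes` and its return codes are hypothetical. It reports a missing device (the AIX 5.1 case raised in the thread) as a distinct error and never returns a partially filled buffer.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical return codes for this example. */
enum { RND_OK = 0, RND_NO_DEVICE = -1, RND_NOT_CHARDEV = -2, RND_READ_FAILED = -3 };

/* Fill buf with len bytes from the device at path (e.g. "/dev/urandom"). */
int read_random_bytes(const char *path, unsigned char *buf, size_t len)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return RND_NO_DEVICE;      /* e.g. ENOENT where the device does not exist */

    /* Refuse anything that is not a character device, such as a regular
       file that was created at the expected path. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return RND_NOT_CHARDEV;
    }

    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;      /* short reads are normal; keep reading */
        } else if (n < 0 && errno == EINTR) {
            continue;              /* interrupted by a signal; retry */
        } else {
            close(fd);             /* EOF or hard error: no partial key material */
            return RND_READ_FAILED;
        }
    }
    close(fd);
    return RND_OK;
}

int main(void)
{
    unsigned char key[32];         /* e.g. a 256-bit session key */
    return read_random_bytes("/dev/urandom", key, sizeof key) == RND_OK ? 0 : 1;
}
```

A caller should treat any non-zero return as fatal for key generation rather than falling back to a weaker source such as the time or process ID.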