Hi Mike (and all). Thanks for the info. I understand the implications of storing the randomized data to storage and precautions would be taken to air-gap this info from the outside world.
> If not, you can use the TRNG for all newly issued certificates moving forward. Can you pease syntax? I have googled but I’m unclear if this would be with -rand flag, or setting the RANDFILE variable, or something else. Provided the randomized numbers are in a binary file, can you advise how to use this file for the generation of future keys/certs from the existing CA. Thank you > On Sep 3, 2015, at 2:23 AM, Mike Mohr <akih...@gmail.com> wrote: > > Once you've written the random data to secondary storage you've permanently > compromised the integrity of any cryptographic secrets generated from it. > Depending on your threat model, underlying storage media, filesystem, and > other factors the data files may be recoverable indefinitely (especially if > you're using solid-state disks, due to their internal wear-leveling > algorithms). Don't do that. > > The cryptographic secrets contained in your existing CA infrastructure were > presumably generated using some sort of PRNG, so you'd have to regenerate > them if you think the PRNG was somehow compromised. If not, you can use the > TRNG for all newly issued certificates moving forward. However, I'd suggest > not using one of the proprietary devices which are encased in epoxy ... you > have no way to verify that they're doing what they say they are. The data > quality coming out of those is fairly suspect in my mind (despite any > positive results from e.g. dieharder, etc). > > On Wed, Sep 2, 2015 at 9:53 PM, Kevin Long <kevinlong...@gmail.com > <mailto:kevinlong...@gmail.com>> wrote: > > > Hello, > > I’m using openssl to administer a root/intermediate CA and I use the > certificates for a number of web servers and other applications. All of my > users install my root CA certificate for trust. > > I’ve been asked to use a hardware random number generator to create the > keys/certificates going forward. I have a hardware RNG, and have created > several files of random numbers using it, and I would like to know: > > 1) Can I specify my random numbers file to create keys/certificates from my > CA (openssl command line, mac or linux) > > 2) Will this actually do any good, security wise, given how openssl > certs/keys “work”. My users and superiors are concerned with backdoors in > PRNGs and RNG predictabilities. > > 3) If I can indeed use my own random numbers, does this mean I have to start > my CA from scratch to take advantage of any benefit using “true” random > numbers from my hardware RNG? or would simply using my RN’s for the > generation of keys for new certificates going forward allow for the benefit > the true randomness gives. > > Thank you. > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > <https://mta.openssl.org/mailman/listinfo/openssl-users> > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
