Hardware random number generator
I would like to know your opinions on commercial hardware random number generators. Are they worth the money? How do they compare to the /dev/random device? Thnx. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Hardware random number generator
Wai Wu wrote: I would like to know your opinions on commercial hardware random number generators. Are they worth the money? How do they compare to the /dev/random device? Thnx. I've written extensively about this elsewhere. The devices are properly termed RBGs (random bit generators), and they produce very high quality, cryptographically useful random bit streams. The Intel chip on many Intel Mobos has been extensively analyzed by Paul Kocher and others. In summary, these are useful for stirring the entropy pool, but are generally have maximum bit rates that are well below what a busy server may need for random material, including ephemeral keys, nonces, padding, etc. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chipsets .
excellent source of random data available to you I thought consensus was that since it was a closed system, whiten it or use it as input to entropy. This is what OpenSSL does when you use RAND_screen(). It munges it up numerous items, including the PRNG, through a cryptographic hash (MD5 if I recall correctly). - Dale. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpemSSL Hardware Random Number Generator (RNG) for Intel Chipsets .
Did you know that many of the new Intel desktop and server chipsets have a built in Hardware Random Number generator? I did not until a while ago. If your computer uses the Intel 815 chipset, Intel 820 chipset, Intel 840 chipset, Intel 850 chipset, or Intel 860 chipset you have a excellent source of random data available to you. For those of you who use windows Intel provides a driver for CryptoAPI that exposes this Hardware Random Number Generator via CAPI. The driver can be found at http://developer.intel.com/design/software/drivers/platform/security.htm. On windows OpenSSL already uses the necessary CryptoAPI calls to take advantage of this device; take a look and have fun ;) Ryan It may roundly be asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve. -Edgar Allan Poe
Re: OpemSSL Hardware Random Number Generator (RNG) for Intel Chipsets .
excellent source of random data available to you I thought consensus was that since it was a closed system, whiten it or use it as input to entropy. /r$ -- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.
Rich -
I am not sure I understand what you are saying; currently rand_win.c
calles CryptGenRandom (CryptoAPI) and the INTEL_DEF_PROV to acquire input
to the entropy functions in OpenSSL.
/* poll the Pentium PRG with CryptoAPI */
if (acquire(hProvider, 0, INTEL_DEF_PROV, PROV_INTEL_SEC,
0))
{
if (gen(hProvider, sizeof(buf), buf) != 0)
{
RAND_add(buf, sizeof(buf), sizeof(buf));
#ifdef DEBUG
printf(randomness from PROV_INTEL_SEC\n);
#endif
}
release(hProvider, 0);
}
}
This seems like a logical way to do this so that the code across platforms
is consistent; what would be nice is a linux/*bsd interface to the Intel rng
device.
Rya
-Original Message-
From: Rich Salz [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 08, 2001 1:38 PM
To: Ryan Hurst
Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users
([EMAIL PROTECTED])
Subject: Re: OpemSSL Hardware Random Number Generator (RNG) for Intel
Chipsets .
excellent source of random data available to you
I thought consensus was that since it was a closed system, whiten it or
use it as input to entropy.
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.
I am not sure I understand what you are saying You called the intel h/w rng excellent. I believe consensus is we don't know. The code you showed does exactly the right thing: don't rely on the h/w RNG directly, but use it as an entropy source. /r$ -- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.
Granted; guess I should not have given such high praise to the quality/uniqueness of that this device produces since they do not provide information on its design nor state that it has been evaluated by any qualified independent reviewers. My assumption was and I guess still (to some degree) that the quality of input material available in a hardware based implementation is far superior to what is available to a software implementation (like egd.pl, etc.) At a minimum this driver/hardware essentially gives windows users a /dev/urandom which they have been missing. In either case I would still say its best to maintain the current implementations use of this device to allow for code conformity. I would like to see the FAQ updated to refer to this drivers/hardware existence. Ryan -Original Message- From: Rich Salz [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 08, 2001 7:36 PM To: Ryan Hurst Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users ([EMAIL PROTECTED]) Subject: Re: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets. I am not sure I understand what you are saying You called the intel h/w rng excellent. I believe consensus is we don't know. The code you showed does exactly the right thing: don't rely on the h/w RNG directly, but use it as an entropy source. /r$ -- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets.
I have just read the Intel technical brief covering the Intel hardware RNG device (ftp://download.intel.com/design/security/rng/techbrief.pdf) interesting read; although it and the accompanying documents (http://developer.intel.com/design/security/rng/rngppr.htm) still do not cover in detail and of the afore mentioned items. Ryan -Original Message- From: Ryan Hurst [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 08, 2001 7:42 PM To: 'Rich Salz' Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users ([EMAIL PROTECTED]) Subject: RE: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets. Granted; guess I should not have given such high praise to the quality/uniqueness of that this device produces since they do not provide information on its design nor state that it has been evaluated by any qualified independent reviewers. My assumption was and I guess still (to some degree) that the quality of input material available in a hardware based implementation is far superior to what is available to a software implementation (like egd.pl, etc.) At a minimum this driver/hardware essentially gives windows users a /dev/urandom which they have been missing. In either case I would still say its best to maintain the current implementations use of this device to allow for code conformity. I would like to see the FAQ updated to refer to this drivers/hardware existence. Ryan -Original Message- From: Rich Salz [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 08, 2001 7:36 PM To: Ryan Hurst Cc: Openssl-Dev ([EMAIL PROTECTED]); Openssl-Users ([EMAIL PROTECTED]) Subject: Re: OpemSSL Hardware Random Number Generator (RNG) for Intel Chip sets. I am not sure I understand what you are saying You called the intel h/w rng excellent. I believe consensus is we don't know. The code you showed does exactly the right thing: don't rely on the h/w RNG directly, but use it as an entropy source. /r$ -- Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption) http://www.zolera.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
