> 1. When using OpenSSL for signing data, and for SSL sessions > (both client side and server side), should I use the /dev/random instead?
IMO, if you're using the random data just to seed a PRNG, there is no rational reason to insist on using /dev/random instead of /dev/urandom. The only argument would be that if you're on a system that has no entropy, you might prefer to fail rather than work with random data that has a theoretical vulnerability. > 2. If I should use /dev/random; Is it OK to initialize a file one > time from /dev/random and then when I start my application I would > load it from that file, and when I finish I will write my random > status back to that file? Is this a truly strong good random? That, if it's done correctly, can help. I would recommend two changes in your approach: 1) Don't consider the data in the file to be your starting state. Just consider it some extra random information to help you. 2) Don't write your state out to the file, just write some random data to the file. > 3. How much bytes should I load from the random file? 256 bytes is enough. 1Kb is overkill. I've seen military applications that use 4Kb. > 4. Do I need to load it again once in a while, or is it enough > to load it once, even if my system runs for a long time before > restarting (weeks)? Theoretically, it is enough to load it once. If you're worried about long-term predictability, loading the same data gain won't help. What you should do is add in data that an attacker can't predict that you encounter while you are running. With a good PRNG, and I'm pretty sure OpenSSL's falls into this category, once you're properly seeded, you can never make things worse by adding additional seed data, even if an attacker knows its contents. IMO, the best data to mix in is precise timing information. For example, on an x86, you can timestamp network data with nanosecond accuracy. No attacker can predict that consistently. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]