> 1. When using OpenSSL for signing data, and for SSL sessions
> (both client side and server side), should I use the /dev/random instead?

        IMO, if you're using the random data just to seed a PRNG, there is no
rational reason to insist on using /dev/random instead of /dev/urandom. The
only argument would be that if you're on a system that has no entropy, you
might prefer to fail rather than work with random data that has a
theoretical vulnerability.

> 2. If I should use /dev/random; Is it OK to initialize a file one
> time from /dev/random and then when I start my application I would
> load it from that file, and when I finish I will write my random
> status back to that file? Is this a truly strong good random?

        That, if it's done correctly, can help. I would recommend two changes in
your approach:

        1) Don't consider the data in the file to be your starting state. Just
consider it some extra random information to help you.

        2) Don't write your state out to the file, just write some random data
to the file.

> 3. How many bytes should I load from the random file?

        256 bytes is enough. 1Kb is overkill. I've seen military applications
that use 4Kb.

> 4. Do I need to load it again once in a while, or is it enough
> to load it once, even if my system runs for a long time before
> restarting (weeks)?

        Theoretically, it is enough to load it once. If you're worried about
long-term predictability, loading the same data again won't help. What you
should do is add in data that an attacker can't predict that you encounter
while you are running.

        With a good PRNG, and I'm pretty sure OpenSSL's falls into this
category, once you're properly seeded, you can never make things worse by
adding additional seed data, even if an attacker knows its contents.

        IMO, the best data to mix in is precise timing information. For
example, on an x86, you can timestamp network data with nanosecond accuracy.
No attacker can predict that consistently.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
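
The seed-file handling recommended in the reply above, as an added example that is not part of the original message or of OpenSSL's own code. It reaches OpenSSL's PRNG through Python's ssl module (RAND_add, RAND_status, RAND_bytes); the function names and the app.rnd path are hypothetical.

```python
import os
import ssl
import tempfile
import time

SEED_BYTES = 256  # the size the reply calls enough


def load_seed_file(path):
    """Mix the file into OpenSSL's PRNG as extra input, not as its state."""
    try:
        with open(path, "rb") as f:
            data = f.read(SEED_BYTES)
    except FileNotFoundError:
        data = b""  # first run: rely on the OS seeding alone
    if data:
        ssl.RAND_add(data, 0.0)  # claim no entropy: the file is only a bonus
    if not ssl.RAND_status():
        raise RuntimeError("OpenSSL PRNG is not seeded")  # fail, don't guess
    return len(data)


def mix_timing():
    """Call on unpredictable events (e.g. packet arrival) while running."""
    stamp = time.perf_counter_ns().to_bytes(8, "little")
    ssl.RAND_add(stamp, 0.0)  # extra seed data cannot weaken a seeded PRNG
    return stamp


def save_seed_file(path):
    """Write fresh PRNG output, never internal state, for the next start."""
    fresh = ssl.RAND_bytes(SEED_BYTES)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # created readable by owner only
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(fresh)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic swap: no half-written seed file
    except BaseException:
        os.unlink(tmp)
        raise
    return len(fresh)


if __name__ == "__main__":
    seed_path = os.path.join(tempfile.mkdtemp(), "app.rnd")  # constructed path
    print("loaded", load_seed_file(seed_path), "bytes")
    mix_timing()
    print("saved", save_seed_file(seed_path), "bytes")
```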