Re: entropy + openSSL question

From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/20/03

  • Next message: focus-linux: "Fw: goldfish"
    Date: Wed, 19 Feb 2003 15:41:35 -0800
    From: Brian Hatch <focus-linux@ifokr.org>
    To: focus-linux@securityfocus.com
    
    
    

    > > Then... I start again with my first question. there?s a good way to
    > > generate entropy??? [Suppose that the machine who generates the key will
    > > not have much interrupts because anybody are in front of the keyboard to
    > > generate it]
    >
    > Robert M Love has put together some patches for the Linux kernel to add
    > network interfaces to the device drivers that generate entropy for the
    > random pool: http://www.tech9.net/rml/linux/ Note that this is of
    > debatable value; since network traffic may be seen or even controlled by
    > attackers, it may or may not add real entropy to the pool. You need to
    > decide for yourself if this is a concern.

    I believe[0] you can write to /dev/random and /dev/urandam to increase the
    entropy contained in them. Of course, you should only write data that
    is of equivalent entropy to them. Sending non-random data to /dev/random
    defeats the purpose entirely.

    One option is to take data from an external random source, such as
    hotbits[1] or lavarnd[2] when it goes back online.

    [0] I have heard this, but have not verified this myself through an
        actual code review.

    [1] http://www.fourmilab.ch/hotbits/

    [2] http://www.lavarnd.org/

    --
    Brian Hatch                  We waste time so
       Systems and                you don't have to.
       Security Engineer
    www.hackinglinuxexposed.com
    Every message PGP signed
    
    




    Relevant Pages

    • Re: entropy + openSSL question
      ... > generate a key with 2048 bits length when entropy is out?? ... /dev/urandom on linux and openbsd will not block; ... versions of what is in the entropy pool. ... network interfaces to the device drivers that generate entropy for the ...
      (Focus-Linux)
    • Re: [PATCH] Let DAC960 supply entropy to random pool
      ... DAC960 block device driver). ... entropy to the random pool, so it was impossible to get any data from ... the proper path for disks to add entropy. ... more than an hour (with heavy disk activity) before applying the ...
      (Linux-Kernel)
    • Re: [PATCH] Let DAC960 supply entropy to random pool
      ... DAC960 block device driver). ... entropy to the random pool, so it was impossible to get any data from ... the proper path for disks to add entropy. ... Add disk entropy in DAC960 request completions. ...
      (Linux-Kernel)