Re: entropy + openSSL question

From: Brian Hatch (focus-linux@ifokr.org)
Date: 02/20/03

  • Next message: focus-linux: "Fw: goldfish"
    Date: Wed, 19 Feb 2003 15:41:35 -0800
    From: Brian Hatch <focus-linux@ifokr.org>
    To: focus-linux@securityfocus.com
    
    
    

    > > Then... I start again with my first question. there?s a good way to
    > > generate entropy??? [Suppose that the machine who generates the key will
    > > not have much interrupts because anybody are in front of the keyboard to
    > > generate it]
    >
    > Robert M Love has put together some patches for the Linux kernel to add
    > network interfaces to the device drivers that generate entropy for the
    > random pool: http://www.tech9.net/rml/linux/ Note that this is of
    > debatable value; since network traffic may be seen or even controlled by
    > attackers, it may or may not add real entropy to the pool. You need to
    > decide for yourself if this is a concern.

    I believe[0] you can write to /dev/random and /dev/urandam to increase the
    entropy contained in them. Of course, you should only write data that
    is of equivalent entropy to them. Sending non-random data to /dev/random
    defeats the purpose entirely.

    One option is to take data from an external random source, such as
    hotbits[1] or lavarnd[2] when it goes back online.

    [0] I have heard this, but have not verified this myself through an
        actual code review.

    [1] http://www.fourmilab.ch/hotbits/

    [2] http://www.lavarnd.org/

    --
    Brian Hatch                  We waste time so
       Systems and                you don't have to.
       Security Engineer
    www.hackinglinuxexposed.com
    Every message PGP signed