
BLU Discuss list archive



[Discuss] The RSA Keying links



On Thu, Feb 16, 2012 at 01:15:59PM -0500, Edward Ned Harvey wrote:
> Here's how openssl works:  It seeds from the RANDFILE, and then it uses its
> own internal prng stream cipher.  And every time it runs, it will overwrite
> the RANDFILE with a new seed for next time.  So to ensure good random
> numbers in openssl, all you need to do is any variation of the following:

This is a very incomplete description of how it works, and note
especially that it tries to use /dev/urandom and /dev/random by
default, and that $RANDFILE is only used by OpenSSL command line tools;
other programs which use the OpenSSL libraries must provide their own
means of specifying the source of randomness.  See:

  http://www.openssl.org/support/faq.cgi#USER1

> Personally, I'm inclined to export RANDFILE=/dev/random, because it
> eliminates the possibility you accidentally looked in the wrong openssl.cnf,

This should not be possible unless your openssl is installed manually
and the sysadmin screwed up, or you somehow told it manually to look
at the wrong file...  Don't do that. :)

> and it eliminates the possibility of someone discovering your seed by
> reading your ~/.rnd file.

The .rnd file is created with 600 perms in your home directory (or
whatever $RANDFILE is set to).  No one but you can read it, ever,
unless your system is compromised.  If that's the case, you've got
much bigger trouble.  And again, this file is only used by the openssl
command line tools, so it may be irrelevant to the average user.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.
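
An added example, not part of the original post: a shell check of the seed file discussed above, verifying that whatever `$RANDFILE` (or `~/.rnd`) resolves to is a regular file owned by the current user with owner-only permissions. The function name `audit_randfile` and its verdict strings are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the seed file the openssl command line tools would use.
# Function name and verdict strings are constructed for illustration.

# audit_randfile [PATH] -> prints a verdict; returns 0 only for "ok".
# With no PATH it falls back to $RANDFILE, then $HOME/.rnd.
audit_randfile() {
    f=${1:-${RANDFILE:-$HOME/.rnd}}

    # Check for a symlink first: -e and -f would silently follow it.
    if [ -L "$f" ]; then echo "symlink"; return 1; fi
    if [ ! -e "$f" ]; then echo "missing"; return 1; fi
    # A device node (e.g. RANDFILE=/dev/random) is not a stored seed file,
    # so the 600-permission argument does not apply to it.
    if [ ! -f "$f" ]; then echo "not-regular"; return 1; fi

    # "uid mode" via GNU stat, falling back to BSD/macOS stat.
    meta=$(stat -c '%u %a' "$f" 2>/dev/null || stat -f '%u %Lp' "$f")
    owner=${meta% *}
    mode=${meta#* }

    if [ "$owner" != "$(id -u)" ]; then echo "foreign-owner:$owner"; return 1; fi
    case $mode in
        600|400) echo "ok"; return 0 ;;
        *)       echo "loose-perms:$mode"; return 1 ;;
    esac
}

# Demo on constructed files: run this script with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    : > "$d/rnd"; chmod 644 "$d/rnd"
    audit_randfile "$d/rnd" || true      # loose-perms:644
    chmod 600 "$d/rnd"
    audit_randfile "$d/rnd"              # ok
    rm -rf "$d"
fi
```
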



