Using random number file

Hello!

I have a source of (more or less) true random numbers, which I get as binary files (1MB each). I want openssl to use these files as a random number source to generate keys and signing operations. How can this be done?

Regards,
Vandra Ákos

Re: Using random number file

Akos Vandra wrote:
> Hello!
>
> I have a source of (more or less) true random numbers, which I get as
> binary files (1MB each).
> I want openssl to use these files as a random number source to
> generate keys and signing operations. How can this be done?
>
> Regards,
> Vandra Ákos

Try using the RANDFILE= parameter in the configuration file http://www.openssl.org/docs/apps/config.html, though I don't know if this parameter is used by all commands.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

Re: Using random number file

As far as I understand, that file is used only to seed the internal PRNG, not to read numbers from there... Or am I wrong? (Also the docs say the file will be overwritten)

Regards,
Vandra Ákos

2009/7/3 Bernhard Froehlich <ted@...>
Akos Vandra wrote:

Re: Using random number file

On Fri July 3 2009, Akos Vandra wrote:
> As far as I understand, that file is used only to seed the internal PRNG,
> not to read numbers from there... Or am I wrong? (Also the docs say the file
> will be overwritten)
>

Yes to both.

This is intended to reduce the chance that the same random bit sequence will be used more than once.

Reading "random" numbers from a file is one way to defeat this protection. I.E: You don't know how many other people have read the same file.

There are types of cryptography based on the concept of a "one time pad" - but that does not seem to be what you are asking about in this post.

Mike

> Regards,
> Vandra Ákos
>
> 2009/7/3 Bernhard Froehlich <ted@...>
>
> > Akos Vandra wrote:
> >
> > Hello!
> >>
> >> I have a source of (more or less) true random numbers, which I get as
> >> binary files (1MB each).
> >> I want openssl to use these files as a random number source to generate
> >> keys and signing operations. How can this be done?
> >>
> >> Regards,
> >> Vandra Ákos
> >>
> > Try using the RANDFILE= parameter in the configuration file
> > http://www.openssl.org/docs/apps/config.html, though I don't know if this
> > parameter is used by all commands.
> >
> > Hope it helps.
> > Ted
> > ;)
> >
> > --
> > PGP Public Key Information
> > Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
> > Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: Using random number file

I see what the main misunderstanding is here.

If the numbers are read from the file with no precautions whatsoever, the same numbers will be read more than once (at every run) of course. But I thought it was possible to have a set of random numbers saved in a file, and it would be possible for openssl to save a "pointer", and continue reading the file on the next run (not start from the beginning). Of course this can be done by piping the file to a FIFO buffer, and then making openssl read from the pipe rather than the file (this solves the problem with the same random sequence).

What my problem here is: I have a true random number generator, but it is not linked to the computer, I get the numbers on a flash disk (as a binary file). Because these are true random numbers (well at least as far as a quantum rng is random), they are safe to use for the prime generation, and I would like to use these files, rather than the PRNG of openssl (being on the safe side of a coding error in the PRNG, no offence intended, we all make mistakes :). I would like to know if this is possible.

Regards,
Vandra Ákos

2009/7/3 Michael S. Zick <openSSL@...>

RE: Using random number file

Akos Vandra wrote:
> I see what the main misunderstanding is here.
> If the numbers are read from the file with no precautions whatsoever,
> the same numbers will be read more than once (at every run) of course.
> But I thought it was possible to have a set of random numbers saved in
> a file, and it would be possible for openssl to save a "pointer", and
> continue reading the file on the next run (not start from the beginning).
> Of course this can be done by piping the file to a FIFO buffer, and then
> making openssl read from the pipe rather than the file (this solves the
> problem with the same random sequence).

Yes, exactly.

> What my problem here is: I have a true random number generator, but it
> is not linked to the computer, I get the numbers on a flash disk (as a
> binary file). Because these are true random numbers (well at least as
> far as a quantum rng is random), they are safe to use for the prime
> generation, and I would like to use these files, rather than the PRNG
> of openssl (being on the safe side of a coding error in the PRNG, no
> offence intended, we all make mistakes :). I would like to know if
> this is possible

What you need is a program that sucks in the files of random numbers and serves them to a pipe that OpenSSL (and other RNG clients) can read from. The program would need to ensure that each number is only written to the pipe once. It can keep the pipe 'full' and let you know when it's low on random numbers. This is a very simple program to write. (And I believe similar programs do already exist. Have a look at 'egd'.)

However, it will not likely achieve your stated objective. Unless you vet your program to the same degree as OpenSSL's PRNG has been vetted, you will simply have replaced a solution with a less-reliable solution. As a general rule, in cryptography, the worst thing you can do is cook up your own solution to a problem.

DS

Re: Using random number file

Thanks for your reply.

I have two further questions I would like to ask:
How can I make openssl read from that pipe?
And why would a certified hardware quantum random generator hardware be less reliable than openssl's prng?

Regards,
Vandra Ákos

2009/7/4 David Schwartz <davids@...>

RE: Using random number file

Akos Vandra:
> Thanks for your reply.
> I have two further questions I would like to ask:
> How can I make openssl read from that pipe?

It depends on exactly what you're asking. If you're talking about how to do it in a program somebody else wrote, you'd have to ask them. If you're talking about how to do it in your own program, you can replace the OpenSSL PRNG with RAND_set_rand_method. If you're talking about how to do it in the applications included with OpenSSL, use the 'RANDFILE' environment variable.

There's built-in support for EGD, so it may be worth 'faking' EGD's protocol.

> And why would a certified hardware quantum random generator hardware
> be less reliable than openssl's prng?

Because "reliable" is an attribute of the system as a whole, not its individual components. When I read your question, I see, "Why would a system I put together myself be less reliable than a system that has been publicly vetted and stood the test of time?" And the answer is obvious -- you might make mistakes putting the system together and your shoulder is not being looked over the way the OpenSSL project is.

My advice to you would be to compromise. A known property of OpenSSL's PRNG is that it can never be hurt by adding seed material to it. So add as much seed material to it as often as you like. This cannot possibly hurt, so your baseline is the reliability of OpenSSL. (And, in fact, this is what I do.)

If you really want to, you can intercept OpenSSL's PRNG calls with your own rand method. Keep track of how much entropy is being pulled out of the pool and add back in the same amount from your own source. This way even if you screw up the worst imaginable way (assuming you don't actually distort the data from the PRNG going back to OpenSSL) you cannot make things any less secure.

DS

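As an added example (not part of the original thread, and not OpenSSL project code), the compromise DS describes can be combined with the "pointer" idea from earlier in the thread: each chunk of the file is handed out only once and is mixed into OpenSSL's PRNG as extra seed material through Python's `ssl` module, whose `RAND_add` and `RAND_bytes` call into OpenSSL. The file names, the 64-byte chunk size and the helper names `next_chunk` and `reseed_from_pool` are assumptions, and the code assumes a single process uses the pool.

```python
import os
import ssl
import tempfile

CHUNK = 64  # bytes of file data mixed in per call (assumed size)

def next_chunk(pool_path, state_path, size=CHUNK):
    """Return the next unused `size` bytes of the pool file, or None if exhausted.

    The read offset (the "pointer") lives in state_path and is advanced and
    synced to disk BEFORE the bytes are handed out, so a crash can waste
    bytes but can never cause the same bytes to be served twice.
    """
    try:
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    except FileNotFoundError:
        offset = 0
    if offset + size > os.path.getsize(pool_path):
        return None  # pool used up: fetch a fresh file, never rewind
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(offset + size))
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, state_path)  # atomic pointer update
    with open(pool_path, "rb") as f:
        f.seek(offset)
        return f.read(size)

def reseed_from_pool(pool_path, state_path, size=CHUNK):
    """Mix one fresh chunk into OpenSSL's PRNG; return bytes consumed (0 if empty)."""
    chunk = next_chunk(pool_path, state_path, size)
    if chunk is None:
        return 0
    # Credit 0 bits of entropy: the data is still mixed in, but OpenSSL's
    # own seeding stays the baseline if the file turns out to be bad.
    ssl.RAND_add(chunk, 0.0)
    return len(chunk)

def demo():
    """Constructed demo: os.urandom stands in for the hardware RNG file."""
    d = tempfile.mkdtemp()
    pool, state = os.path.join(d, "pool.bin"), os.path.join(d, "pool.offset")
    with open(pool, "wb") as f:
        f.write(os.urandom(3 * CHUNK))  # constructed sample data
    used = [reseed_from_pool(pool, state) for _ in range(4)]
    return used, len(ssl.RAND_bytes(32))
```
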
Re: Using random number file

Akos Vandra wrote:
> And why would a certified hardware quantum random generator hardware be less reliable than openssl's prng?

The details depend on the specific hardware, but when for example a resistor blows up it may be that there is no more random input. Afair some years ago one tested some HW generators and experienced at least with one model that many exemplars of this model failed right from the beginning. So it is not so simple to make a reliable HW random number generator.

Ciao,
Richard

--
Dr. Richard W. Könning
Fujitsu Technology Solutions GmbH