 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss- > bounces+blu=nedharvey.com at blu.org] On Behalf Of Daniel Hagerty > > * Linux has /proc/sys/kernel/random. Thanks for the pointer. To figure out how much entropy you have, do this: watch -n 1 cat /proc/sys/kernel/random/entropy_avail At any given moment, it will tell you how many bits of randomness you have available right now, but they quickly expire. So your system will hover around some level... If you have a TPM or any other hardware random generator, or even mouse & keyboard, then you'll generate a lot more and have a higher level. A relatively un-random system might be around 100 or 200 (which corresponds to approx bits/sec) and a good system might be around 2,000 or 4,000. There are pages all over the internet saying to use prngd to feed bits from urandom into random. This sounds foolish to me. If there is any purpose to distinguish random from urandom at all... Then feeding random from urandom defeats that purpose. To ensure you generate good ssh keys is easy: export SSH_USE_STRONG_RNG=256 (Notice, these are bytes. So the above is 2048 bits.) Notice, this could take a while. Supposing your system is generating 128 bits/sec, a lot of them get wasted, and ssh-keygen will take about a minute or two. That answers the question for ssh. Now what about SSL? Star by checking for the existence of a RANDFILE environment variable. If there is none... Look for RANDFILE in your openssl.cnf file. In my system: grep RANDFILE /etc/pki/tls/openssl.cnf RANDFILE = $ENV::HOME/.rnd RANDFILE = $dir/private/.rand # private random number file And sure enough, when I look in my home directory, I have a 1K file ~/.rnd Here's how openssl works: It seeds from the RANDFILE, and then it uses its own internal prng stream cipher. And every time it runs, it will overwrite the RANDFILE with a new seed for next time. So to ensure good random numbers in openssl, all you need to do is any variation of the following: export RANDFILE=/dev/random or dd if=/dev/random of=~/.rnd bs=1k count=1 or Whatever is appropriate based on your individual RANDFILE. Personally, I'm inclined to export RANDFILE=/dev/random, because it eliminates the possibility you accidentally looked in the wrong openssl.cnf, and it eliminates the possibility of someone discovering your seed by reading your ~/.rnd file.
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
