Lee,

Unpredictable random numbers are required for the SSL client to set the
pre-master secret in the client key exchange message, RSA mode.
One can run a "reverse" solution with the SSL client on a web server.
Unfortunately this breaks HTTPS. However, you still have
a secure solution and a CA in business :)

Would this fit your environment? As a "gather initial entropy" step?
Please be cautious and think twice before actually going this route.

-vf

On Fri, 4 May 2001, Lee Webber wrote:

> At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote:
>
> >The core question is what [it] takes to port it to an embedded system.
>
> FWIW: my number one worry about porting SSL to an embedded system is where
> I get my entropy.  Because my company sells embedded OS's to end
> developers, I need a general solution if possible.
>
> So where does the randomness come from on startup?  No users, no mouse or
> keyboard input, no unpredictable thread activity...  I can get a little
> randomness from clock skew, if I'm willing to wait forever to gather it.  I
> can get some more from arrival of network packets -- except that by the
> time network packets start arriving I'd better already be seeded.
>
> That leaves two possibilities, external sources (including unused sound
> cards) and the Intel 81x chipset.  Both of these have the drawback that no
> one solution is always available.
>
> Finally, I can start the system out insecure, have it train up to
> sufficient entropy, and then store the entropy for future use.
>
> The above is all I've been able to find on the Internet.  Have I missed
> anything?
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>

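The "start insecure, train up, then store the entropy for future use" approach from Lee's last paragraph, together with vf's caution about it, as an added example in Python. This is not code from the thread or from OpenSSL; the pool, the file name, the credit threshold of 128 bits and the per-sample entropy credits are all assumptions made for illustration. It shows the two properties a stored-seed scheme has to provide: key material is refused until the pool has been credited enough entropy, and a seed file is consumed and replaced the moment it is loaded, so a crash or power loss cannot make the device start twice from the same seed.

```python
"""Persisted-seed entropy pool for a device with no entropy sources at boot.

Added example, not part of the original thread or of OpenSSL. Paths, the
128-bit threshold and all entropy credits are assumptions for illustration.
"""
import hashlib
import hmac
import os
import struct
import tempfile
import time

SEED_THRESHOLD_BITS = 128  # assumption: refuse key material below this credit


class EntropyPool:
    """Hash-based pool with a conservative entropy credit counter."""

    def __init__(self) -> None:
        self.state = hashlib.sha256(b"entropy-pool-init").digest()
        self.credited_bits = 0.0

    def add(self, sample: bytes, credited_bits: float) -> None:
        # Mix the sample into the state. The caller supplies a deliberately
        # conservative estimate of how much entropy the sample carries.
        self.state = hashlib.sha256(self.state + sample).digest()
        self.credited_bits = min(self.credited_bits + credited_bits, 256.0)

    def seeded(self) -> bool:
        return self.credited_bits >= SEED_THRESHOLD_BITS


def clock_skew_sample() -> bytes:
    """A timer read as a weak source; credit it well under one bit per call."""
    return struct.pack(">Q", time.perf_counter_ns())


def write_seed_file(pool: EntropyPool, path: str) -> None:
    """Atomically store a seed derived from the pool (never the raw state)."""
    if not pool.seeded():
        raise RuntimeError("refusing to persist a seed from an unseeded pool")
    seed = hmac.new(pool.state, b"seed-file", hashlib.sha256).digest()
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(seed)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)
    # Ratchet so the stored seed cannot be recovered from a later pool state.
    pool.state = hashlib.sha256(pool.state + b"post-write").digest()


def load_seed_file(pool: EntropyPool, path: str) -> bool:
    """Consume a stored seed and immediately replace it with a fresh one.

    The 256-bit credit is only justified if the file was written from a
    seeded pool and kept confidential; a readable seed file is worth zero.
    """
    try:
        with open(path, "rb") as f:
            seed = f.read()
    except FileNotFoundError:
        return False
    if len(seed) != 32:
        return False
    pool.add(seed, 256.0)
    write_seed_file(pool, path)  # rotate before any output is produced
    return True


def random_bytes(pool: EntropyPool, n: int, label: bytes) -> bytes:
    """Derive output (e.g. a 48-byte pre-master secret) only once seeded."""
    if not pool.seeded():
        raise RuntimeError("pool not seeded; refusing to generate key material")
    out = b""
    for counter in range((n + 31) // 32):
        msg = label + struct.pack(">I", counter)
        out += hmac.new(pool.state, msg, hashlib.sha256).digest()
    pool.state = hashlib.sha256(pool.state + b"post-output").digest()
    return out[:n]


def simulate_boot_cycles(path: str = None) -> dict:
    """Two simulated boots: first with no seed file, second with one present."""
    tmpdir = None
    if path is None:
        tmpdir = tempfile.mkdtemp()
        path = os.path.join(tmpdir, "seed.bin")
    result = {}
    pool = EntropyPool()
    result["first_boot_had_seed"] = load_seed_file(pool, path)
    try:
        random_bytes(pool, 48, b"premaster")
        result["premaster_before_seeded"] = True
    except RuntimeError:
        result["premaster_before_seeded"] = False
    # Slow training phase: constructed samples credited at 0.5 bit each
    # (an assumption; real hardware needs measurement before crediting).
    for i in range(300):
        pool.add(clock_skew_sample() + struct.pack(">I", i), 0.5)
    result["trained_seeded"] = pool.seeded()
    write_seed_file(pool, path)
    with open(path, "rb") as f:
        first_seed = f.read()
    pool2 = EntropyPool()  # second boot: nothing but the seed file
    result["second_boot_had_seed"] = load_seed_file(pool2, path)
    result["second_boot_seeded"] = pool2.seeded()
    with open(path, "rb") as f:
        second_seed = f.read()
    result["seed_rotated_on_load"] = first_seed != second_seed
    result["premaster_len"] = len(random_bytes(pool2, 48, b"premaster"))
    if tmpdir is not None:
        os.remove(path)
        os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    print(simulate_boot_cycles())
```

The rotate-on-load step is what makes the stored seed safe against the failure mode vf warns about: without it, a device that reboots before it has gathered anything new would emit the same pre-master secrets twice. OpenSSL's own RAND_load_file() and RAND_write_file() cover the persistence half of this; the entropy-crediting policy and the refusal to produce output before the threshold are the parts an embedded port has to supply itself.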