Knowing very little about any of this cryptography stuff, I have no idea what value of nBytes is enough. I think the wisdom, though, is that it depends upon your situation. From what I've read, the whole purpose of cryptography is to make it too difficult for an attacker to succeed with an attack. Obviously, how much effort you have to make to thwart an attack depends to a significant degree upon how much effort the attacker is willing to make. That would depend upon how valuable the information is, etc. In my particular application of SSL, I don't think the information being transferred is terribly sensitive. So I just chose to use RAND_screen() on Windows to seed the PRNG. Although Viega, et. al., page 99 (Network Security with OpenSSL, O'Reilly), makes it clear that he thinks RAND_screen() is a poor choice at best, it is described as using a hash of the current screen scan-lines for entropy. I'm no math wiz, but it's hard for me to see how any attacker could determine what the results of that are, regardless of effort. Perhaps if the attacker can see the screen...
I conclude that with cryptography, as with other things in life, we all just have to decide when enough is enough and move on.
Steve
Not exactly open source, but
http://www.intel.com/design/security/rng/rng-capi.htm "Accessing the Intel®
Random Number Generator through a CSP for Microsoft* CryptoAPI" describes
how to access the Intel *hardware* RNG. Might be of some use to you on
Windows platforms. (I believe some *NIXs use the same hardware to populate
/dev/random when on Intel platforms.)
Edward Chan <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Sent by: cc: owner-openssl-users@ Subject: Re: anybody using EGADS?
openssl.org
10/22/2002 01:13 PM Please respond to
openssl-users
Hi Stephen,
Thanks for the reply. You're absolutely right. It
does appear that I am not blocked indefinitely...it
certainly does take a while to gather entropy. I was
using nBytes = 1024. Then I tried 512. Still very
long time.
Any suggestions on what a number should be for
acceptable randomness?
Does anybody have any alternative suggestions? Does
anybody know how Apache seeds the OpenSSL PRNG on
Windows? I think Apache uses OpenSSL don't they?
Thanks,
Ed
--- "Stephen G. Schoggen" <[EMAIL PROTECTED]>
wrote:
Ed, I tried EGADS on Windows (PIII 866) and found that it's time to 'gather entropy' was noticeable beyond nBytes=4. So if you use a relatively large nBytes, then it would appear to block.Steve >Hi there, > >Is anybody using EGADS on Windows? I'm having a >problem using it. I've downloaded the source and >built everything. The egads service is running. I've >written a program that links with egads.dll. I have a >function that tries to see the OpenSSL PRNG : > >bool seedPRNG(int nBytes) >{ > prngctx_t ctx; > int nError; > > egads_init(&ctx, 0, 0, &nError); > if (nError != 0) > { > DEBUG_TRACE1(_T("egads_init() failed : %d (Is egads >service running???)"), nError); > return false; > } > > char* pBuf = new char[nBytes + 1]; > egads_entropy(&ctx, pBuf, nBytes, &nError); > bool bOK = (0 == nError); > if (bOK) > { > RAND_seed(pBuf, nBytes); > } > delete [] pBuf; > > egads_destroy(&ctx); > return bOK; >} > >However, I seem to be blocking inside (presumably as >egads gathers entropy), but it seems like I never >unblock. Can anybody tell me what I'm doing wrong? > >Thanks, >Ed > >__________________________________________________ >Do you Yahoo!? >Y! Web Hosting - Let the expert host your web site >http://webhosting.yahoo.com/ ______________________________________________________________________ >OpenSSL Project http://www.openssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED]______________________________________________________________________OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __________________________________________________ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
