Gerd Schering wrote:
> Lutz Jaenicke wrote:
>> Gerd Schering wrote:
>>
>>> Hello,
>>>
>>> we purchased a hrng for the generation of RSA keys for instance.
>>> It is an USB device an shows up as /dev/qrandom.
>>>
>>> So, in order to generate rsa keys, is it sufficient to use it as a
>>> replacement for /dev/urandom and to call genrsa as
>>>
>>> openssl genrsa -rand /dev/qrandom 2048 ?
>>>
>>>
>> Yes, it is sufficient. Please note that a source not having a definite
>> EOF (End Of File) will lead to an infinite loop reading from the source.
>> It may therefore be necessary to read a specified amount of entropy
>> first into an intermediate file to be fed via "-rand".
>>
> So , if I get it right: we have a "true" random source to seed the PRNG
> and this produces "true" random numbers?
To my best knowledge there does not exist a mathematical proof for the
quality of the used "entropy pool with hash mixing" PRNG. We believe
that it is of very high quality.
You may also have a look into the thread "Fix VIA Padlock RNG support"
on the openssl-dev mailing list. It discusses the point that OpenSSL does
handle RNGs provided via engine interface in fact completely replace the
built-in PRNG with the external entropy source.
Best regards,
Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
