On 2008.11.05 at 00:29:40 -0800, David Schwartz wrote:

> PRNG. This is better for several reasons:
>
> 1) You can rate-limit how much you mix in. Say you mix in 1KB at startup and
> 128 bytes every 10 seconds after that. This will provide the same quality of
> randomness for cryptographic purposes, but will limit the effort. This will
> protect you against possible denial-of-service attacks where an attacker
> tries to make you use up more randomness than you have. Many HRNGs are
> vulnerable to this.
This typically is not an issue for operations such as generation of long-time private/public key pairs. These operations are performed with user interaction, and usually done as a separate process. This process can well be configured to use the HWRNG only.

> 2) The OpenSSL PRNG is well-investigated. If your HRNG's output is not
> comparable in quality, your security could be compromised. For example,
> subtle bias in the output could have serious cryptographic consequences.

Typically one has to perform many investigations to come out to the market with some cryptography hardware. In Russia, for example, this requires government certification, and the rules are very strict.

Of course, good software which uses a HWRNG should test its proper functioning each time, for example by the FIPS-140 tests, and just fail if it doesn't pass.
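As an added illustration (not code from this thread or from OpenSSL), here are the four statistical tests of FIPS 140-2 (2001 edition) run over a 20,000-bit sample, the kind of power-up check the last paragraph refers to; the sample comes from a seeded software PRNG standing in for HWRNG output, and the seed is a constructed value.

```python
import random

SAMPLE_BITS = 20_000
# FIPS 140-2 (2001) acceptance intervals: monobit and poker bounds are exclusive, runs bounds inclusive.
MONOBIT = (9725, 10275)
POKER = (2.16, 46.17)
RUNS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
        4: (240, 384), 5: (103, 209), 6: (103, 209)}  # key 6 means 6 or more
LONG_RUN = 26  # a run of 26 or more identical bits fails the long-run test

def _bits(sample: bytes) -> list:
    if len(sample) * 8 != SAMPLE_BITS:
        raise ValueError("sample must be exactly 2,500 bytes (20,000 bits)")
    return [(b >> i) & 1 for b in sample for i in range(7, -1, -1)]

def fips_140_2_tests(sample: bytes) -> dict:
    """Return {test name: passed}; a caller should refuse to seed the PRNG
    from the hardware source when any entry is False."""
    bits = _bits(sample)
    results = {}
    # Monobit: the number of ones must lie strictly inside the interval.
    ones = sum(bits)
    results["monobit"] = MONOBIT[0] < ones < MONOBIT[1]
    # Poker: chi-square statistic over the 5,000 consecutive 4-bit values.
    freq = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        freq[bits[i] << 3 | bits[i+1] << 2 | bits[i+2] << 1 | bits[i+3]] += 1
    x = (16 / 5000) * sum(f * f for f in freq) - 5000
    results["poker"] = POKER[0] < x < POKER[1]
    # Runs and long run: count maximal runs of each bit value by length.
    runs = {0: dict.fromkeys(RUNS, 0), 1: dict.fromkeys(RUNS, 0)}
    longest = i = 0
    while i < SAMPLE_BITS:
        j = i
        while j < SAMPLE_BITS and bits[j] == bits[i]:
            j += 1
        runs[bits[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    results["runs"] = all(lo <= runs[v][k] <= hi
                          for v in (0, 1) for k, (lo, hi) in RUNS.items())
    results["long_run"] = longest < LONG_RUN
    return results

def constructed_sample(seed: int = 2008) -> bytes:
    """Seeded software PRNG output standing in for a HWRNG sample (constructed)."""
    return random.Random(seed).getrandbits(SAMPLE_BITS).to_bytes(2500, "big")
```

An all-zero sample fails every test, a strictly alternating 0101... sample passes monobit and long-run but fails poker and runs, which is why all four tests are applied together.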