>>> I’m using PRNGD to seed my random numbers (I’m on a system without >>> /dev/random and /dev/urandom). I occasionally get the dreaded “PRNG is >>> not seeded” error. >> >> I don’t know your OS or environment, have you tried the ‘openssl rand’ >> functionality as a random source to seed your entropy issues ? > >Where would openssl rand be getting its entropy from, in this case? You have a >circular dependency: openssl needs entropy, so it tries to get it from PRNGD; >and you're asking openssl to put entropy into PRNGD. > >> perhaps rather than pseudo random, try a hardware device ? > >Now, this is a case where you might use openssl rand, in conjunction with >engine, to get entropy from another source. That could be a useful hack if you >can't easily change PRNGD or the application to read entropy from the device. > >For example, I think I successfully used openssl with the pkcs11 engine to get >entropy from a NitroKey device a couple of years back, when I was playing >around with cheap HSMs. > >Whether something like the NitroKey (which is an inexpensive USB-attached HSM >in a thumbdrive form factor) would be useful in this case is something Scott >would have to determine. > >If it is, it'd be cleaner if he could change the application to load the >pkcs11 engine and use its RNG directly, or at least get entropy from it to >seed OpenSSL's PRNG. > >>> I know this is caused by a lack of available entropy in the system; >>> but what can I do to address this? Is it just a matter of waiting >>> until enough entropy has been collected? Is there any kind of workaround? > >Depends on what sources PRNGD uses (I haven't looked), what the device is, >what the application is... If the device has sensors you can read, you might >be able to gather some entropy by reading noise from them (though this is >somewhat fraught - you don't want to overestimate the amount of entropy, and >both sensors and sensor APIs are often vulnerable to attack). > >Sometimes applications ask users to generate some entropy by asking them to >bang on the keyboard or wiggle the mouse, or that sort of thing. Again, it >really depends on what your device and application are. > >This topic is discussed at some length in the technical literature; see for >example section 3 of RFC 4086. >
The platform in question is an HPE NonStop. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
