RNG quality verification

Philipp Gühring pg at futureware.at
Thu Dec 22 04:28:47 EST 2005 

Hi,

I have been asked by to verify the quality of the random numbers which are 
used for certificate requests that are being sent to us, to make sure that 
they are good enough, and we don´t issue certificates for weak keys.

The client applications that generate the keys and issue the certificate 
requests are the usual software landscape OpenSSL, IE, Firefox, 
SmartCards, ... and we would like to be able to accept all normally used 
software.

We are being asked to either issue the keys for our users (I don´t want to), 
or alternatively demand the users to have good quality random numbers with a 
contract for the user. Now it might be easy that I demand the user to have 
good random numbers, but the first question will likely be "and how do I do 
that?" or "which software/hardware does that?"

So I guess I have to ask the vendors, whether ther random numbers are good 
enough. But what if they just say "yes" or "no"? 
I think the better way would be if I had a possibility to verify the quality 
of the random numbers used in a certificate request myself, without the 
dependence on the vendor.

From what I remember of the usual RSA key generation, random numbers gathered 
are being put into a field with the expected keysize. Then the first and last 
bit is set to 1, to make sure that the key has the necessary size, and to 
have it odd (not to be devidable by 2). Then it is verified for primeness, 
and if the check is ok, the number is used.

So if I extract the key, remove the first and the last bit, then I should have 
the pure random numbers that are being used. If I do that with lots of keys, 
I should have a good amount of random material for the usual statistical 
tests.

Am I right? Am I wrong?
Has anyone done that before?
Any other, better ideas?
Should I do it that way?

Best regards,
Philipp Gühring


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list