RNG quality verification
James A. Donald
jamesd at echeque.com
Sat Dec 24 18:48:42 EST 2005
--
From: Philipp Gühring
<pg at futureware.at>
> The problem is that I have to live with COTS
> (Common-off-the-shelf) software out there, that is
> generating the certificate requests. The only thing I
> can do is create a blacklist or a whitelist of known
> bad or known good software, to tell the users: Use
> this software, or don't use that software.
Randomness is necessarily theory laden. To determine
what is good, and what is bad, you have to look inside
the software.
Software should get its randomness from /dev/random, or
from similarly open sources of randomness, so that the
source of randomness can be inspected.
The general rule is that true randomness comes from
quantities that are known to be unknown - for example
the variation in disk read timing, which is affected by
turbulence, or the microphone input, which is inherently
noisy. You have to ask where these random numbers
ultimately come from.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
5i5rAiu+t+UqxlCHKBfiAn24UbuH1D2GsYrL3hv7
4q7w1mi+V9whucgThiyHnkPt0EkjS1oIAp9hQ1UKc
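
The point that randomness cannot be judged from output alone, as an added example that is not part of the original message: a generator with only 16 bits of seed passes black-box statistical tests, and the weakness shows only once the design is known. The generator `weak_stream`, its 16-bit seed, the sample seed value and the test thresholds are all assumptions constructed for illustration.

```python
import hashlib
import math
import os

SEED_BITS = 16  # assumption: the flawed product seeds from a 16-bit value (e.g. a process id)

def weak_stream(seed: int, nbytes: int) -> bytes:
    """Hypothetical flawed generator: SHA-256 in counter mode over a tiny seed."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed.to_bytes(2, "big") + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def looks_random(data: bytes) -> bool:
    """Black-box check: monobit frequency test plus chi-square over byte values."""
    nbits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    z = abs(ones - nbits / 2) / math.sqrt(nbits / 4)
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    # Generous bounds: z beyond 4.5 or chi2 beyond 400 (255 degrees of freedom) is a clear failure
    return z < 4.5 and chi2 < 400

def find_seed(sample: bytes):
    """White-box check: knowing the design, try every seed the design allows."""
    for seed in range(2 ** SEED_BITS):
        if weak_stream(seed, len(sample)) == sample:
            return seed
    return None

if __name__ == "__main__":
    weak = weak_stream(31337, 65536)   # constructed sample: seed value chosen arbitrarily
    strong = os.urandom(65536)         # kernel randomness, for comparison
    print("weak passes output tests:   ", looks_random(weak))
    print("urandom passes output tests:", looks_random(strong))
    print("weak seed found from 32 bytes:", find_seed(weak[:32]))
    print("urandom seed found:           ", find_seed(strong[:32]))
```

Both streams pass the output tests; only the search over the known seed space separates them, which is why the source of the randomness has to be open to inspection.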
---------------------------------------------------------------------
The Cryptography Mailing List