[Cryptography] [FORGED] Re: OpenSSL and random

Ben Laurie ben at links.org
Tue Nov 29 14:04:53 EST 2016

On 29 November 2016 at 18:20, Salz, Rich <rsalz at akamai.com> wrote:
> Tens of thousands of individual developers and sysadmins have downloaded, built, and installed OpenSSL.  A handful of distributions also do that, and bundle it with their release. For a variety of understandable reasons, said distros are always out of date.
>> Real developers are not generally crypto geeks.  They need an alarm bell like this to go off to let them know when something is wrong.
> And if the alarm bell is "apache won't start" they will throw out openssl or swamp us with email or perhaps fall back to plaintext.
> Servers do not have keyboards or screens that can be scraped for a source of entropy.

But what they do have is instruction counters and loads of devices
that take a random amount of time to initialise. I demonstrated quite
a while back that there's enough entropy at startup just from that to
seed your RNG, even in quite cut-down machines, and in VMs.
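
A rough way to look at the kind of timing variation this message refers to, as an added example that is not part of the original post and not the author's own demonstration: it samples Python's `time.perf_counter_ns()` as a stand-in for an instruction counter, applies a most-common-value min-entropy estimate, and refuses to emit a seed when the derated estimate falls short. The function names, the 8-bit truncation and the safety factor of 4 are assumptions made for the example.

```python
import hashlib
import math
import time
from collections import Counter


def timing_deltas(n=4096):
    """Differences between successive reads of a high-resolution counter."""
    deltas = []
    prev = time.perf_counter_ns()
    for _ in range(n):
        now = time.perf_counter_ns()
        deltas.append(now - prev)
        prev = now
    return deltas


def min_entropy_per_sample(samples):
    """Most-common-value estimate, -log2(p_max), in bits per sample.

    Treats samples as independent, which timing deltas are not, so the
    result is optimistic and must be derated by the caller.
    """
    if not samples:
        return 0.0
    p_max = Counter(samples).most_common(1)[0][1] / len(samples)
    return -math.log2(p_max)


def seed_from_deltas(deltas, want_bits=256, safety_factor=4):
    """Return a 32-byte seed, or None if the derated estimate is too low."""
    low = [d & 0xFF for d in deltas]  # only the noisy low byte is counted
    estimate = min_entropy_per_sample(low) * len(low)
    if estimate / safety_factor < want_bits:
        return None  # caller keeps collecting instead of seeding weakly
    h = hashlib.sha256()
    for d in deltas:
        h.update(d.to_bytes(8, "little"))  # hash full deltas, not just low bits
    return h.digest()


if __name__ == "__main__":
    d = timing_deltas()
    low = [x & 0xFF for x in d]
    print("estimated bits/sample:", round(min_entropy_per_sample(low), 2))
    seed = seed_from_deltas(d)
    print("seed:", seed.hex() if seed else "insufficient, keep collecting")
```

The estimate only bounds what the samples could contain; a constant or stuck counter yields zero and no seed is produced.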
