[Cryptography] [FORGED] Re: OpenSSL and random
Tom Mitchell
mitch at niftyegg.com
Tue Nov 29 21:04:56 EST 2016
On Tue, Nov 29, 2016 at 10:20 AM, Salz, Rich <rsalz at akamai.com> wrote:
> Tens of thousands of individual developers and sysadmins have downloaded,
> built, and installed OpenSSL. A handful of distributions also do that, and
> bundle it with their release. For a variety of understandable reasons, said
> distros are always out of date.
>
> > Real developers are not generally crypto geeks. They need an alarm bell
> > like this to go off to let them know when something is wrong.
>
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
>
Invite the world to get it correct: add worthy options to examples on stackexchange.com.
Lots of bad code starts there... so add some good code.
http://unix.stackexchange.com/questions/114878/reading-from-dev-random-does-not-produce-any-data

Google for: site:stackexchange.com random urandom dev/random dev/urandom
Sample the offered solutions.

As a group, a small group here could ask and answer questions that could be better.
Sure, that is a shill game, but a valuable way to share known solutions and even update them.

OpenSSL could have a go-get-rand() function that is #ifdef rich and does all the right things. For the systems where ./configure does not find worthy foundations and tools, have a configure option that is a lot like $HobbledInsecureMachine and then use internet timeouts and other "weak solutions".
http://crypto.stackexchange.com/questions/34019/on-linux-does-dev-random-unblocking-imply-that-dev-urandom-is-seeded

For blocking sources, read a small number of bits at a time and time each read to know how sluggish the application might feel. Stop with the TRNG and seed a PRNG with the TRN set you have and local environment...

Blocking reads are the bane of programmers... as are hidden buffers as small as four characters.
--
T o m M i t c h e l l
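
The small, timed reads from a blocking source suggested in the message above, sketched in C as an added example; it is not part of the original post and not OpenSSL code. The names `timed_read` and `read_stats` are hypothetical, and the caller is assumed to decide what to do when fewer bytes than requested come back before the budget expires.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stddef.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical names for illustration; none of this is OpenSSL API. */
struct read_stats {
    size_t got;        /* bytes actually collected */
    long   slowest_ms; /* longest single wait-plus-read, in milliseconds */
    int    timed_out;  /* 1 if the time budget expired before `want` bytes */
};

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Collect up to `want` bytes from a possibly blocking fd, at most `chunk`
 * bytes per read, and never wait longer than `budget_ms` in total.
 * The caller must check `got`: a short result is not a full seed. */
struct read_stats timed_read(int fd, unsigned char *buf, size_t want,
                             size_t chunk, long budget_ms)
{
    struct read_stats st = {0, 0, 0};
    long deadline = now_ms() + budget_ms;

    while (st.got < want) {
        long start = now_ms();
        long left = deadline - start;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int pr = left > 0 ? poll(&p, 1, (int)left) : 0;
        if (pr <= 0) {                 /* 0: budget spent, <0: poll error */
            st.timed_out = (pr == 0);
            break;
        }
        size_t n = want - st.got < chunk ? want - st.got : chunk;
        ssize_t r = read(fd, buf + st.got, n);
        if (r <= 0)
            break;                     /* EOF or read error */
        st.got += (size_t)r;
        long took = now_ms() - start;
        if (took > st.slowest_ms)
            st.slowest_ms = took;
    }
    return st;
}
```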