At 04:12 PM 7/25/2002 +0100, [EMAIL PROTECTED] writeth:
>On 25/07/2002 15:47:30 owner-openssl-users wrote:
>
>>My question is whether this compromises security in any way. Especially if
>>this same "random.pem" file is being used on multiple clients and is being
>>freely and openly distributed, is this making my system less secure and more
>>vulnerable to attack in any way?
>
>Without an unpredictable random source you are completely and absolutely
>vulnerable. Having your random seed, an attacker may recreate your key
>pairs, your session keys, anything (s)he wants.
I'm still wanting to see a polymorphic random number generator that not only changes its internal seed size, but also changes its own algorithm as it goes along. This would require an attacker to not only obtain the seed material but also the current algorithm within the engine at the time of generation. Obtaining the seed material is trivial compared to obtaining a polymorphic algorithm.

Of course, if you only need a true source of randomness for a short amount of time, <http://www.fourmilab.ch/hotbits/> offers you about 8K of radioactive-decay enabled numbers (an _EXTREMELY_ random process) per day (about 8K per IP address). If you need a real consistent source of randomness, you can make your own radioactive number generator by following the online schematics or get a block of IPs :)

Hope this helps!

Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow programmers"
http://www.shininglightpro.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
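The point made in the quoted reply, that a generator fed only a shared seed file is reproducible by anyone holding that file, as an added illustration that is not part of the thread: a toy HMAC-SHA256 counter-mode generator (a stand-in for any seeded PRNG, not OpenSSL's own RAND implementation) is seeded from a constructed "random.pem" alone on several clients, and then again with per-host OS entropy mixed in before the first output.

```python
"""Toy model of the shared "random.pem" problem discussed in the thread.

The generator is a simplified stand-in (HMAC-SHA256 in counter mode), not
OpenSSL's RAND code.  SHARED_SEED is a constructed sample standing in for
the contents of a seed file that ships to every client.
"""
import hashlib
import hmac
import os

# Constructed sample: what every client would read from the distributed file.
SHARED_SEED = hashlib.sha256(b"constructed shared random.pem contents").digest()


class SeededGenerator:
    """Deterministic byte generator: block_i = HMAC-SHA256(state, i)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()
        self.counter = 0

    def mix_in(self, extra: bytes) -> None:
        """Fold locally gathered entropy into the state before any output."""
        self.state = hmac.new(self.state, extra, hashlib.sha256).digest()

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            ctr = self.counter.to_bytes(8, "big")
            out += hmac.new(self.state, ctr, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def session_keys_seed_only(seed: bytes, n_clients: int) -> list[bytes]:
    """Every client seeds purely from the shared file: all keys collide."""
    return [SeededGenerator(seed).next_bytes(16) for _ in range(n_clients)]


def session_keys_with_local_entropy(seed: bytes, n_clients: int) -> list[bytes]:
    """Each client mixes in 32 bytes of its own OS entropy first."""
    keys = []
    for _ in range(n_clients):
        gen = SeededGenerator(seed)
        gen.mix_in(os.urandom(32))
        keys.append(gen.next_bytes(16))
    return keys


def key_from_seed_file_alone(seed: bytes) -> bytes:
    """Whoever holds the file runs the same algorithm and gets the same key."""
    return SeededGenerator(seed).next_bytes(16)
```

The seed-only keys are identical across clients and equal to what the file alone yields; once per-host entropy is mixed in, the seed file no longer determines the output.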