At 04:12 PM 7/25/2002 +0100, [EMAIL PROTECTED] writeth:
>On 25/07/2002 15:47:30 owner-openssl-users wrote:
>
>>My question is whether this compromises security in any way.  Especially if
>>this same "random.pem" file is being used on multiple clients and is being
>>freely and openly distributed, is this making my system less secure and more
>>vulnerable to attack in any way?
>
>Without an unpredictable random source you are completely and absolutely
>vulnerable. Having your random seed an attacker may recreate your key
>pairs, your session keys anything (s)he wants.

I'm still wanting to see a polymorphic random number generator that not
only changes its internal seed size, but also changes its own algorithm as
it goes along.  This would require an attacker to not only obtain the seed
material but also the current algorithm within the engine at the time of
generation.  Obtaining the seed material is trivial compared to obtaining a
polymorphic algorithm.

Of course, if you only need a true source of randomness for a short amount
of time, <http://www.fourmilab.ch/hotbits/> offers you about 8K of
radioactive-decay enabled numbers (an _EXTREMELY_ random process) per day
(about 8K per IP address).  If you need a real consistent source of
randomness, you can make your own radioactive number generator by following
the online schematics or get a block of IPs :)

Hope this helps!


          Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow programmers"
                  http://www.shininglightpro.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
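The point made in the quoted reply, as an added example that is not from the thread or from OpenSSL: a toy deterministic generator (HMAC-SHA256 in counter mode, a constructed stand-in for a real PRNG) seeded only from a shared "random.pem" yields the same session key on every client, and anyone holding the file can derive it too; mixing in fresh local entropy per client is what breaks that. The seed bytes and the function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the bytes of a "random.pem" that has been copied
# to every client (not a real seed file from the thread or from OpenSSL).
SHARED_SEED_FILE = bytes.fromhex("5eed" * 16)  # 32 constructed bytes


class ToyDrbg:
    """Deterministic generator (HMAC-SHA256 in counter mode), a simplified
    stand-in for a real PRNG: its output is a pure function of the seed."""

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def session_key_from(seed: bytes) -> bytes:
    """What a client does: seed the generator, then draw a 128-bit session key."""
    return ToyDrbg(seed).random_bytes(16)


def keys_with_shared_seed_only() -> tuple:
    """Two clients seeded from nothing but the shared file, plus someone who
    holds a copy of that file and repeats the same derivation."""
    client_a = session_key_from(SHARED_SEED_FILE)
    client_b = session_key_from(SHARED_SEED_FILE)
    file_holder = session_key_from(SHARED_SEED_FILE)
    return client_a, client_b, file_holder


def keys_with_local_entropy() -> tuple:
    """Same shared file, but each client also mixes in fresh local entropy
    (os.urandom here) that the file holder never sees."""
    client_a = session_key_from(SHARED_SEED_FILE + os.urandom(32))
    client_b = session_key_from(SHARED_SEED_FILE + os.urandom(32))
    file_holder = session_key_from(SHARED_SEED_FILE)  # has only the file
    return client_a, client_b, file_holder
```

With the shared file alone all three keys are identical; once each client adds its own entropy, the keys differ from each other and from anything derivable from the file.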