On 6/7/2013 1:17 PM, srikanth chakravarthula wrote:
Hi Jakob,

Thank you for your response.

So if I understand, when the genrsa or rand command is called, it uses the
seeded random number from /dev/random or /dev/urandom and generates the
key and then re-seeds the random bytes from /dev/random
or /dev/urandom.  And it will use the configured RANDFILE for this
purpose. Is my understanding correct?

No, it is much simpler: When you use the "openssl genrsa" commandline command, it will load some random bytes from /dev/random or /dev/urandom and use those to seed the OpenSSL PRNG, which in turn is used to generate the private key.

/dev/random and /dev/urandom reseed themselves from hardware as necessary.


So if I want to reseed the random seeds generated from /dev/random or
/dev/urandom, I need to use the RAND_add command, checking for the entropy.

If you have a source of entropy other than /dev/random, you can pass it
to "openssl genrsa -rand YourEntropyFile" and it will be used to seed
the OpenSSL PRNG, by making "openssl genrsa" call RAND_add().

If you have a source of entropy other than /dev/random and want to use
it as an additional seed for /dev/random, just use the non-openssl command
"cat YourEntropyFile > /dev/random"; in fact that is what most
good hardware entropy device drivers do.

This RAND_add command is from a C API, as I could not find a command or
script from openssl directly. Is it compiled as a C library? Or can we
use any custom API etc. to generate and add on to the one generated
from /dev/random or /dev/urandom to have enough entropy?


Yes, all of OpenSSL is a C library, with the handy little C program /usr/bin/openssl calling it in common ways from the command line.

And as I said, /usr/bin/openssl can be made to call the C function
RAND_add() by simply passing it the option "-rand YourEntropyFile".


On Fri, Jun 7, 2013 at 3:38 PM, Jakob Bohm <jb-open...@wisemo.com
<mailto:jb-open...@wisemo.com>> wrote:

    On 6/6/2013 4:57 AM, srikanth chakravarthula wrote:

        Hi, I need help in openssl random seed generation.

        We use the genrsa command to generate keys and certificates and we
        want to ensure that the random number being generated has
        high entropy.

        We need to know how openssl, while generating the key using the
        command genrsa, will generate the random number, and of how many
        bytes.

        How can we improve the entropy before generating the key? We use
        /dev/urandom and it's been said that there are options like rand_add
        and rand_seed.

    On platforms with /dev/random and /dev/urandom, openssl by default
    seeds itself from one of those.  On other platforms, the documentation
    is murky at best.

    rand_add() is what your own code would call if it had a different and
    better source of entropy which was for some reason not set up to just
    add its entropy to the /dev/urandom system pool automatically (most
    hardware entropy sources on the market do that).


        How do I call these APIs using the shell script before
        generating the
        keys to ensure high entropy is achieved? Also, how do I output the
        random seed generated to check for the entropy?


    Use the -rand option


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
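The "-rand YourEntropyFile" usage that Jakob describes above, written out as a runnable shell script. This is an added example and not code from the thread, from OpenSSL, or from WiseMo. It assumes an OpenSSL command-line binary of 1.0 or later on the PATH, a Unix /dev/urandom, and two file names of our own choosing (SEEDFILE and KEYFILE); the 256 seed bytes are taken from /dev/urandom only as a stand-in for a real hardware entropy source.

```shell
#!/bin/sh
# Added example (not from the original thread): feed extra seed material to
# "openssl genrsa" with -rand, which makes the openssl binary call RAND_add()
# with the file contents before generating the key.
# Assumptions: openssl >= 1.0 on PATH, /dev/urandom present, and the file
# names below are our own choice.
set -eu

SEEDFILE="${SEEDFILE:-./extra-seed.bin}"   # assumed name for the seed file
KEYFILE="${KEYFILE:-./test-key.pem}"       # assumed name for the generated key

# Collect seed bytes. In a real deployment this would come from a hardware
# RNG; here 256 bytes from /dev/urandom stand in for it (constructed input).
# Prints the number of bytes written.
make_seed() {
    dd if=/dev/urandom of="$SEEDFILE" bs=256 count=1 2>/dev/null
    chmod 600 "$SEEDFILE"             # seed material must not be world readable
    wc -c < "$SEEDFILE" | tr -d ' '
}

# Generate a 2048-bit RSA key with the extra seed mixed in via -rand, then
# confirm the key file parses and passes OpenSSL's consistency check.
# Prints "ok" on success, "fail" otherwise.
gen_key() {
    openssl genrsa -rand "$SEEDFILE" -out "$KEYFILE" 2048 2>/dev/null
    chmod 600 "$KEYFILE"              # private key: owner-only permissions
    if openssl rsa -in "$KEYFILE" -check -noout >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# On Linux, report how much entropy the kernel pool currently estimates;
# prints "unknown" elsewhere. This is a check on the OS pool, not on OpenSSL.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# Usage: sh seedkey.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "kernel entropy_avail: $(entropy_avail)"
    echo "seed bytes written: $(make_seed)"
    echo "key generation: $(gen_key)"
fi
```

Note that the seed file only supplements whatever the OpenSSL PRNG already pulled from /dev/random or /dev/urandom; it does not replace it. Keep the seed file and the key at mode 0600, and delete the seed file after use rather than reusing it for later keys.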
