<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Wow, that is pretty epic - in a bad way...... Am I really trusting opendnssec<br>
to generate RSA keys with the below code for entropy? filenames in /tmp?<br></blockquote><div><br></div><div><p class=""><span lang="EN-US">CONCLUSION:
The file names in the tmp directory will only be used as one of the last
resorts if not enough entropy has been gathered from the other sources. Also,
the seed will go through two layers of RNGs before being used in the cryptographic operations.</span></p><p class=""><span lang="EN-US">Below is a summary
of my findings regarding the Botan RNG.</span></p><p class=""><span lang="EN-US">The Botan
RNG is based on the ANSI_X931_RNG class. It is the standard issue X9.31
Appendix A.2.4 PRNG, though using AES-256 instead of 3DES as the block cipher.
This PRNG implementation has been checked against official X9.31 test vectors.</span></p><p class=""><span lang="EN-US">Internally,
the ANSI_X931_RNG holds a pointer to another PRNG. This internal PRNG generates
the key and seed used by the X9.31 algorithm, as well as the date/time vectors.
Each time an X9.31 PRNG object receives entropy, it passes it along to the PRNG
it is holding, and then pulls out some random bits to generate a new key and
seed.</span></p><p class=""><span lang="EN-US">The
internal PRNG in the ANSI_X931_RNG is of class HMAC_RNG(af.make_mac("HMAC(SHA-512)"),
af.make_mac("HMAC(SHA-256)")) or Randpool(af.make_block_cipher("AES-256"),
af.make_mac("HMAC(SHA-256)")).</span></p><p class=""><span lang="EN-US">The
internal PRNG is set to the following entropy sources on Unix: High_Resolution_Timestamp(),
Intel_Rdrand(), Device_EntropySource(split_on("/dev/random:/dev/srandom:/dev/urandom",
':')), EGD_EntropySource(split_on("/var/run/egd-pool:/dev/egd-pool",
':')), FTW_EntropySource("/proc"), and Unix_EntropySource(split_on("/bin:/sbin:/usr/bin:/usr/sbin",
':')).</span></p><p class=""><span lang="EN-US">When
polling for entropy, the PRNG will start with the first entropy source added and
then go through the list. The last entropy source, Unix_EntropySource, will
include the list of commands as mentioned earlier in this email thread. The “ls
-alni /tmp” has priority 4 out of 5. This makes it one of the last commands in the last entropy
source.</span></p><p class="">// Rickard</p></div></div></div></div>
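<p>The two-layer layout described in the message above, as an added example that is not part of the thread and not Botan's code: a minimal Go model of an X9.31 Appendix A.2.4 generator with AES-256 as E_K, which is handed its key, its seed V and every date/time vector DT by an inner PRNG. The inner <code>feeder</code> is a hypothetical stand-in for HMAC_RNG/Randpool (SHA-512 over the pool and a counter), chosen only so the data flow is visible and deterministic; <code>twoLayerRNG</code>, <code>DemoOutput</code> and the sample entropy string are likewise constructed here. The A.2.4 step itself (I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I)) is the standard one.</p>

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// Illustrative model of the two-layer layout described above: an ANSI X9.31
// Appendix A.2.4 generator with AES-256 as E_K, fed its key, seed V and DT by
// an inner PRNG. Written for this page, not Botan's code. feeder is a
// hypothetical stand-in for HMAC_RNG/Randpool (SHA-512 over pool || counter).
type feeder struct {
	pool []byte
	ctr  uint64
}

func (f *feeder) addEntropy(b []byte) { f.pool = append(f.pool, b...) }

func (f *feeder) next(n int) []byte {
	out := make([]byte, 0, n+sha512.Size)
	for len(out) < n {
		var c [8]byte
		binary.BigEndian.PutUint64(c[:], f.ctr)
		f.ctr++
		sum := sha512.Sum512(append(append([]byte{}, f.pool...), c[:]...))
		out = append(out, sum[:]...)
	}
	return out[:n]
}

// x931 is the outer layer: X9.31 A.2.4 with a 16-byte block cipher (AES-256).
type x931 struct {
	blk cipher.Block // E_K
	v   [16]byte     // seed V, replaced after every output block
}

// step runs one A.2.4 iteration on date/time vector dt and returns block R:
//   I = E_K(DT);  R = E_K(I xor V);  V' = E_K(R xor I)
func (g *x931) step(dt [16]byte) (r [16]byte) {
	var i, nv [16]byte
	g.blk.Encrypt(i[:], dt[:])
	for k := range r {
		r[k] = i[k] ^ g.v[k]
	}
	g.blk.Encrypt(r[:], r[:])
	for k := range nv {
		nv[k] = r[k] ^ i[k]
	}
	g.blk.Encrypt(nv[:], nv[:])
	g.v = nv
	return r
}

// twoLayerRNG: entropy goes to the inner PRNG, which then hands the X9.31
// layer a fresh AES-256 key and seed V, and later supplies each DT.
type twoLayerRNG struct {
	inner feeder
	outer *x931
}

func (t *twoLayerRNG) AddEntropy(b []byte) error {
	t.inner.addEntropy(b)
	blk, err := aes.NewCipher(t.inner.next(32)) // 32-byte key selects AES-256
	if err != nil {
		return err
	}
	g := &x931{blk: blk}
	copy(g.v[:], t.inner.next(16))
	t.outer = g
	return nil
}

func (t *twoLayerRNG) Read(n int) ([]byte, error) {
	if t.outer == nil {
		return nil, fmt.Errorf("x931: no entropy added yet")
	}
	out := make([]byte, 0, n+16)
	for len(out) < n {
		var dt [16]byte
		copy(dt[:], t.inner.next(16))
		r := t.outer.step(dt)
		out = append(out, r[:]...)
	}
	return out[:n], nil
}

// DemoOutput seeds a generator from one constructed string and returns n bytes.
func DemoOutput(entropy string, n int) ([]byte, error) {
	var rng twoLayerRNG
	if err := rng.AddEntropy([]byte(entropy)); err != nil {
		return nil, err
	}
	return rng.Read(n)
}

func main() {
	out, _ := DemoOutput("constructed sample poll output, not real entropy", 32)
	fmt.Printf("%x\n", out)
}
```

<p>Note that both the rekey on <code>AddEntropy</code> and every DT used by <code>Read</code> come from the inner layer, so output depends on that layer as much as on the X9.31 step; that is what "two layers of RNGs" amounts to in this model. A real deployment would replace <code>feeder</code> with a proper DRBG.</p>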