[Opendnssec-develop] True Random Number Generator
Rickard Bondesson
Rickard.Bondesson at iis.se
Wed Jan 7 14:33:28 UTC 2009
> RSA is a different matter. With that, random material is
> only needed when generating keys. Unless you are signing
> loads and loads of domains you need nothing to speed up
> random generation for that, I'd imagine.
> A _good_ source is still advisable of course, and hardware is
> so incoherent it produces far better generators than software.
>
> When signing for DNSSEC, the choice between RSA and DSA is easy:
> - RSA keysizes can be increased as security demands;
> - RSA needs no masses of random material when in signing operation;
> - RSA validates much quicker than DSA.
I agree that RSA is a good choice. Currently there is no support for DSA in SoftHSM. A hardware TRNG is thereby, as for OpenDNSSEC, not a high priority; it is just a nice thing, but it would need device-dependent code since there is no standardized interface. I will make it easy to extend the SoftHSM with such code.
> Hope this helps,
Yeah, thank you.
// Rickard