[Opendnssec-develop] True Random Number Generator
John Dickinson
jad at jadickinson.co.uk
Thu Jan 8 12:36:43 UTC 2009
On 7 Jan 2009, at 14:33, Rickard Bondesson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> RSA is a different matter. With that, random material is
>> only needed when generating keys. Unless you are signing
>> loads and loads of domains you need nothing to speed up
>> random generation for that, I'd imagine.
>> A _good_ source is still advisable of course, and hardware is
>> so incoherent it produces far better generators than software.
>>
>> When signing for DNSSEC, the choice between RSA and DSA is easy:
>> - RSA keysizes can be increased as security demands;
>> - RSA needs no masses of random material when in signing operation;
>> - RSA validates much quicker than DSA.
>
> I agree that RSA is a good choice. Currently there is no support for
> DSA in SoftHSM. Hardware TRNG is thereby, as for OpenDNSSEC, not a
> high priority, just a nice thing but would need device dependent
> code since there is no standardized interface. I will make it easy
> to extend the SoftHSM with such code.
I did use one of those Araneus things once. I seem to remember it
being easy to create a file full of random data. Would it be better to
have the Araneus appear as an alternative /dev/random device that you
point the softHSM at? Or am I completely misunderstanding?
One other thing that I thought would be good is if the softHSM can be
complete enough to work with an OpenSSL pkcs11 engine (like the OpenSC
one). I know we don't want that for OpenDNSSEC but it might be a good
feature to have. WDYT?
Thanks
John
More information about the Opendnssec-develop
mailing list