[Opendnssec-develop] True Random Number Generator

John Dickinson jad at jadickinson.co.uk
Thu Jan 8 13:35:30 UTC 2009


On 8 Jan 2009, at 12:57, Rickard Bondesson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> I did use one of those Araneus things once. I seem to remember it
>> being easy to create a file full of random data. Would it be
>> better to
>> have the Araneus appear as an alternative /dev/random device
>> that you
>> point the softHSM at? Or am I completely misunderstanding?
>
> I would implement an interface to the internal RNG that would pull  
> random data from the USB via libusb.
> But do you mean that the user should manually pull data from the  
> Araneus and mount this. This source of data would then only last for  
> a limited time, so I think it is better to let the SoftHSM do the  
> pulling.

Sorry, I wasn't clear. They were two separate threads of thought. What  
I meant is an application?? or kernel module?? that gets random data  
via libusb and presents it as something like /dev/random to the  
applications that might want to use it. So any application that allows  
you to specify the random device (like the -r option to dnssec-keygen)  
can use it.

>> One other thing that I thought would be good is if the
>> softHSM can be
>> complete enough to work with an OpenSSL pkcs11 engine (like
>> the OpenSC
>> one). I know we don't want that for OpenDNSSEC but it might
>> be a good
>> feature to have. WDYT?
>
> SoftHSM will be PKCS11 compliant, but will not implement all of the  
> functions. I have not checked if these demand more functionality  
> than we do, but it is sure a good thing to do. However, if we want  
> more functionality like certificate or symmetric key handling then  
> SoftHSM must be redesigned. With, as mentioned in a conversation in  
> December, a loss of performance.

I agree this should only be done if it is a question of supporting the  
correct attributes or something simple. Adding certs or symmetric keys  
is too much. I did try getting the opensc engine to talk to softHSM  
and it kept complaining about things (they seemed minor) but I didn't  
note down what they were - I will try again and post a summary.

John



More information about the Opendnssec-develop mailing list