[Opendnssec-user] ods-signerd calling vmstat?!?
Rickard Bellgrim
rickard at opendnssec.org
Mon Sep 2 08:51:17 UTC 2013
On Mon, Sep 2, 2013 at 9:47 AM, Jakob Schlyter <jakob at kirei.se> wrote:
> On 30 aug 2013, at 17:44, Paul Wouters <paul at nohats.ca> wrote:
>
> > Wow, that is pretty epic - in a bad way...... Am I really trusting
> opendnssec
> > to generate RSA keys with the below code for entropy? filenames in /tmp?
>
> Although I agree this is bad - have you checked if these are the ONLY
> entropy sources used by Botan?
>
Botan has a global RNG which is seeded by e.g. vmstat and filenames in
/tmp. get_**default_sources() has a long list of sources, where vmstat is
one of them. Trace the call to get_**default_sources() and you will see
that there are also other sources added before the default ones are added.
SoftHSM uses Botan::AutoSeeded_RNG which is derived from the global RNG.
All RSA operations (except generating the random number for the RSA
blinding) are done by using the RNG supplied by SoftHSM to Botan. This link
describes how RNGs are handled by Botan.
http://botan.randombit.net/rng.html
Currently, you can add more entropy by calling the PKCS#11
function C_SeedRandom(). It is however recommended to use a real HSM to get
a much better RNG.
When it comes to the use of vmstat and similar. What we could do is not to
use the Botan::AutoSeeded_RNG and just seed a Botan RNG with other sources.
This would fix all functions calls except the RSA blinding. Perhaps it is
better to fix the get_**default_sources() in Botan? Then we could use the
Botan implementation and be more platform independent.
// Rickard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130902/58b6b6f0/attachment.htm>
More information about the Opendnssec-user
mailing list