apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@algroup.co.uk>
Subject Re: random number generation
Date Mon, 31 Dec 2001 15:25:20 GMT
"William A. Rowe, Jr." wrote:
> 
> From: "Ben Laurie" <ben@algroup.co.uk>
> Sent: Saturday, December 29, 2001 3:25 PM
> 
> > Justin Erenkrantz wrote:
> >
> > > AIUI, we must also consider that OpenSSL will do some magic to
> > > the seed value on its own, so it *should* make it slightly better.
> > > It'd be nice to get some input from the OpenSSL folks as they've
> > > probably thought about this longer than we have (but, I'm afraid
> > > I'm against a random file on-disk as *no one* wants to deal with
> > > that).
> > >
> > > I guess the problem is trying to identify how good we want this to
> > > be.  We'd only use this on platforms that don't have a source of
> > > entropy (i.e. Solaris, AIX, etc.).  We're currently kind of screwed
> > > on these platforms anyway - are any of these options better than
> > > nothing at all?  I'm at a loss as to what we should do.  -- justin
> >
> > I'm completely opposed to us subverting the whole entropy question. It
> > is absolutely unacceptable for Apache to ship with anything that will
> > "fix" the problem of insufficient entropy in any way other than
> > providing sufficient entropy. If this means people have to think, well
> > that's just tough.
> 
> Agreed - but perhaps differently.  It's something of a political question,
> but if OpenSSL is the solution to crypto ... I rather expect it alone has
> the maintainers and contributors to address cross platform entropy.
> 
> My question is --- is it our place to gather entropy; or do we rely upon
> the OpenSSL project to do so across platforms [and fill in the gaps for
> platforms that really offer nothing.]

It would obviously be better to put any improved solutions for entropy
gathering into OpenSSL rather than APR, if that's what you mean.

> I'm not against supplimenting Entropy [in fact, Justin and I were joking,
> well half joking, that a simple output filter that recognizes only gzip
> compressed data - could suppliment the entropy.]  I just question if we
> have the resources to address this adaquately, or if it truly belongs in
> the scope of the OpenSSL project itself.

gzip compressed data provides no more entropy than the uncompressed
version of the data - in fact, it provides the same amount. One
advantage of compressed data is that (for certain types of source data)
the compression can give you a better clue as to the amount of entropy
present.

> > BTW, EGD is a cross-platform entropy gatherer. And Solaris has patches
> > to provide /dev/random.
> 
> Interesting.  At least it's dual-licensed [GPL + MIT].  Note it's perl
> based, however.
> 
>   http://sourceforge.net/projects/egd/

As noted later in the thread, I should really have pointed at PRNGd.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Mime
View raw message