cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
Re: [Cacert-sysadm] openSSL/debian debacle -> random numbers for Security Manual
- From: Kim Holburn <kim AT holburn.net>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: [Cacert-sysadm] openSSL/debian debacle -> random numbers for Security Manual
- Date: Thu, 29 May 2008 22:13:10 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
I ran a group of small servers for several years with no moving parts, mini-itx with flash disks and Debian woody at the time. We had real issues getting random numbers because Debian got its random number supply (entropy) from the mechanical artefacts of hard disk activity, which we didn't have. Keyboard and mouse aren't much use to get entropy on a server, and network activity isn't trusted if the servers are under a network attack. We had to compile a daemon that created entropy from the sound card.
Whatever the application, you still need to consider how the randomness is generated, i.e. an entropy source.
On 2008/May/29, at 5:30 PM, Ian G wrote:
With the OpenSSL/debian debacle fresh in our minds, it seems that this would be a good time to think about CAcert's need for good random numbers.

It has frequently been pointed out that random numbers are devilishly difficult to deal with, something made apparent with the recent events. To deal with them requires some sort of process and/or check and/or alternate sources, it would seem.

As Pat is writing the Security Manual, it would seem that this is the place for such a thing; does anyone have a view on a simple procedure for creating a sequence of RNs that is useful for the tasks?

I'm expecting to see something that overcomes simple things like "OpenSSL delivers all zeros and we didn't notice..."

I'd guess there are two parts: root keys (high quality needed) and routine protocol work (OpenSSL/httpd, SSH, etc, so "regular" randoms needed, whatever that means).

Any thoughts? Pat, is there an easy place for this in the SM?
http://wiki.cacert.org/wiki/SecurityManual
iang
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim AT holburn.net
aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
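A sanity check of the kind Ian asks for (catching "OpenSSL delivers all zeros and we didn't notice") and a look at the kernel entropy pool Kim's headless servers lacked, added here as an example; it is not from this thread or from CAcert. Function names, the 16-byte block size and the statistical thresholds are my own assumptions, chosen loosely so an honest RNG essentially never fails while degenerate output fails loudly.

```python
import os
from collections import Counter

# Assumed thresholds: a 4096-byte sample puts an honest source ~10 sigma
# inside the monobit bound and ~6 sigma inside the chi-square bound.
MONOBIT_MAX_DEVIATION = 0.03   # allowed |fraction of one bits - 0.5|
CHI_SQUARE_MAX = 400.0         # 255 degrees of freedom: mean 255, sd ~22.6
BLOCK_SIZE = 16                # any repeated 16-byte block is a red flag

def rng_sanity_check(sample: bytes) -> dict:
    """Return {test_name: passed} for a sample of supposedly random bytes."""
    if len(sample) < 1024:
        raise ValueError("need at least 1024 bytes for meaningful statistics")
    # Monobit: ones should be about half of all bits (all-zero output fails).
    nbits = len(sample) * 8
    ones = sum(bin(b).count("1") for b in sample)
    monobit_ok = abs(ones / nbits - 0.5) <= MONOBIT_MAX_DEVIATION
    # Chi-square over byte values: catches a heavily biased distribution.
    counts = Counter(sample)
    expected = len(sample) / 256
    chi2 = sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))
    chi2_ok = chi2 <= CHI_SQUARE_MAX
    # Repeated blocks: a short-period generator passes the two tests above
    # yet repeats itself, which real random bytes practically never do.
    blocks = [sample[i:i + BLOCK_SIZE]
              for i in range(0, len(sample) - BLOCK_SIZE + 1, BLOCK_SIZE)]
    no_repeats = len(set(blocks)) == len(blocks)
    return {"monobit": monobit_ok, "chi_square": chi2_ok,
            "no_repeated_blocks": no_repeats}

def rng_is_sane(sample: bytes) -> bool:
    return all(rng_sanity_check(sample).values())

def fresh_sample(n: int = 4096) -> bytes:
    """Bytes from the OS generator, the source actually being checked."""
    return os.urandom(n)

def kernel_entropy_available():
    """Linux only: bits currently in the kernel pool, None elsewhere."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read().strip())
    except OSError:
        return None

if __name__ == "__main__":
    # Constructed degenerate inputs beside a live sample.
    for name, data in [("all zeros", bytes(4096)),
                       ("repeating pattern", bytes(range(256)) * 16),
                       ("os.urandom", fresh_sample())]:
        print(name, rng_sanity_check(data))
    print("entropy_avail:", kernel_entropy_available())
```

A check like this only rules out gross failures; it cannot tell a well-seeded generator from a deterministic one whose output merely looks uniform, so it complements rather than replaces an audited entropy source.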