[OTR-dev] solution for slow key generation
Thorsten Glaser
tg at mirbsd.de
Tue May 20 08:55:54 EDT 2008
Greg Troxel dixit:
>Do you really mean srandom? NetBSD provides
Did you not see my reference to the MirBSD srandom(4) manual page further
below? ;-) I used this term because the actual names of the random devices
differ from platform to platform, so I used the one I’m at home on and put
in a link to the explanation. I know for sure it’s /dev/random on Leenocks.
>I'm not sure this is a good idea. openssl ought to be using /dev/random
Actually, /dev/arandom has better quality on MirBSD (and, possibly, OpenBSD),
even though, strongly mathematically spoken, its entropy _level_ is
not as high (but the numerical quality of the output is better).
>It really depends on whether you want to wait for good quality key bits,
>or to get lesser quality bits faster.
Considering the fact that you can mix a few bytes from srandom (let me use
this name just to avoid confusion with “random” which might be used as a
placeholder for all random devices) with some (as many as needed) bytes
from urandom and still have a high-quality output (that’s what pools are
for after all), _and_ use the -rand option to openssl (-r in my script) to
provide additional entropy, this is a no-issue.
Paranoid people will of course want to continue using srandom exclusively,
but other people won’t want to wait an hour or more on their headless
server for generation of an OTR key for their backup account.
Let me phrase it like this: “We sell rope.” (This is actually a quote from
a NetBSD developer.) Whether you use that rope to hang yourself or do
something clueful with it is up to the user. My script is intended for people
who know what they do (and do not run Debian ;-).
For reference, again: http://www.mirbsd.org/man/srandom.4 ☺
bye,
//mirabilos
--
[...] if maybe ext3fs wasn't a better pick, or jfs, or maybe reiserfs, oh but
what about xfs, and if only i had waited until reiser4 was ready... in the
beginning, there was ffs, and in the middle, there was ffs, and at the end, there
was still ffs, and the sys admins knew it was good. :) -- Ted Unangst über *fs
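
The mix described in the message above (a few bytes from the blocking device, the rest from the non-blocking one, handed to openssl through -rand), as an added example that is not the poster's script or part of the original message. The function names, byte counts, the Linux device names and the `openssl dsaparam` invocation are assumptions.

```shell
#!/bin/sh
# Added example, not the script discussed in the thread.
# make_seed OUT STRONG_DEV STRONG_BYTES FAST_DEV FAST_BYTES
# Writes STRONG_BYTES from the blocking device followed by FAST_BYTES from the
# non-blocking one into OUT (mode 0600). Runs in a subshell so the umask
# change does not leak into the caller.
make_seed() (
    out=$1 strong_dev=$2 strong_n=$3 fast_dev=$4 fast_n=$5
    umask 077
    : > "$out" || exit 1
    # bs=1 matters: a blocking random device may return short reads, so
    # "bs=32 count=1" can silently deliver fewer bytes than requested.
    dd if="$strong_dev" bs=1 count="$strong_n" 2>/dev/null >> "$out" || exit 1
    dd if="$fast_dev" bs=1 count="$fast_n" 2>/dev/null >> "$out" || exit 1
    # Refuse to hand a truncated seed to the key generator.
    got=$(wc -c < "$out" | tr -d ' ')
    if [ "$got" -ne $((strong_n + fast_n)) ]; then
        rm -f "$out"
        exit 1
    fi
)

# gen_dsa_key SEEDFILE KEYFILE
# Assumed command: any openssl key-generation subcommand that accepts -rand
# would do. openssl stirs the file into its own pool; the seed file is extra
# input, not the sole source of the key bits.
gen_dsa_key() {
    openssl dsaparam -rand "$1" -genkey -out "$2" 1024
}

# Stand-alone use: sh this_script --run
# Device names are the Linux ones (assumption); substitute the local
# equivalents of srandom/urandom on other systems.
if [ "${1:-}" = "--run" ]; then
    seed=$(mktemp) || exit 1
    make_seed "$seed" /dev/random 16 /dev/urandom 2048 || exit 1
    gen_dsa_key "$seed" ./example-dsa.pem
    status=$?
    rm -f "$seed"   # the seed is as sensitive as the key; do not keep it
    exit "$status"
fi
```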