[guardian-dev] using /dev/random in openssl

Daniel McCarney daniel at binaryparadox.net
Thu Mar 27 23:31:41 EDT 2014


On 27/03, Hans-Christoph Steiner wrote:
> Anyone have any opinions about generating keys with openssl using /dev/random
> on GNU/Linux? i.e.
> 
>   openssl genrsa -out key.pem -rand /dev/random 2048
> 
> I figure there had been many flaws related to poorly seeded and implemented
> CSPRNGs that might as well just use pure random.  Sure, it takes a lot longer,
> but its only once.

Seems like a good idea to avoid userland csprngs in favour of the OS
csprng. That's what Google recommends on Android too[1].

For what its worth some folks[2] think that /dev/urandom is a better choice.

- Daniel

[1] http://android-developers.blogspot.ca/2013/08/some-securerandom-thoughts.html
[2] http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 620 bytes
Desc: not available
URL: <http://lists.mayfirst.org/pipermail/guardian-dev/attachments/20140327/2d710749/attachment.pgp>


More information about the Guardian-dev mailing list