[Help-gnutls] Re: gnutls 1.2.6 and Mozilla Firefox compatibility problem
Matthias Urlichs
smurf at smurf.noris.de
Mon Sep 19 13:24:57 CEST 2005
Hi,
Nikos Mavrogiannopoulos:
> The kernel's random functions have not really been designed for being used
> in cryptographic libraries that require several levels of randomness --in a
> non blocking way. Also by using /dev/urandom (say for nonces) you also
> deplete the /dev/random pool. This is unacceptable. Thus the best way is to
> use some good PRNG sinstead of the kernel's.
>
There are other possibilities.
- The kernel has a hardware RNG.
- Teach /dev/urandom not to deplete the randomness pool beyond a certain
level, assuming it doesn't do that already.
- Add a /dev/uurandom interface to the kernel which bases its randomness on
/dev/random's internal state, but doesn't itself deplete the pool.
> > I think we should change the GnuTLS default to read from /dev/urandom
> > for pseudo-random data like TLS master secrets.
I agree.
--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
- -
:terminal illness: n. 1. Syn. {raster burn}. 2. The `burn-in' condition
your CRT tends to get if you don't have a screen saver.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: </pipermail/attachments/20050919/efab6d6f/attachment.pgp>
More information about the Gnutls-help
mailing list