Intro

Collection of technical notes for support of the Roots/NewRootsTaskForce and the Roots/CreationCeremony. Also see the SecurityManual.

Creating the Key with OpenSSL

Use these:

openssl x509, openssl ca, openssl genrsa

For research....

Random Feed

Sources of RNGs (daemons) for mixing

Methods of mixing the RNs

cd /proc/sys/kernel/random/
cat uuid            # fetches random from the pool...
cat entropy_avail   # reveals how much is in the pool

Tooling

OpenSSL

Which

version

md5

sha1

current best

OpenSSL=openssl-0.9.8i

OpenSSL_MD5="561e00f18821c74b2b86c8c7786f9d8b"

OpenSSL_SHA1="b2e029cfb68bf32eae997d60317a40945db5a65f"

comments:

current best should have all the best patches in it

FIPS validated

OpenSSL=openssl-fips-1.1.2

OpenSSL_MD5="8d618698947a48e93c57e5808d663669"

OpenSSL_SHA1="e2f210a41469e73d8b2c2793d8925fbbac243fe2"

comments:

FIPS 1.1.2 fixes PRNG bug that was in the 1.1.1 validated version.

policy:

FIPS 1.1.2 is to be read and used with OpenSSL FIPS 140-2 Security Policy Version 1.1.2

OpenPGP

Random Numbers

Misc about /dev/random

Data we could put into /dev/random has to be put more or less slowly

So we could have a script taking bytes from several files, let's say 10 byte from each file at a time, to feed some randomness into the pool

so we can have files with some KB of random stuff from - a camera - turbid (with will be fed automatically) - a laptop - some havege data

The thing is to put the data as slowly as possible not to fill up the pool and loose the random data.

more on /dev/random in OpenSSLHowTo

We can look at /proc/sys/kernel/random/entropy_avail to see if data is feed by turbid or random sources files into the /dev/random pool

Hardware

Script


Roots/TechScript (last edited 2011-02-20 17:24:14 by UlrichSchroeter)