Intro
Collection of technical notes in support of the Roots/NewRootsTaskForce and the Roots/CreationCeremony. Also see the SecurityManual.
Creating the Key with OpenSSL
Use these: openssl genrsa (for the key), openssl x509 and openssl ca (for the certificate work).
For research:
Random Feed
openssl random number seeding: besides its own polling of /dev/urandom, openssl looks for an EGD daemon socket (e.g. /dev/entropy) and honours the RANDFILE environment variable, which names a file holding seed material. Use the -rand option of openssl (a colon-separated list of files or EGD sockets; a FIFO fed by the entropy daemon will do) to add our own seed sources when generating the private key.
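As an added example (not the task force's own script and not taken from this wiki), the following shell functions generate the root key with explicit seed files passed via -rand and then self-sign it. The file names, key size, validity period and subject are assumptions for illustration; the seed files are expected to come from the sources listed under Random Numbers below.

```shell
#!/bin/sh
# Added example, not the task force's script. Generates a private key with
# extra seed material via "openssl genrsa -rand" and self-signs it.
# Assumed: the seed files already exist (turbid output, hashed camera frames, ...).

# make_root_key KEYFILE BITS SEEDFILE...
# -rand takes a colon-separated list of files (or EGD sockets) that OpenSSL
# mixes into its PRNG in addition to its own polling. RANDFILE could name one
# more seed file, but -rand keeps the sources explicit on the command line.
make_root_key() {
    key=$1; bits=$2; shift 2
    [ $# -gt 0 ] || { echo "make_root_key: need at least one seed file" >&2; return 1; }
    seeds=$(printf '%s:' "$@"); seeds=${seeds%:}
    # subshell so the restrictive umask (key must never be group/world readable)
    # does not leak into the caller
    ( umask 077; openssl genrsa -rand "$seeds" -out "$key" "$bits" 2>/dev/null )
}

# make_root_cert KEYFILE CERTFILE DAYS SUBJECT : self-signed root certificate
make_root_cert() {
    openssl req -new -x509 -sha256 -key "$1" -days "$3" -subj "$4" -out "$2" 2>/dev/null
}

# key_bits KEYFILE : print the modulus size; prints 0 and fails if the key does
# not parse or does not pass OpenSSL's consistency check
key_bits() {
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1 || { echo 0; return 1; }
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# cert_is_self_signed CERTFILE : subject and issuer must be identical
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  2>/dev/null | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Usage: ./mkroot.sh --run seedfile1 seedfile2 ...   (assumed file names)
if [ "${1-}" = "--run" ]; then
    shift
    make_root_key root.key 4096 "$@" &&
    make_root_cert root.key root.crt 3650 '/O=Example/CN=Example Root' &&
    echo "root.key: $(key_bits root.key) bit; root.crt self-signed: $(cert_is_self_signed root.crt && echo yes || echo no)"
fi
```

The seed files are only an addition to OpenSSL's own polling, so a weak seed file does not make the key worse than a plain genrsa run; the point is to bring the externally collected entropy into the process in a way that is visible on the command line and in the ceremony recording.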
Sources of RNGs (daemons) for mixing
- HAVEGE (needs Linux): takes randomness from the internal state of the CPU, which is more or less random because of the frequent context switches in the system.
- /dev/random, which anyone may write to (the data is mixed into the pool) but which only root can credit with entropy via the RNDADDENTROPY ioctl, and /dev/[us]random.
- turbid, which provides a mechanism for obtaining entropy via the ALSA audio drivers on Linux (academic report). Must be calibrated. Turbid can seed OpenSSL via a FIFO or via /dev/random. Use the standard Turbid code; the paper describes the theoretical background and the how-to.
- CCD noise method:
  - one suggestion is photos of white or grey backgrounds
  - another is here: LavaRnd
  - then hash the frames
Methods of mixing the RNs
- feed all sources into /dev/random. Problems:
  - how do we know it is working? Use the verbose mode of the feeding program to show that it is working. What is that?
  - these commands check that the pool is alive:
    cd /proc/sys/kernel/random/
    cat uuid            # fetches random data from the pool
    cat entropy_avail   # reveals how much the kernel thinks is in the pool
- XOR all the different sources together. Problems:
  - XOR can be attacked if the other inputs can be seen: a source under an attacker's control that knows the other inputs can cancel them out.
- encrypt one feed with the key taken from the other feed. Problems:
  - need to read the code, and
  - need to chain it for more than 2 feeds.
- concatenate all sources and SHA2 them
  - it was pointed out on crypto that a better way would be to append all the different sources and hash the result, as XOR can be attacked if the other inputs can be seen
- concatenate by mixing on byte level
Tooling
OpenSSL
Which: current best
  version:  OpenSSL=openssl-0.9.8i
  md5:      OpenSSL_MD5="561e00f18821c74b2b86c8c7786f9d8b"
  sha1:     OpenSSL_SHA1="b2e029cfb68bf32eae997d60317a40945db5a65f"
  comments: current best should have all the best patches in it
Which: FIPS validated
  version:  OpenSSL=openssl-fips-1.1.2
  md5:      OpenSSL_MD5="8d618698947a48e93c57e5808d663669"
  sha1:     OpenSSL_SHA1="e2f210a41469e73d8b2c2793d8925fbbac243fe2"
  comments: FIPS 1.1.2 fixes the PRNG bug that was in the 1.1.1 validated version.
  policy:   FIPS 1.1.2 is to be read and used with the OpenSSL FIPS 140-2 Security Policy Version 1.1.2
http://www.openssl.org/source/ to download all versions (use the FTP links to see the hashes). Check the downloaded tarball against both the MD5 and the SHA1 recorded above: MD5 alone is no longer collision resistant, and a hash file fetched from the same server as the tarball only shows the download was not corrupted in transit, so the values kept on this page are the reference.
${WGET} -v -O ${OpenSSL}.tar.gz http://www.openssl.org/source/${OpenSSL}.tar.gz
${WGET} -v -O ${OpenSSL}.tar.gz.md5 http://www.openssl.org/source/${OpenSSL}.tar.gz.md5
OpenPGP
GnuPG integrity checking:
- GNUPG=gnupg-1.4.9 GNUPG_SHA1="826f4bef1effce61c3799c8f7d3cc8313b340b55" GNUPG_MD5="cc52393087480ac8d245625004a6a30c"
- GNUPG2=gnupg-2.0.9 GNUPG2_SHA1="959bdb934e3a72d256bfbd0122d996a73adb5d1f"
${WGET} -v -O ${GNUPG}.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/${GNUPG}.tar.bz2
${WGET} -v -O ${GNUPG2}.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/${GNUPG2}.tar.bz2
echo "$GNUPG_MD5  ${GNUPG}.tar.bz2" >${GNUPG}.tar.bz2.md5     # two spaces: the line format md5sum -c expects
md5sum -c ${GNUPG}.tar.bz2.md5
echo "$GNUPG_SHA1  ${GNUPG}.tar.bz2" >${GNUPG}.tar.bz2.sha1
sha1sum -c ${GNUPG}.tar.bz2.sha1
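The check that the wget and echo lines above prepare for, written out as an added example (not the task force's own script): compute both digests of a downloaded tarball and compare them with the values recorded on this page, refusing the file if either differs. The fetch helper reuses the page's OpenSSL URL and hashes; whether that server still serves the old tarball at that path is an assumption.

```shell
#!/bin/sh
# Added example, not the wiki's script: verify a downloaded tarball against the
# MD5 and SHA1 recorded on this page. Both must match; a single mismatch fails.
WGET=${WGET:-wget}

# hash_of ALGO FILE : lowercase hex digest computed with coreutils
hash_of() {
    case $1 in
        md5)  set -- md5sum  "$2" ;;
        sha1) set -- sha1sum "$2" ;;
        *)    echo "hash_of: unknown algorithm $1" >&2; return 2 ;;
    esac
    "$@" | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_download FILE EXPECTED_SHA1 EXPECTED_MD5 : exit 0 only if both match.
# Expected values are normalised to lowercase so copy-pasted uppercase is fine.
verify_download() {
    file=$1
    want_sha1=$(echo "$2" | tr 'A-F' 'a-f')
    want_md5=$(echo "$3" | tr 'A-F' 'a-f')
    status=0
    if [ ! -s "$file" ]; then
        echo "$file: missing or empty" >&2
        return 1
    fi
    got=$(hash_of sha1 "$file")
    if [ "$got" = "$want_sha1" ]; then
        echo "$file: SHA1 ok"
    else
        echo "$file: SHA1 MISMATCH (got $got, want $want_sha1)" >&2; status=1
    fi
    got=$(hash_of md5 "$file")
    if [ "$got" = "$want_md5" ]; then
        echo "$file: MD5 ok"
    else
        echo "$file: MD5 MISMATCH (got $got, want $want_md5)" >&2; status=1
    fi
    return $status
}

# fetch_and_verify NAME URLBASE SHA1 MD5 : download NAME.tar.gz and delete it
# again unless both recorded digests match, so a bad file never lingers.
fetch_and_verify() {
    $WGET -v -O "$1.tar.gz" "$2/$1.tar.gz" || return 1
    verify_download "$1.tar.gz" "$3" "$4" || { rm -f "$1.tar.gz"; return 1; }
}

# Values and URL as given on this page for the "current best" OpenSSL.
OpenSSL=openssl-0.9.8i
OpenSSL_MD5="561e00f18821c74b2b86c8c7786f9d8b"
OpenSSL_SHA1="b2e029cfb68bf32eae997d60317a40945db5a65f"
if [ "${1-}" = "--fetch" ]; then
    fetch_and_verify "$OpenSSL" http://www.openssl.org/source "$OpenSSL_SHA1" "$OpenSSL_MD5"
fi
```

The same verify_download call works for the GnuPG tarballs with the GNUPG_SHA1/GNUPG_MD5 values above; for gnupg-2.0.9 only a SHA1 is recorded on this page, so the MD5 argument would have to be obtained from a second source first.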
Random Numbers
- Turbid software with hardware tooling (audio cabling, voltmeter) to generate a seed with a reported entropy figure (see the Turbid study).
  - turbid_MD5="b5170bccaf06ec905a75042cc95ce965"
    ${WGET} -v -O turbid.tgz http://www.av8n.com/turbid/turbid.tgz
  - turbid makes use of the ALSA audio drivers and a sound card:
    - sound card to be used: Creative SB PC128 CT4700, in full duplex mode
    - Turbid QA box, stereo audio cabling, Fluke 10 multimeter for the saturation calibration
    - ENS1370 sound card specific turbid settings: 208 mV saturation, Q=1.17e-05, Rin=25719 (card input impedance), Kout=1.47961, bandwidth 4556, Vin/Vmeter 0.9996 (should be very close to 1).
    - There is a script available for redoing the sound card calibration (estimated calibration time: 3 hours)
- webcam for a cheap & cheerful piccy_rng
  - frame grabber bearshand_Ver.0.7.4.0e.zip BEARSHAND_MD5="ca0b974adbc496d96a7981c9697d8572"
- /dev/random
  - must not use /dev/urandom
  - this holds on Linux only, not on *BSD: there /dev/random is synonymous with /dev/urandom, so it cannot serve the entropy-collection purpose described here.
Misc about /dev/random
Data we put into /dev/random has to be written more or less slowly.
So we could have a script taking bytes from several files, say 10 bytes from each file at a time, to feed some randomness into the pool.
We can have files with some KB of random material from: a camera; turbid (which will feed the pool automatically); a laptop; some HAVEGE data.
The point is to feed the data at the rate the pool actually consumes it rather than all at once: input that arrives while the pool is already full is mixed in, but the entropy credit for it is lost.
more on /dev/random in OpenSSLHowTo
We can look at /proc/sys/kernel/random/entropy_avail to see whether data is being fed into the pool, but note what it measures: a plain write to /dev/random mixes the data in without crediting any entropy, so the counter only moves for feeders that use the RNDADDENTROPY ioctl (rngd does; check that turbid does before relying on this readout for it). A script that merely writes random source files into /dev/random will not show up there.
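The feeder sketched above, written out as an added example rather than the task force's own script: each round takes 10 bytes from every source file, concatenates and SHA-256 hashes them (the mixing method preferred above, not XOR), writes the digest to /dev/random and prints entropy_avail afterwards. Source file names, round count and pause are assumptions; the pool device and the entropy_avail path are parameters so the functions can be exercised against ordinary files without root.

```shell
#!/bin/sh
# Added example, not the wiki's script. Slowly mixes several seed files into
# the kernel pool. Chunks from every source are concatenated and hashed
# (SHA-256) rather than XORed, so one readable source cannot cancel another.
POOL_DEV=${POOL_DEV:-/dev/random}
ENTROPY_AVAIL=${ENTROPY_AVAIL:-/proc/sys/kernel/random/entropy_avail}
CHUNK=10      # bytes per source per round, as suggested in the notes

# mix_chunk OFFSET FILE... : CHUNK bytes at OFFSET from every file, concatenated
# and hashed; prints 64 hex characters. Short files simply contribute less,
# unreadable ones are reported and skipped.
mix_chunk() {
    offset=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "mix_chunk: cannot read $f" >&2; continue; }
        dd if="$f" bs=1 skip="$offset" count="$CHUNK" 2>/dev/null || :
    done | sha256sum | cut -d' ' -f1
}

# hex2bin HEX : raw bytes for a hex string, using only POSIX printf
hex2bin() {
    hex=$1
    while [ ${#hex} -ge 2 ]; do
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# pool_entropy : the kernel's current estimate of bits in the input pool
pool_entropy() { cat "$ENTROPY_AVAIL"; }

# feed_pool ROUNDS PAUSE FILE... : one 32-byte mixed digest per round, then wait.
# Caveat: a plain write(2) to /dev/random is mixed into the pool but NOT
# credited, so entropy_avail will not rise because of this script; only the
# RNDADDENTROPY ioctl (root, e.g. rngd) adds credit. The readout therefore shows
# what the kernel's own sources and any crediting daemon are doing.
feed_pool() {
    rounds=$1; pause=$2; shift 2
    round=0
    while [ "$round" -lt "$rounds" ]; do
        hex2bin "$(mix_chunk $((round * CHUNK)) "$@")" >> "$POOL_DEV"
        echo "round $round: wrote 32 bytes to $POOL_DEV, entropy_avail=$(pool_entropy)"
        round=$((round + 1))
        sleep "$pause"
    done
}

# Usage: ./feed.sh --run camera.bin turbid.bin laptop.bin havege.bin   (assumed names)
if [ "${1-}" = "--run" ]; then
    shift
    feed_pool 100 2 "$@"
fi
```

Because the sources are consumed by offset, the same bytes are never written twice; when the shortest file is exhausted the remaining files still contribute and the hash output keeps its full 32 bytes.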
Hardware
- stand-alone Linux machine booted from a standard live CD to generate the private keys
- USB sticks for archiving passwords and keys
- video recorder for recording the process.
Script