[16577] in cryptography@c2.net mail archive


Re: SSL/TLS passive sniffing

daemon@ATHENA.MIT.EDU (John Denker)
Wed Dec 22 12:30:18 2004

X-Original-To: cryptography@metzdowd.com
Date: Wed, 22 Dec 2004 11:49:18 -0500
From: John Denker <jsd@av8n.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: cryptography@metzdowd.com
In-Reply-To: <877jne5k84.fsf@deneb.enyo.de>

Florian Weimer wrote:

> Would you recommend to switch to /dev/urandom (which doesn't block if
> the entropy estimate for the in-kernel pool reaches 0), and stick to
> generating new DH parameters for each connection, 

No, I wouldn't.

> or ...
> generate them once per day and use it for several connections?

I wouldn't do that, either.




If the problem is a shortage of random bits, get more random bits!

Almost every computer sold on the mass market these days has a sound
system built in. That can be used to generate industrial-strength
randomness at rates more than sufficient for the applications we're
talking about.  (And if you can afford to buy a non-mass-market
machine, you can afford to plug a sound-card into it.)

For a discussion of the principles of how to get arbitrarily close
to 100% entropy density, plus working code, see:
   http://www.av8n.com/turbid/

