[19363] in cryptography@c2.net mail archive
RNG quality verification
daemon@ATHENA.MIT.EDU (Philipp =?iso-8859-1?q?G=FChring?=)
Thu Dec 22 11:35:19 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: Philipp =?iso-8859-1?q?G=FChring?= <pg@futureware.at>
To: cryptography@metzdowd.com
Date: Thu, 22 Dec 2005 10:28:47 +0100
X-MDaemon-Deliver-To: cryptography@metzdowd.com
Hi,
I have been asked by to verify the quality of the random numbers which are=
=20
used for certificate requests that are being sent to us, to make sure that=
=20
they are good enough, and we don=B4t issue certificates for weak keys.
The client applications that generate the keys and issue the certificate=20
requests are the usual software landscape OpenSSL, IE, Firefox,=20
SmartCards, ... and we would like to be able to accept all normally used=20
software.
We are being asked to either issue the keys for our users (I don=B4t want t=
o),=20
or alternatively demand the users to have good quality random numbers with =
a=20
contract for the user. Now it might be easy that I demand the user to have=
=20
good random numbers, but the first question will likely be "and how do I do=
=20
that?" or "which software/hardware does that?"
So I guess I have to ask the vendors, whether ther random numbers are good=
=20
enough. But what if they just say "yes" or "no"?=20
I think the better way would be if I had a possibility to verify the qualit=
y=20
of the random numbers used in a certificate request myself, without the=20
dependence on the vendor.
=46rom what I remember of the usual RSA key generation, random numbers gath=
ered=20
are being put into a field with the expected keysize. Then the first and la=
st=20
bit is set to 1, to make sure that the key has the necessary size, and to=20
have it odd (not to be devidable by 2). Then it is verified for primeness,=
=20
and if the check is ok, the number is used.
So if I extract the key, remove the first and the last bit, then I should h=
ave=20
the pure random numbers that are being used. If I do that with lots of keys=
,=20
I should have a good amount of random material for the usual statistical=20
tests.
Am I right? Am I wrong?
Has anyone done that before?
Any other, better ideas?
Should I do it that way?
Best regards,
Philipp G=FChring
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
