Q: Where do I get random numbers for my certificate keypair?

Random numbers in Common-Off-The-Shelf products

Crypto research on random number sources concentrates on the technical sources behind the scenes; little research has been done on the randomness of the ready-to-use products that are widely used in practice.

In our opinion it does not make much sense for a CA to demand that its users use good random numbers for their keypairs without giving any hint as to where they could get them, or where they definitely can't get them.

This is the list of FIPS certified random number generators: http://csrc.nist.gov/cryptval/rng/rngval.html http://csrc.nist.gov/rng/SP800-22b.pdf

| Product | Vendor | Status |
|---|---|---|
| OpenSSL | OpenSSL | http://www2.futureware.at/~philipp/RNGQA-light.tar.bz2 |
| IE | Microsoft | |
| PGP | PGP Corporation | PGP 5.? had a flaw, newer versions should be ok |
| Navigator | Netscape | older versions (which?) had a flaw |
| Firefox | Mozilla | |

How can I test the random numbers behind a certificate?

Since the random numbers are used for the private key (p, q of RSA), they don't go into the public key, which is part of a certificate request. So the CA doesn't see the random numbers, and therefore can't verify their quality directly.

http://www2.futureware.at/~philipp/RNGQA-light.tar.bz2

It is not yet clear whether that method will work; any feedback is highly appreciated!
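
An indirect check that needs only public keys, given here as an added example (not part of the original page, and not a description of what RNGQA-light does): keys generated from poor randomness can end up sharing a prime with another key, and a GCD across the submitted moduli shows this without the CA ever seeing p or q. The moduli are constructed toy values, and `shared_factor_indices` and `is_plausible` are hypothetical helper names.

```python
"""Flag RSA public moduli that share a prime factor with another modulus.

Constructed toy moduli only. Real moduli are 2048 bits or more and would be
extracted from certificate requests; that parsing is outside this example.
"""
from math import gcd, prod


def is_plausible(n):
    """An RSA modulus must be an odd integer larger than 3."""
    return n > 3 and n % 2 == 1


def shared_factor_indices(moduli):
    """Return indices of moduli that should be rejected.

    A modulus is flagged if it is malformed, or if it has a common factor
    with any other submitted modulus (this includes exact duplicates).
    Instead of comparing every pair, each modulus is compared once against
    the product of all the others.
    """
    valid = [n for n in moduli if is_plausible(n)]
    total = prod(valid)
    flagged = []
    for i, n in enumerate(moduli):
        if not is_plausible(n):
            flagged.append(i)
        elif gcd(n, total // n) != 1:
            # total // n is the product of the other valid moduli
            flagged.append(i)
    return flagged


# Constructed sample: keys 0 and 2 were "generated" with the same prime 101,
# as would happen if two requesters used an RNG with too little entropy.
SAMPLE_MODULI = [
    101 * 103,
    107 * 109,
    101 * 113,
    127 * 131,
]

if __name__ == "__main__":
    for idx in shared_factor_indices(SAMPLE_MODULI):
        print(f"modulus #{idx} shares a factor with another key: reject")
```

A clean result from this check does not show that the random numbers were good; it only rules out one visible symptom of bad ones.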

Where can I get random number generators?

http://sig.cacert.at/cgi-bin/rngresults

Where can I test my own random numbers?

http://sig.cacert.at/random/

Requirements for a random number generator

https://financialcryptography.com/requirements/qdrng.html

http://www.cypherpunks.to/~peter/06_random.pdf

Secure programming, chapter about random numbers. Also includes good historical examples of mistakes that were made.

http://en.wikipedia.org/wiki/Randomness

Wikipedia on Randomness

http://www.cs.berkeley.edu/~daw/rnd/

Good links

http://www.intel.com/design/chipsets/manuals/298029.htm

Intel documentation


RandomNumbers (last edited 2013-09-12 10:25:14 by UlrichSchroeter)