Cryptographically strong random

Cryptographically strong random

Joel Reymont-2
Folks,

I understand that SSL in Erlang is based on OpenSSL. That library also
comes with a cryptographically strong random implementation but that
bit is not included in Erlang SSL.

Is there a cryptographically strong implementation for Erlang?

What is the easiest way to hook up into the Erlang SSL to bring in
OpenSSL random? Build it as a linked-in driver?

    Thanks, Joel

--
http://wagerlabs.com/tech



Cryptographically strong random

Claes Wikström
On Mon, Apr 18, 2005 at 12:58:50PM +0300, joel reymont wrote:
> Folks,
>
> I understand that SSL in Erlang is based on OpenSSL. That library also
> comes with a cryptographically strong random implementation but that
> bit is not included in Erlang SSL.
>
> Is there a cryptographically strong implementation for Erlang?


We do:


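%% Returns Length random ASCII letters (a-z, A-Z) read from /dev/urandom.
%% os:cmd/1 captures stderr as well as stdout, so dd's status lines are
%% sent to /dev/null to keep them out of the byte stream.
random_ascii_str(Length) ->
    random_ascii_str(Length, os:cmd("dd if=/dev/urandom count=1 2>/dev/null"), [], 0).
%% Enough letters collected: return the accumulator.
random_ascii_str(Length, _, Ret, Length) ->
    Ret;
%% Keep bytes that are ASCII letters, skip everything else.
random_ascii_str(Length, [H|T], Ack, Sofar) ->
    if
        $a =< H,
        H =< $z ->
            random_ascii_str(Length, T, [H|Ack], Sofar+1);
        $A =< H,
        H =< $Z ->
            random_ascii_str(Length, T, [H|Ack], Sofar+1);
        true ->
            random_ascii_str(Length, T, Ack, Sofar)
    end;
%% Block used up: read another one from /dev/urandom.
random_ascii_str(Length, [], Ack, Sofar) ->
    random_ascii_str(Length, os:cmd("dd if=/dev/urandom count=1 2>/dev/null"), Ack, Sofar).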





>
> What is the easiest way to hook up into the Erlang SSL to bring in
> OpenSSL random? Build it as a linked-in driver?
>


Yes, or hack the code in lib/crypto/c_src and lib/crypto/src.
It should be pretty straightforward to extend with the RAND
code from openssl.


/klacke



--
Claes Wikstrom                        -- Caps lock is nowhere and
http://www.hyber.org                  -- everything is under control          
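
An added example, not part of any post in this thread: the same "random ASCII letters" helper written against the crypto application instead of shelling out to dd. It assumes an OTP release whose crypto module exports strong_rand_bytes/1 (backed by OpenSSL's RAND_bytes); the module name strong_ascii and the helper collect/3 are made up for illustration. It goes slightly beyond the post by mapping bytes onto the alphabet with rejection sampling, so every letter is equally likely.

```erlang
%% Added example, not code from the thread. Assumes crypto:strong_rand_bytes/1
%% is available; module and helper names are hypothetical.
-module(strong_ascii).
-export([random_ascii_str/1]).

-define(ALPHABET, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ").
%% 52 letters. 208 = 4 * 52 is the largest multiple of 52 that fits in a
%% byte, so bytes 208..255 are rejected to avoid modulo bias.
-define(LIMIT, 208).

%% Returns a string of Length letters from a cryptographically strong source.
-spec random_ascii_str(non_neg_integer()) -> string().
random_ascii_str(Length) when is_integer(Length), Length >= 0 ->
    collect(Length, <<>>, []).

%% Enough letters collected.
collect(0, _Pool, Acc) ->
    Acc;
%% Pool used up: fetch a new batch, with a little slack for rejected bytes.
collect(N, <<>>, Acc) ->
    collect(N, crypto:strong_rand_bytes(N + 16), Acc);
%% Accepted byte: map it uniformly onto the alphabet.
collect(N, <<B, Rest/binary>>, Acc) when B < ?LIMIT ->
    Letter = lists:nth((B rem 52) + 1, ?ALPHABET),
    collect(N - 1, Rest, [Letter | Acc]);
%% Rejected byte (208..255): drop it and continue.
collect(N, <<_Rejected, Rest/binary>>, Acc) ->
    collect(N, Rest, Acc).
```

A 22-letter result carries about 125 bits (22 * log2(52)), which is a useful sizing rule when the string is used as a token or password.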



Cryptographically strong random - /dev/urandom ?

Roger Larsson
On Monday 18 April 2005 18.57, klacke wrote:

> On Mon, Apr 18, 2005 at 12:58:50PM +0300, joel reymont wrote:
> > Folks,
> >
> > I understand that SSL in Erlang is based on OpenSSL. That library also
> > comes with a cryptographically strong random implementation but that
> > bit is not included in Erlang SSL.
> >
> > Is there a cryptographically strong implementation for Erlang?
>
> We do:
>
>
> random_ascii_str(Length) ->
>     random_ascii_str(Length, os:cmd("dd if=/dev/urandom count=1"), [], 0).

from "man urandom"
       When  read,  /dev/urandom  device  will  return  as  many  bytes as are
       requested.  As a result, if there is  not  sufficient  entropy  in  the
       entropy  pool,  the  returned  values are theoretically vulnerable to a
       cryptographic attack on the algorithms used by the  driver.   Knowledge
       of how to do this is not available in the current non-classified
       literature, but it is theoretically possible that such an attack may  exist.
       If this is a concern in your application, use /dev/random instead.

/RogerL



Cryptographically strong random - /dev/urandom ?

Luke Gorrie-3
Roger Larsson <roger.larsson> writes:

> On Monday 18 April 2005 18.57, klacke wrote:
> > On Mon, Apr 18, 2005 at 12:58:50PM +0300, joel reymont wrote:
> > > Folks,
> > >
> > > I understand that SSL in Erlang is based on OpenSSL. That library also
> > > comes with a cryptographically strong random implementation but that
> > > bit is not included in Erlang SSL.
> > >
> > > Is there a cryptographically strong implementation for Erlang?
> >
> > We do:
> >
> >
> > random_ascii_str(Length) ->
> >     random_ascii_str(Length, os:cmd("dd if=/dev/urandom count=1"), [], 0).
>
> from "man urandom"
>        When  read,  /dev/urandom  device  will  return  as  many  bytes as are
>        requested.  As a result, if there is  not  sufficient  entropy  in  the
>        entropy  pool,  the  returned  values are theoretically vulnerable to a
>        cryptographic attack on the algorithms used by the  driver.   Knowledge
>        of how to do this is not available in the current non-classified
>        literature, but it is theoretically possible that such an attack may  exist.
>        If this is a concern in your application, use /dev/random instead.

The boring thing with /dev/random is that it can block until you
wiggle the mouse :-)

-Luke (not somebody to take any cryptography advice from)