RNG question

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

RNG question

bashdrew
Hi All,


Can a hardware random number generator replace the
OpenSSL's RNG?  We have an HRNG function which returns
a fix 8-byte random number.  Will this be sufficient
to replace the library's RNG?  If not, why?  Thanks.



Regards,
Andrew




               
__________________________________
Yahoo! Music Unlimited
Access over 1 million songs. Try it free.
http://music.yahoo.com/unlimited/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: RNG question

Frédéric Donnat-2
Hi,

To replace OpenSSL RNG, you just have to make your own ENGINE.
You have some example of such engine in engines directory of openssl 0.9.8.

regards,

Fred

-----Original Message-----
From: Andrew Amargo [mailto:[hidden email]]
Sent: Thu 10/20/2005 5:35 AM
To: [hidden email]
Cc:
Subject: RNG question
Hi All,


Can a hardware random number generator replace the
OpenSSL's RNG?  We have an HRNG function which returns
a fix 8-byte random number.  Will this be sufficient
to replace the library's RNG?  If not, why?  Thanks.



Regards,
Andrew
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: RNG question

bashdrew

Hi Fred,


Thanks for the info.  Does it mean that we can't just
use our HRNG function to generate random number for
OpenSSL?  May I know the reason since I have not
really grasp the concept of RNG in OpenSSL.  Thanks
again.


Regards,
Andrew






--- Frédéric Donnat <[hidden email]> wrote:

> Hi,
>
> To replace OpenSSL RNG, you just have to make your
> own ENGINE.
> You have some example of such engine in engines
> directory of openssl 0.9.8.
>
> regards,
>
> Fred
>
> -----Original Message-----
> From: Andrew Amargo [mailto:[hidden email]]
> Sent: Thu 10/20/2005 5:35 AM
> To: [hidden email]
> Cc:
> Subject: RNG question
> Hi All,
>
>
> Can a hardware random number generator replace the
> OpenSSL's RNG?  We have an HRNG function which
> returns
> a fix 8-byte random number.  Will this be sufficient
> to replace the library's RNG?  If not, why?  Thanks.
>
>
>
> Regards,
> Andrew
>
______________________________________________________________________
> OpenSSL Project                                
> http://www.openssl.org
> User Support Mailing List                  
> [hidden email]
> Automated List Manager                          
> [hidden email]
>



       
               
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

certificate verification

Manuel Schölling
Hi,

I wanna write an peer2peer vpn client using the linux tun/tap device and
openssl (dtls) but I have a problem with the verification of the peer's
public key:
there is no trust center, so none of the peer's certificate is signed by
anybody else than the peer itself.
so I want to create a file in which all the peer's trusted certificates are
listed.
I think I have to set my own verification callback with SSL_set_verify(),
right?
can anybody give me some hints?

cheers,
Manuel

--
NEU: Telefon-Flatrate f?rs dt. Festnetz! GMX Phone_Flat: 9,99 Euro/Mon.*
F?r DSL-Nutzer. Ohne Providerwechsel! http://www.gmx.net/de/go/telefonie
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

what can be the content type (part of Content info ) other than simple data in Signed data

konark

what can be the content type (part of Content info ) other than simple data in Signed data.

 

 

Structure description ................

 

 

SignedData ::= SEQUENCE {

  version Version,

 

  digestAlgorithms DigestAlgorithmIdentifiers,

  contentInfo ContentInfo,

  certificates

      [0] IMPLICIT ExtendedCertificatesAndCertificates

       OPTIONAL,

  crls

    [1] IMPLICIT CertificateRevocationLists OPTIONAL,

signerInfos SignerInfos }

 

ContentInfo ::= SEQUENCE {
 
contentType ContentType,
  content
    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }

->It seems to be content type can only be Simple data ( after looking in to the code )

-> Is it possible to put content type other than simple data like enveloped data when authenticated attributes are present .

 

 

 

Regards,

konark

Reply | Threaded
Open this post in threaded view
|

PKCS7: what can be the content type (part of Content info ) other than simple data in Signed data

konark

Hello Steve,

 

Once again Thanks for your last solution ( Digest info ).

 

I have small doubt about ...

 

 

what can be the content type (part of Content info ) other than simple data in Signed data.

 

 

Structure description ................

 

 

SignedData ::= SEQUENCE {

  version Version,

 

  digestAlgorithms DigestAlgorithmIdentifiers,

  contentInfo ContentInfo,

  certificates

      [0] IMPLICIT ExtendedCertificatesAndCertificates

       OPTIONAL,

  crls

    [1] IMPLICIT CertificateRevocationLists OPTIONAL,

signerInfos SignerInfos }

 

ContentInfo ::= SEQUENCE {
 
contentType ContentType,
  content
    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }

->It seems to be content type can only be Simple data ( after looking in to the code )

-> Is it possible to put content type other than simple data like enveloped data when authenticated attributes are present .

-> I also found that it is checking for other type ( always Octet string ) when simple data ( data type ) is not present

   1. can i assume if simple data is not the type of content info it should go into other type ?

   2. if simple data is not the type of content info i need to encode and save the encoded content . is it so ?

 

 

Regards,

konark

 

Reply | Threaded
Open this post in threaded view
|

PKCS7: what can be the content type (part of Content info ) other than simple data in Signed data

konark

Hello Steve,

 

Once again Thanks for your last solution ( Digest info ).

 

I have small doubt about ...

 

 

what can be the content type (part of Content info ) other than simple data in Signed data.

 

 

Structure description ................

 

 

SignedData ::= SEQUENCE {

  version Version,

 

  digestAlgorithms DigestAlgorithmIdentifiers,

  contentInfo ContentInfo,

  certificates

      [0] IMPLICIT ExtendedCertificatesAndCertificates

       OPTIONAL,

  crls

    [1] IMPLICIT CertificateRevocationLists OPTIONAL,

signerInfos SignerInfos }

 

ContentInfo ::= SEQUENCE {
 
contentType ContentType,
  content
    [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }

->It seems to be content type can only be Simple data ( after looking in to the code )

-> Is it possible to put content type other than simple data like enveloped data when authenticated attributes are present .

-> I also found that it is checking for other type ( always Octet string ) when simple data ( data type ) is not present

   1. can i assume if simple data is not the type of content info it should go into other type ?

   2. if simple data is not the type of content info i need to encode and save the encoded content . is it so ?

 

 

Regards,

konark

 

Reply | Threaded
Open this post in threaded view
|

Re: PKCS7: what can be the content type (part of Content info ) other than simple data in Signed data

Dr. Stephen Henson
On Mon, Nov 14, 2005, Konark wrote:

> Hello Steve,
>
>  
>
> Once again Thanks for your last solution ( Digest info ).
>
>  
>
> I have small doubt about ...
>
>  
>
>  
>
> what can be the content type (part of Content info ) other than simple data
> in Signed data.
>
>  

The high level S/MIME routines have only been tested where the inner content
is of type 'data'. Their behaviour for other types is undefined and it is
quite likely they wont work.

The ASN1 PKCS7 structure should correctly encode other types: its just that
they will largely need to be processed manually.

The syntax of the inner content is one area where S/MIME v2 and S/MIME v3
differ. The V2 syntax is to include the ASN1 structure inside the PKCS#7
structure the V3 syntax encodes the data inside an OCTET STRING in the CMS
structure. V3 is the more sensible thing to do because it avoids possible ASN1
reencoding problems. Doesn't help with OpenSSL though because it only supports
V2.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]