Get good random numbers externally, or by c++ function/lib but not via OS

Question

Get good random numbers externally, or by c++ function/lib but not via OS

jonasstein opened this issue 3 years ago · 3 comments

To not pull random numbers via OS.

Two possible solutions:

a) Unix philosophy: One tool per task.
we drop the key generation by stenc and just provide a manual with shell commands to generate a secure key and explain how to test the random source.
(see also #3)

b) use a proper C++ library
Also include a parameter, which will send a huge amount of the used random to stdout for test purpose:

# user can test, if his library and random source are working.
$> stenc --test-rnd | entropy_checker
Shannon entropy is 8.8

Answer 1 · 2022-04-24T20:08:11.000Z

(b) seems to cause the most work for us without any benefit. I like option (a) most. Users can use their beloved tool to generate the random key. Either a hardware TRNG, a set of tools on the commandline, or whatever. Our key generator will never be better than what the user already has.
But this change should go to a major milestone release, if we go this way. @ninthclowd what Do you think about it?

Answer 2 · 2022-04-25T03:18:28.000Z

Personally I like your idea of dropping key generation and leave it to tools that are built for that purpose. Maybe just update the man pages with an example of how to do so with openssl?

Answer 3 · 2022-04-25T15:20:22.000Z

I also think removing key generation and documenting how to use utilities makes the most sense. Off the top of my head openssl rand -hex 32 or xxd -p -l 32 -c 64 /dev/urandom do the job.