When using openssl I've been taught to use RAND_load_file and RAND_write_file to ensure the library uses good entropy at all times. However, if RAND_load_file fails because the file does not exist, I need to get entropy from some other place. Let's assume I use /dev/random or /dev/urandom to do this. Is it good practice to use RAND_write_file too even though the file did not exist before, considering that I get the initial entropy from a "less good source" such as /dev/urandom?

A: 

I did some research and using the pieces found in this book and generic sources like this one my conclusion is that a good practice is to always use RAND_write_file. From the book I get that /dev/random should always be used and second best is using RAND_load_file. That concludes that even if my application could not read the file this time I should write it for future use by my application or other applications.

That leads to the special case where the file does not exist and /dev/random is not available. If I only use /dev/urandom my seed is potentially weak and if I use RAND_write_file the seed will in theory be weak. I guess at this point it means that if you're really paranoid you never want to write the file since it would be the result of bad seeding. But if you can know the attacker is not present the first time you should be OK since the attacker cannot know what has happened (i.e. if the file has good or predictable entropy). Also an attacker cannot know how many times the RAND_write_file has been used by different applications.

So I guess it depends on the paranoia in your environment; using RAND_write_file is definitely good citizenship, but you don't want to fool other applications into thinking that the file contains good entropy if it does not.

Cellfish