suggestions for a hardware random number generator?

Marcus Morgan marcus at ufl.edu
Fri Sep 5 13:38:38 UTC 2008


Mark,
It took me a little longer than that:

Primary-Name/named:2$~  time /usr/local/bind/sbin/dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n zone example.net
Kexample.net.+005+21756

real    144m15.253s
user    0m0.088s
sys     0m0.008s

The random gathering process can only manage 4 or 5 bits per second.
The only sources of entropy are the disk and ethernet, which are
mostly unused.  An identical server that has traffic manages to
generate about 1400 bits/second.

You might try:  time rngtest -c 1 < /dev/random

which will tell you how long it takes you to generate 20000 random bits.

Enjoy your disorder,
Marcus


On Thu, Sep 4, 2008 at 10:44 AM, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>> It takes me about 85 minutes to generate a 1024 bit key for dnssec.
>> I'd like to install a
>> random number generator to speed the process up.  Do you have any
>> suggestions, recommendations or reviews that I might consider?
>>
>> thanks,
>> -Marcus
>
>        Or just ask on a list for your OS on how to properly configure
>        your /dev/random.
>
>        On a properly configured machine you should be able to
>        generate multiple 1024 bit keys a second.
>
> % time dnssec-keygen -r /dev/random -a RSASHA1 -b 1024 -n zone example.net
> Kexample.net.+005+39426
> 0.150u 0.000s 0:00.17 88.2%     476+286k 0+0io 1pf+0w
> %
>
>        Mark
>
>> On Sat, Aug 30, 2008 at 8:17 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:
>> >
>> >> On Sun, 31 Aug 2008 02:40:36 you wrote:
>> >> > > Hello all-
>> >> > >
>> >> > > The following command-
>> >> > >
>> >> > > /usr/local/sbin/dnssec-keygen -r /dev/random -f KSK -a RSASHA1 -b 1024 -n ZONE example.com
>> >> > >
>> >> > > stalls. The system is Slackware Linux 12.1 with kernel 2.6.23-11.
>> >> > >
>> >> > > Michael
>> >> >
>> >> >     You need to cause the kernel to gather entropy. The way to
>> >> >     do that is to make the kernel do work.
>> >> >
>> >> >     e.g.
>> >> >             ls -R /
>> >>
>> >> While this does increase the entropy to over 3,000, it still doesn't work (and
>> >> the entropy sinks within a few seconds anyway)
>> >
>> >        When generating large keys I just keep running "ls -R /" until the
>> >        key generation completes.  You can also use the keyboard.  Install
>> >        a hardware random number generator and configure the kernel to use
>> >        it (might require a OS change as I don't know if this is supported
>> >        under Linux).
>> >
>> >        Mark
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>> >
>> >
>>
>>
>>
>> --
>> Marcus Morgan
>> UF/OIT/CNS/NS/S
>> marcus at ufl.edu
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
>



-- 
Marcus Morgan
UF/OIT/CNS/NS/S
marcus at ufl.edu
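The measurement Marcus describes (how long /dev/random takes to hand out the 20000-bit block that rngtest -c 1 reads) can be done without risking a hung terminal. The script below is an added example, not code from this thread or from BIND: it opens /dev/random non-blocking, counts EAGAIN stalls instead of waiting on them, gives up at a deadline, and reports the resulting bits/second next to the kernel's entropy_avail counter. The target of 20000 bits and the 10-second deadline are assumptions chosen to match rngtest's block size.

```python
import os
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux only


def entropy_avail():
    """Bits currently in the kernel entropy pool, or None when the file is absent."""
    try:
        with open(ENTROPY_AVAIL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def bits_per_second(nbits, seconds):
    """Throughput in the units quoted in the thread; 0.0 if no time elapsed."""
    return nbits / seconds if seconds > 0 else 0.0


def measure_random_rate(device="/dev/random", target_bits=20000, deadline=10.0):
    """Read up to target_bits from device (one rngtest block by default) without
    blocking. Returns None if the device cannot be opened, else a dict with the
    bits obtained, elapsed seconds, bits/second, the number of times the kernel
    answered EAGAIN (pool drained), and whether the deadline was hit."""
    try:
        fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    want, got, stalls = target_bits // 8, 0, 0
    start = time.monotonic()
    try:
        while got < want and time.monotonic() - start < deadline:
            try:
                got += len(os.read(fd, min(64, want - got)))
            except BlockingIOError:  # EAGAIN: pool empty on a blocking /dev/random
                stalls += 1
                time.sleep(0.05)
    finally:
        os.close(fd)
    elapsed = time.monotonic() - start
    return {"bits": got * 8, "seconds": elapsed,
            "bits_per_second": bits_per_second(got * 8, elapsed),
            "stalls": stalls, "timed_out": got < want}


if __name__ == "__main__":
    print("entropy_avail:", entropy_avail())
    r = measure_random_rate()
    print(r)  # a few bits/s with many stalls means dnssec-keygen will crawl
```

On a starved box the stall count climbs while bits stays small, which is the signature behind the 144-minute keygen above; on a machine with traffic or a hardware RNG feeding the pool the block completes in well under a second.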

