From: Florent Le S. <f.l...@ke...> - 2016-04-26 17:03:08
Hi Andreas,

Of course, I have no doubt about that. My point was just to make sure I understood correctly his point, and to try to summarize all the steps between pressing on the button in EJBCA and getting a private key. I fully agree that entropy also depends on the Java Runtime implementation. I just have to verify that in my case I use /dev/random, and then if I need, there are plenty of methods to improve the entropy pool.

Thanks for your answers,
Florent.

On 26/04/2016 18:43, Andreas Kuehne wrote:
> Hi Florent,
>
> for sure Tomas knows how the ejbca is implemented. But to be sure to
> have a good source of entropy for your keys watch out for several
> pitfalls:
>
> - different Java runtimes may or may not use /dev/random
> - /dev/random has its problems on virtual platforms
> - the OS itself may affect the quality of the random source
>
> If you are reaching out to do serious stuff please consider mixing
> several sources of randomness.
>
> Greetings,
>
> Andreas
>> Hi Tomas,
>>
>> Thank you for your answer.
>>
>> I'm not planning to use HSM, so it will be done via EJBCA directly.
>>
>> So if I understand correctly, the underlying method used by EJBCA to
>> generate private key is via the Java class java.util.Random and the
>> class java.security.SecureRandom.
>> => The keys are generated by the method createCryptoToken from the class
>> CryptoTokenManagementSessionBean which uses SecureRandom()
>> At the end OpenJDK SecureRandom implementation uses /dev/random.
>> So the overall entropy is the entropy of /dev/random.
>>
>> Are those statements correct?
>>
>> Thanks,
>> Florent.
>>
>> On 26/04/2016 12:33, Tomas Gustavsson wrote:
>>> Hi,
>>>
>>> If you use an HSM CA key generation is performed in the HSM.
>>>
>>> As for other randomness you can search for Java Random or SecureRandom.
>>>
>>> Java random is good, and in general uses the OS random source where needed.
>>>
>>> Regards,
>>> Tomas
>>>
>>> On 2016-04-25 17:49, Florent Le Saout wrote:
>>>> Hi,
>>>>
>>>> I'm looking for the method used by EJBCA to generate the private keys in
>>>> general (CA, Sub-CA, certificates...).
>>>>
>>>> _So I have multiple questions, which at the end are all related to the
>>>> same thing:_
>>>>
>>>> * Is the generation process all done in EJBCA application?
>>>> * Or do they rely on Java EE-based application server random number
>>>>   generation (in my case Jboss)?
>>>> * Is there a link somewhere with the locally implemented random number
>>>>   generation, so for instance on Linux /dev/random?
>>>> * What is the level of entropy, and is there some guarantee about a
>>>>   minimum value, and could we improve it by taking some action while
>>>>   it's generating a key?
>>>>
>>>> I looked in the documentation and didn't find any information about
>>>> that, but maybe I missed it.
>>>>
>>>> Thanks for your help,
>>>> Florent.
>>>>
>>>> _______________________________________________
>>>> Ejbca-develop mailing list
>>>> Ejb...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
> --
> Andreas Kühne
> phone: +49 177 293 24 97
> mailto: ku...@tr...
>
> Trustable Ltd. Niederlassung Deutschland
> Gartenheimstr. 39C - 30659 Hannover
> Amtsgericht Hannover HRB 212612
>
> Director Andreas Kühne
>
> Company UK Company No: 5218868 Registered in England and Wales

--
*Florent LE SAOUT*
R&D department
Embedded Software Developer
AUSY contractor for KERLINK
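The check Florent mentions (which source the JVM actually seeds from) and the mixing Andreas recommends, as an added Java example that is not part of the thread or of EJBCA's code. The class name `EntropyCheck` is hypothetical; it assumes Java 8 or later, and the `entropy_avail` read applies to Linux only.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;

public class EntropyCheck {  // hypothetical name, not an EJBCA class
    public static void main(String[] args) throws Exception {
        // Where the JVM is configured to seed from: the java.security file
        // property, and the -Djava.security.egd override if one was passed.
        System.out.println("securerandom.source = "
                + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = "
                + System.getProperty("java.security.egd"));

        // The implementation a bare "new SecureRandom()" resolves to here.
        SecureRandom rng = new SecureRandom();
        System.out.println("default algorithm   = " + rng.getAlgorithm()
                + " (" + rng.getProvider().getName() + ")");

        // Linux only: the kernel's current estimate of pooled entropy, in bits.
        Path avail = Paths.get("/proc/sys/kernel/random/entropy_avail");
        if (Files.isReadable(avail)) {
            System.out.println("entropy_avail       = "
                    + new String(Files.readAllBytes(avail)).trim());
        }

        // Force self-seeding first. With SHA1PRNG, calling setSeed() before
        // the first nextBytes() makes the supplied seed the ONLY seed.
        rng.nextBytes(new byte[1]);

        // Stand-in for a second source (a hardware RNG could be read here
        // instead). getInstanceStrong() may block while the OS gathers entropy.
        byte[] extra = SecureRandom.getInstanceStrong().generateSeed(32);

        // After self-seeding, setSeed() supplements the existing state
        // rather than replacing it.
        rng.setSeed(extra);

        // Hand the mixed generator to key generation explicitly.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, rng);
        KeyPair kp = kpg.generateKeyPair();
        System.out.println("generated " + kp.getPublic().getAlgorithm() + " key pair");
    }
}
```

Run it with the same JVM and the same `-D` options as the application server, since the reported source depends on that runtime's `java.security` file and command line.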