==========================================
RANDOM SEEDS FOR TLS TRANSMISSION IN DCMTK
==========================================

The Transport Layer Security (TLS) protocol relies on a pseudo-random
number generator (PRNG) for the creation of session keys. The ability of
an attacker (e.g. an eavesdropper) to predict the sequence of random
numbers issued by the PRNG would facilitate cryptographic attacks against
the TLS-protected communication. For this reason it is important that the
internal state of the PRNG is initialized with true random data which
cannot be predicted by an attacker.

The OpenSSL library on which DCMTK relies for its TLS functions initially
tests whether the PRNG has been seeded with sufficient random data. If
this test fails, a warning is issued and no secure TLS connection can be
negotiated:

  Warning: PRNG for TLS not seeded with sufficient random data.

For this reason, all TLS-aware DCMTK applications allow the user to
initialize the PRNG with a random seed which is read from a file.
Optionally the (modified) state of the PRNG can be written back to the
file upon termination of the application, providing a new random seed
for the next application run. The command line options that control this
behaviour for the storescu and storescp applications are:

  +rs  --seed             [f]ilename: string
                          seed random generator with contents of [f]
  +ws  --write-seed       write back modified seed (only with --seed)
  +wf  --write-seed-file  [f]ilename: string (only with --seed)
                          write modified seed to file [f]

This document describes sources from which an initial random seed file
containing physical random data can be obtained.

1. Kernel Random Number Source Device

Some modern Unix operating systems (in particular Linux) have a kernel
module that gathers environmental noise from device drivers and other
sources and feeds it into an entropy pool. Random data can be read from
this entropy pool using the /dev/random and /dev/urandom devices (see the
random(4) manual page).

For example, the following command creates a 1024 byte file
"randseed.bin" (two 512 byte blocks) that can be used to seed the OpenSSL
PRNG:

  dd if=/dev/urandom of=randseed.bin count=2

2. GUI content

The content of the screen on systems with a graphical user interface is
hardly predictable for an attacker (unless an application is run as a
service in the background with a well-predictable blank or login screen).
For this reason, the Win32 version of OpenSSL always seeds the PRNG with
the content of the current screen. This feature is built-in and does not
require additional user interaction.

3. Entropy Gathering Demon (EGD)

Entropy Gathering Demon is a user space application (Perl script) that
can be run as a daemon on Unix systems that do not provide a kernel random
number source device. EGD is available from

  http://www.lothar.com/tech/crypto/

On systems where EGD is installed, the "openssl" tool can be used to
generate a random seed for the PRNG from EGD. If the EGD socket is
installed as /etc/entropy, the following command creates a 1024 byte file
"randseed.bin" that can be used to seed the OpenSSL PRNG:

  openssl rand -rand /etc/entropy -out randseed.bin 1024

4. Pseudo Random Number Generator Daemon (PRNGD)

Pseudo Random Number Generator Daemon is a user space application that
"offers an EGD compatible interface to obtain random data and is intended
to be used as an entropy source to feed other software, especially
software based on OpenSSL. Like EGD it calls system programs to collect
entropy. Unlike EGD it does not generate a pool of random bits that can be
called from other software. Rather more it feeds the bits gathered into
the OpenSSL PRNG from which the "random bits" are obtained when requested.
This way, PRNGD is never drained and can never block (unlike EGD), so it
is also suitable to seed inetd-started programs. It also features a
seed-save file, so that it is immediately usable after system start."

PRNGD is available from

  http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

5. Pretty Good Privacy (PGP)

Pretty Good Privacy contains a random data generator that relies on the
time intervals between keystrokes. The following Unix shell commands
would cause PGP 2.6.3i to create a file /tmp/random_data/randseed.bin
with about 1000 bits of random data, which can be used to seed the
OpenSSL PRNG:

  mkdir /tmp/random_data
  chmod 700 /tmp/random_data
  setenv PGPPATH /tmp/random_data
  pgp -kg 1024 -u random

6. Medical Images

Medical image modalities such as CT, MR, Ultrasound or CR produce lots of
unpredictable random noise in the background that is perfectly suited to
initialize a PRNG, given that the image is never made available to a
third party. The following OpenSSL command line would read a DICOM file
"image.dcm" and create a 1024 byte file "randseed.bin" that can be used
to seed the OpenSSL PRNG:

  openssl rand -rand image.dcm -out randseed.bin 1024
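The seed file handed to --seed is only as good as its generation and handling, so the following added shell script (not part of DCMTK) wraps the /dev/urandom procedure from section 1 with the checks an operator would want before each run: the file is created owner-readable only, has exactly the expected size, is not a single repeated byte value (a truncated or misconfigured source), and, after a run with --write-seed, actually differs from the previous seed. It assumes a Unix system with /dev/urandom and the standard POSIX tools dd, od, cmp and wc; the file names are examples.

```sh
#!/bin/sh
# Added example, not DCMTK code: create and sanity-check a seed file for the
# +rs/--seed option of storescu/storescp. Assumes /dev/urandom exists.

SEED_BYTES=1024

# make_seed FILE: write SEED_BYTES of kernel randomness to FILE.
# The seed must not be readable by other users, so it is created under umask 077.
make_seed() {
    old_umask=$(umask)
    umask 077
    dd if=/dev/urandom of="$1" bs=1 count="$SEED_BYTES" 2>/dev/null
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# seed_size FILE: print the size of FILE in bytes.
seed_size() {
    wc -c < "$1" | tr -d ' '
}

# check_seed FILE: succeed only if FILE is usable as a PRNG seed:
#   - exactly SEED_BYTES long (a short read would silently under-seed the PRNG)
#   - contains more than one distinct byte value (rejects all-zero or
#     constant content from a broken or misconfigured entropy source)
check_seed() {
    [ "$(seed_size "$1")" -eq "$SEED_BYTES" ] || return 1
    distinct=$(od -An -v -tu1 "$1" | tr -s ' \n' '\n' | sed '/^$/d' \
               | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -gt 1 ] || return 1
    return 0
}

# seeds_differ OLD NEW: succeed if the two seed files differ. Keep a copy of
# the seed before a run with --write-seed; if the file is unchanged afterwards
# the write-back did not happen and the next run would reuse the same seed.
seeds_differ() {
    ! cmp -s "$1" "$2"
}

# Typical use (storescp also needs the TLS options of your deployment):
#   make_seed randseed.bin && check_seed randseed.bin && cp randseed.bin seed.prev
#   storescp --seed randseed.bin --write-seed ...
#   seeds_differ seed.prev randseed.bin || echo "seed was not written back"
```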