Generating RSA pairs

[Igor de Oliveira Couto]

On 03/05/2013, at 3:30 AM, Dr. Hawkins <dochawk at gmail.com> wrote:

> I need to generate RSA key pairs (one pair per client).
> 
> I see the openssl key generation possibility, but that's still relying
> on my system for "randomness".  I'd *like* to pull random numbers
> (say, from random.org) and generate the keys from those.
> 
> Does anyone have any experience or suggestions for this?

Dr. Hawkins, while using online services like random.org may provide you with a higher level of randomness, it introduces the old problem of internet reliability. Chances are, that one day your program will need that random number, and the server (or the internet connection) will be down. It is always best to have at least some form of local seed generator as a backup.

There are a few well-documented ways to gather usable, unique seeds, such as:

* getting the user to type for 10-20 seconds, randomly picking chars entered (PGP used this technique when initially generating the keys for the user)
* getting the user to move the cursor on the screen and randomly recording mouse coordinates
* parsing time-based readings - ie., getting 'the millisecons', then combining it with 'the internet time', then picking a few of the characters randomly from the resulting string
* asking the user to select 2 or 3 files in their system, and reading random bits from the files

The safest way would be to try and use a combination of 2 or 3 different techniques to generate the seed - ie., getting the user to type text while also doing a time-based seed calculation, and trying to get a random integer from random.org.

Some frameworks have gone through great lengths in their random number generators - like Cocoa - and it may be possible also to bring some of that functionality into LiveCode via externals (but I'm afraid I can't help you with that!).

I hope this helps.

Kind regards,

--
Igor Couto
Sydney, Australia