Ocotillo PRNG

Ocotillo now has its own home page here.

This software is Copyright 1999,2001 Enhanced Software Techologies Inc. It is released for public use under a BSD-style Open Source license. See the file "LICENSE" for the complete license.

This software is intended only for use on Unix platforms such as Solaris, SCO, or HP/UX that do not have a cryptographically strong PRNG available (normal pseudo-random number generators such as rand() produce a random distribution, but they produce a small number of PREDICTABLE random distributions, which is not what we need for cryptographic purposes -- what use is a "random" key that you can easily guess?).

Obtaining

Ocotillo can be downloaded from the Ocotillo directory at ftp.badtux.net.

The tarball contains complete source, a design document, a README, and this index.html file.

Compiling

If you are compiling on a system with a BSD-style "ps" command, leave the "-DBSD_PS" in the Makefile. Otherwise remove that so that Ocotillo will use the Sys V style 'ps' command.

'make ocrandom' creates an executable 'ocrandom' which in turn creates a named pipe /dev/urandom. Your application then can simply read random bytes as needed by opening /dev/urandom and using normal Unix read() calls.

Usage

ocrandom [-f named-pipe-name ]

Simply put 'ocrandom' in your system startup somewhere. It will make the named pipe /dev/urandom automatically. As of ocrandom version 0.3, it will also clean up its named pipe upon recieving an exit signal.

Bugs and Limitations

*WARNING* If you are on Linux or *BSD, this should be merely an instructional tool, the /dev/random and /dev/urandom available on those operating systems is far more secure because, by having access to OS innards, it has much larger sources of true randomness ("entropy").

If you are on Windows, you should use Bruce Schneier's "Yarrow" (http://www.counterpane.com) for similar reasons.

Please read the file "README" and examine the file "ocotillo-design.ps" prior to use of Ocotillo. Ocotillo was written for one specific application ( as the source for cryptographically strong keys and challenges for BRU Professional backup agents ) and has limits that originate with the needs of that application.

There is an odd interaction with OpenSSH. Upon a system crash, the named pipe /dev/urandom may not be cleaned up by ocrandom. If OpenSSH can open a file named '/dev/urandom', it opens it and tries to read a challenge string. Well, if OpenSSH starts up before Ocotillo does, OpenSSH hangs. On Solaris, at least, this can result in the entire system hanging upon boot. Moral of the story: Either use the "-f" option to move the named pipe somewhere else, or start up Ocotillo before you start up OpenSSH.

Export Warning

This software is hosted and authored in the United States and contains cryptographic components. Export of source code to states on the U.S. Department of State list of proscribed terrorist states is expressly prohibited by U.S. law. Use of this software as a component of your own Open Source software requires an export license. However, use as a component in your closed-source software may NOT require an export license, since it provides no cryptographic functionality as designed. Confused? See crypto.com and the Bureau of Export Administration for more information.

See Also


Eric Lee Green
Last modified: Tue Sept 17 14:58:26 MST 2002