
==========================================
RANDOM SEEDS FOR TLS TRANSMISSION IN DCMTK
==========================================

The Transport Layer Security (TLS) protocol relies on a pseudo-random number 
generator (PRNG) for the creation of session keys.  The ability of an 
attacker (e.g. eavesdropper) to predict the sequence of random numbers 
issued by the PRNG would facilitate cryptographic attacks against the TLS 
protected communication. For this reason it is important that the internal 
state of the PRNG is initialized with true random data which cannot be 
predicted by an attacker. The OpenSSL library on which DCMTK relies for its 
TLS functions initially tests whether the PRNG has been seeded with 
sufficient random data. If this test fails, the a warning is issued and no 
secure TLS connection can be negotiated:

    Warning: PRNG for TLS not seeded with sufficient random data.

For this reason, all TLS-aware DCMTK applications allow to initialize the 
PRNG with a random seed which is read from file. Optionally the (modified) 
state of the PRNG can be written back to file upon termination of the 
application, providing a new random seed for the next application run. The 
command line options that control this behaviour for the storescu and 
storescp applications are:

    +rs   --seed              [f]ilename: string
                              seed random generator with contents of [f]
    +ws   --write-seed        write back modified seed (only with --seed)
    +wf   --write-seed-file   [f]ilename: string (only with --seed)
                              write modified seed to file [f]

This document describes sources from which an initial random seed file 
containing physical random data can be obtained.


1. Kernel Random Number Source Device

Some modern Unix operating systems (in particular Linux) have a kernel 
module that gathers environmental noise from device drivers and other 
sources and feeds them into an entropy pool.  Random data can be read from 
this entropy pool using the /dev/random and /dev/urandom devices (see 
random(4) manual page.) For example, the following command creates a 1024 
byte file "randseed.bin" that can be used to seed the OpenSSL PRNG:

    dd if=/dev/urandom of=randseed.bin count=2


2. GUI content

The content of the screen on systems with graphical user interface is hardly 
predictable for an attacker (unless an application is run as a service in 
the background with a well-predictable blank or login screen.)  For this 
reason, the Win32 version of OpenSSL always seeds the PRNG with the content 
of the current screen. This feature is built-in and does not require 
additional user interaction.


3. Entropy Gathering Demon (EGD)

Entropy Gathering Demon is a user space application (Perl script) that can 
be run as a daemon on Unix systems that do not provide a kernel random 
number source device. EGD is available from http://www.lothar.com/tech/crypto/ 

On systems where EGD is installed, the "openssl" tool can be used to 
generate a random seeed for the PRNG from EGD. If the EGD socket is 
installed as /etc/entropy, the following command creates a 1024 byte 
file "randseed.bin" that can be used to seed the OpenSSL PRNG:

    openssl rand -rand /etc/entropy -out randseed.bin 1024


4. Pseudo Random Number Generator Daemon (PRNGD)

Pseudo Random Number Generator Daemon is a user space application that 
"offers an EGD compatible interface to obtain random data and is intented to 
be used as an entropy source to feed other software, especially software 
based on OpenSSL. Like EGD it calls system programs to collect entropy. 
Unlike EGD it does not generate a pool of random bits that can be called 
from other software. Rather more it feeds the bits gathered into the OpenSSL 
PRNG from which the "random bits" are obtained when requested. This way, 
PRNGD is never drained and can never block (unlike EGD), so it is also 
suitable to seed inetd-started programs. It also features a seed-save file, 
so that it is immediately usable after system start." PRNGD is available 
from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html


5. Pretty Good Privacy (PGP)

Pretty Good Privacy contains a random data generator that relies on the time 
intervals between keystrokes.  The following Unix shell commands would cause 
PGP 2.6.3i to create a file /tmp/random_data/randseed.bin with about 1000 
bits of random data, which can be used to seed the OpenSSL PRNG:

    mkdir /tmp/random_data
    chmod 700 /tmp/random_data
    setenv PGPPATH /tmp/random_data
    pgp -kg 1024 -u random


6. Medical Images

Medical image modalities such as CT, MR, Ultrasound or CR produce lots of 
unpredictable random noise in the background that is perfectly suited to 
initialize a PRNG, given that the image is never made available to a third 
party.  The following OpenSSL command line would read a DICOM file 
"image.dcm" and create a 1024 byte file "randseed.bin" that can be used to 
seed the OpenSSL PRNG:

    openssl rand -rand image.dcm -out randseed.bin 1024


