[openssl-dev] Work on a new RNG for OpenSSL

Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Tue Jun 27 12:42:52 UTC 2017


On 26.06.2017 20:51, Salz, Rich via openssl-dev wrote:
>
>> Constructive suggestion:  If you want to see what a RNG looks like when
>> designed by cryptographers, take a look at:
>>   Elaine Barker and John Kelsey,
>>   “Recommendation for Random Number Generation Using Deterministic
>> Random Bit Generators”
>>   http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can leave out some of
>> the blocks in their diagram, proceed with caution.  Every one of those blocks
>> is there for a reason.
> Well maybe I can ignore section 10.3?
>  

That's a nice joke Rich, but the Dual_EC_DRBG chapter has been dropped in SP800-90Ar1, which supersedes SP800-90A:

    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

But seriously: OpenSSL already has an implementation of the SP800-90A DRBG, but unfortunately it is only part of the
FIPS object module (see reference [1] below). I always wondered why the code was never migrated to OpenSSL master,
(say, replacing the FIPS_drbg_* names by e.g. RAND_drbg_*). Then the SP800-90A DRBG would be usable by everyone
and could be activated by

    RAND_set_rand_method(RAND_drbg_method());

To me, the design and implementation of the DRBG appears sophisticated, and I like its concept for reseeding, which is highly
configurable using

    FIPS_drbg_set_reseed_interval()   and
    FIPS_drbg_set_callbacks()

In fact, we are currently using the AES-CTR DRBG in our product (see [2]) because we had the requirement that the random generator
should be seeded periodically from an external entropy source, for example a smart card or a cryptographic acceleration unit.
This was easily achieved using the aforementioned DRBG callback mechanism.

So I have two questions:

- Do you intend to continue supporting RAND_set_rand_method() or will there only be one 'perfect' random generator and no choice anymore?

- Do you consider the SP800-90A DRBG outdated or will there be a chance that it will be added to the OpenSSL master as
  an officially supported RAND method?

- Will the new OpenSSL RNG support a way to configure reseed intervals and external entropy sources in a similar fashion
  as the FIPS DRBG did?


Best regards,

Matthias St. Pierre




[1] Section 6.1 of the OpenSSL FIPS User Guide 2.0 https://www.openssl.org/docs/fips/UserGuide-2.0.pdf


[2] We link against a FIPS capable OpenSSL 1.0.2 crypto library and use the FIPS DRBG even in the case where FIPS mode
      is not enabled globally: In that case, during initialization we check whether FIPS mode initialization is successful,
      and then turn FIPS mode off again and only keep the random generator by calling RAND_set_rand_method(FIPS_drbg_method()).
      For Windows, we had to add some FIPS_drbg_* symbols to libeay.num to make this work.
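
The reseed mechanism discussed in this message (a reseed interval plus a callback that fetches entropy from an external device), as an added example that is not part of the original message and is not OpenSSL code. It uses the SP 800-90A HMAC_DRBG with SHA-256 instead of the AES-CTR DRBG mentioned above, because that needs only the Python standard library; `HmacDrbg`, `ConstructedSource` and `demo` are hypothetical names, and the source is deterministic sample data, not entropy.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG (SHA-256) from SP 800-90A with a pluggable entropy callback."""
    def __init__(self, get_entropy, reseed_interval=1024, personalization=b""):
        self.get_entropy = get_entropy          # callback: nbytes -> bytes
        self.reseed_interval = reseed_interval  # generate calls allowed per seed
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        self._update(get_entropy(48) + personalization)  # 32 B entropy + 16 B nonce
        self.reseed_counter = 1

    def _mac(self, data):
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, data=b""):
        self.K = self._mac(self.V + b"\x00" + data)
        self.V = self._mac(self.V)
        if data:
            self.K = self._mac(self.V + b"\x01" + data)
            self.V = self._mac(self.V)

    def reseed(self):
        self._update(self.get_entropy(32))
        self.reseed_counter = 1

    def generate(self, nbytes):
        if self.reseed_counter > self.reseed_interval:
            self.reseed()                       # pull fresh external entropy
        out = b""
        while len(out) < nbytes:
            self.V = self._mac(self.V)
            out += self.V
        self._update()
        self.reseed_counter += 1
        return out[:nbytes]


class ConstructedSource:
    """Stand-in for a smart card or accelerator. Deterministic, NOT real entropy."""
    calls = 0

    def __call__(self, nbytes):
        self.calls += 1
        return hashlib.shake_256(b"constructed-%d" % self.calls).digest(nbytes)


def demo(interval=2, requests=5):
    src = ConstructedSource()
    drbg = HmacDrbg(src, reseed_interval=interval)
    blocks = [drbg.generate(16) for _ in range(requests)]
    return src.calls, blocks
```

With an interval of 2 and five requests, the source is consulted three times: once at instantiation and once before the third and fifth requests.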