[openssl-dev] Work on a new RNG for OpenSSL
Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Tue Jun 27 12:42:52 UTC 2017
On 26.06.2017 20:51, Salz, Rich via openssl-dev wrote:
>
>> Constructive suggestion: If you want to see what a RNG looks like when
>> designed by cryptographers, take a look at:
>> Elaine Barker and John Kelsey,
>> “Recommendation for Random Number Generation Using Deterministic
>> Random Bit Generators”
>> http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can leave out some of
>> the blocks in their diagram, proceed with caution. Every one of those blocks
>> is there for a reason.
> Well maybe I can ignore section 10.3?
>
That's a nice joke Rich, but the Dual_EC_DRBG chapter has been dropped in SP800-90Ar1, which supersedes SP800-90A:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
But seriously: OpenSSL already has an implementation of the SP800-90A DRBG, but unfortunately it is only part of the
FIPS object module (see reference [1] below). I always wondered why the code was never migrated to OpenSSL master,
(say, replacing the FIPS_drbg_* names by e.g. RAND_drbg_*). Then the SP800-90A DRBG would be usable by everyone
and could be activated by
RAND_set_rand_method(RAND_drbg_method());
To me, the design and implementation of the DRBG appeals sophisticated and I like its concept for reseeding which is highly
configurable using
FIPS_drbg_set_reseed_interval() and
FIPS_drbg_set_callbacks()
In fact, we are currently using the AES-CTR DRBG in our product (see [2]) because we had the requirement that the random generator
should be seeded periodically from an external entropy source, for example a smart card or a cryptographic acceleration unit.
This was easily achieved using the aforementioned DRBG callback mechanism.
So I have two questions:
- Do you intend to continue supporting RAND_set_rand_method() or will there only be one 'perfect' random generator and no choice anymore?
- Do you consider the SP800-90A DRBG outdated or will there be a chance that it will be added to the OpenSSL master as
officially supported RAND method?
- Will the new OpenSSL RNG support a way to configure reseed intervals and external entropy sources in a similar fashion
as the FIPS DRBG did?
Best regards,
Matthias St. Pierre
[1] Section 6.1 of the OpenSSL FIPS User Guide 2.0 https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
[2] We link against a FIPS capable OpenSSL 1.0.2 crypto library and use the FIPS DRBG even in the case where FIPS mode
is not enabled globally: In that case, during initialization we check whether FIPS mode initialization is successfull, then
and then turn FIPS mode off again and only keep the random generator by calling RAND_set_rand_method(FIPS_drbg_method()).
For Windows, we had to add some FIPS_drbg_* symbols to libeay.num to make this work.
More information about the openssl-dev
mailing list