Proposed change to linux kernel about random numbers

Jakob Bohm jb-openssl at wisemo.com
Wed Sep 18 20:50:16 UTC 2019


On 18/09/2019 20:58, Salz, Rich via openssl-users wrote:
>
> Please take a look at 
> https://lore.kernel.org/lkml/CAHk-=wiGg-G8JFJ=R7qf0B+UtqA_Weouk6v+McmfsLJLRq6AKA@mail.gmail.com/ 
> and consider giving your comments.
>
> TL;DR:  see the comment below.
>
> + * Hacky workaround for the fact that some processes
>
> + * ask for truly secure random numbers and absolutely want
>
> + * to wait for the entropy pool to fill, and others just
>
> + * do "getrandom(0)" to get some ad-hoc random numbers.
>
> + *
>
> + * If you're generating a secure key, you'd better ask for
>
> + * more than 128 bits of randomness. Otherwise it's not
>
> + * really all that secure by definition.
>
> + *
>
> + * We should add a GRND_SECURE flag so that people can state
>
> + * this "I want secure random numbers" explicitly.
>
Well, I guess that comes from library authors suddenly ignoring
proper usage of the original *random* API definitions, as well
as all related compatibility needs.

Until recently, the rules were clear:

1. If a program or library wanted seeding or bits for generating long
   term keys and was willing to wait, it would use /dev/random or (if
   in both running kernel and loaded libc) getrandom(2) with GRND_RANDOM
   (and soon GRND_SECURE).  This includes waiting for the OS to say it
   has actually gathered entropy etc.

2. If a program or library wanted to set up an internal RNG that can
   be reseeded later it would use /dev/urandom or (if in both running
   kernel and loaded libc) getrandom(2) with neither GRND_RANDOM or
   GRND_SECURE, nor waiting for the kernel to estimate having entropy.
   Then reseed later when OS has more entropy, but not so often as to
   keep the system dry.

3. If a multipurpose library or tool (such as OpenSSL and the openssl
   command line tool) uses the random bits in both ways, it needs to
   pass the choice onto the caller, like OpenSSL 1.0.x did with the
   difference between RAND_pseudo_bytes and RAND_bytes.

   For example, a TLS or SSH implementation can use the weaker entropy
   source to start handling incoming calls (with session keys) soon
   after boot, while a tool to set up initial private keys at first
   boot would need to wait for the stronger entropy source (which may
   in fact get initial randomness over such an encrypted early
   connection!).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



More information about the openssl-users mailing list