[openssl-dev] Improving OpenSSL default RNG

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Mon Oct 26 18:01:50 UTC 2015


On 10/24/2015 05:55 PM, Marcus Meissner wrote:
> On Fri, Oct 23, 2015 at 07:19:11PM +0200, Alessandro Ghedini wrote:
>> On Fri, Oct 23, 2015 at 04:34:11PM +0200, Dr. Matthias St. Pierre wrote:
>> ...
>> In general the NIST DRBGs seem fairly complicated (or completely untrustworthy
>> like Dual EC DRBG), so I'd rather have a different implementation as default
>> RNG for OpenSSL.
> 
> Well, the Dual EC has been removed from the guidance.
> 
> The other 3 modes described in NIST 800-90a make sense though. I suggest to read
> the standard, the main things making it long are all the error handling and
> reseeding strategies.
> 
> Ciao, Marcus

I agree, to me it seems to be a rather straightforward implementation of a hybrid RNG. To get an impression of the
essentials, e.g. for the DRBG based on AES-CTR, it helps to have a look at Figures 11 (p.49) and 12 (p.51)
of <http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf>.

The nice part about the DRBG is that one can connect it to an external entropy source and configure 
the reseed interval. It also supports prediction resistance on demand, although this feature is not available through
FIPS_drbg_method(), only if one uses FIPS_drbg_generate() directly.

So it would be convenient for us to have it available in the normal OpenSSL library without having to fiddle
with the FIPS object module. It wouldn't have to be the default OpenSSL RNG, though.

Regards, Matthias
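To make the "straightforward hybrid RNG" point concrete, here is an added example (not from the thread, OpenSSL or the FIPS module) of the AES-CTR DRBG the mail refers to, in Go using the standard library's crypto/aes. It follows the CTR_DRBG_Update and Generate processes of SP 800-90A Figures 11 and 12 for AES-128 without a derivation function (seedlen = 32 bytes), and shows the three knobs the mail mentions: an external entropy source, a configurable reseed interval, and prediction resistance requested per call. All names (CTRDRBG, EntropySource, Generate and so on) are this example's own, and the fixed-byte entropy source in main is constructed so the demo is reproducible; it is not a real entropy source.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	keyLen   = 16               // AES-128 key
	blockLen = 16               // AES block
	seedLen  = keyLen + blockLen // seedlen for CTR_DRBG without derivation function
)

// EntropySource models the external entropy input the DRBG is connected to.
type EntropySource func(n int) []byte

// CTRDRBG is a minimal SP 800-90A CTR_DRBG (AES-128, no derivation function).
type CTRDRBG struct {
	key            [keyLen]byte
	v              [blockLen]byte
	reseedCounter  uint64
	reseedInterval uint64
	entropy        EntropySource
}

var ErrReseedRequired = errors.New("ctr_drbg: reseed required")

// incr computes V = (V + 1) mod 2^blocklen, big-endian.
func incr(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		v[i]++
		if v[i] != 0 {
			return
		}
	}
}

// padSeed right-pads (or truncates) input to seedLen bytes; the standard
// requires additional/personalization input to be at most seedlen bytes.
func padSeed(b []byte) []byte {
	p := make([]byte, seedLen)
	copy(p, b)
	return p
}

// update is CTR_DRBG_Update (Figure 11): encrypt successive counter values
// with the current key to get seedlen bytes, XOR in provided data (already
// padded to seedLen), then split the result into the new key and V.
func (d *CTRDRBG) update(provided []byte) {
	blk, err := aes.NewCipher(d.key[:])
	if err != nil {
		panic(err) // cannot happen: key is always keyLen bytes
	}
	temp := make([]byte, 0, seedLen)
	var out [blockLen]byte
	for len(temp) < seedLen {
		incr(&d.v)
		blk.Encrypt(out[:], d.v[:])
		temp = append(temp, out[:]...)
	}
	for i := 0; i < seedLen; i++ {
		temp[i] ^= provided[i]
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:seedLen])
}

// NewCTRDRBG is the instantiate process: key and V start as all zeros and
// are derived from entropy XOR personalization string.
func NewCTRDRBG(src EntropySource, personalization []byte, reseedInterval uint64) *CTRDRBG {
	d := &CTRDRBG{entropy: src, reseedInterval: reseedInterval}
	seed := src(seedLen)
	pers := padSeed(personalization)
	for i := range seed {
		seed[i] ^= pers[i]
	}
	d.update(seed)
	d.reseedCounter = 1
	return d
}

// Reseed pulls fresh entropy from the external source, mixes in optional
// additional input and resets the reseed counter.
func (d *CTRDRBG) Reseed(additional []byte) {
	seed := d.entropy(seedLen)
	add := padSeed(additional)
	for i := range seed {
		seed[i] ^= add[i]
	}
	d.update(seed)
	d.reseedCounter = 1
}

// Generate is the generate process (Figure 12). With predictionResistance set
// the DRBG reseeds from the entropy source before producing any output, which is
// the on-demand prediction resistance the mail mentions; otherwise, once the
// reseed interval is exhausted, the caller must Reseed before continuing.
func (d *CTRDRBG) Generate(n int, additional []byte, predictionResistance bool) ([]byte, error) {
	if predictionResistance {
		d.Reseed(additional)
		additional = nil // consumed by the reseed, per the standard
	}
	if d.reseedCounter > d.reseedInterval {
		return nil, ErrReseedRequired
	}
	add := padSeed(additional)
	if len(additional) > 0 {
		d.update(add)
	}
	blk, _ := aes.NewCipher(d.key[:])
	out := make([]byte, 0, n+blockLen)
	var block [blockLen]byte
	for len(out) < n {
		incr(&d.v)
		blk.Encrypt(block[:], d.v[:])
		out = append(out, block[:]...)
	}
	d.update(add) // backtracking resistance: old key/V are never reused
	d.reseedCounter++
	return out[:n], nil
}

func main() {
	// Constructed, fixed bytes standing in for an entropy source so the demo
	// is reproducible; a deployment connects a live entropy source here.
	fixed := func(n int) []byte {
		b := make([]byte, n)
		for i := range b {
			b[i] = byte(0xA5 ^ i)
		}
		return b
	}
	d := NewCTRDRBG(fixed, []byte("example personalization"), 1000)
	out, _ := d.Generate(32, nil, false)
	fmt.Println("generate:                  ", hex.EncodeToString(out))
	out, _ = d.Generate(32, nil, true) // reseeds first
	fmt.Println("with prediction resistance:", hex.EncodeToString(out))
}
```

The reseed interval and the prediction-resistance flag are the two places where this design differs from a plain stream cipher: the first bounds how much output is produced from one seed, the second forces new entropy in before an output the caller considers sensitive. A production implementation additionally enforces the standard's limits on request size and seed length and zeroises retired state.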