[openssl-dev] Plea for a new public OpenSSL RNG API

Kurt Roeckx kurt at roeckx.be
Tue Aug 29 20:32:33 UTC 2017


On Tue, Aug 29, 2017 at 06:50:37PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> On 8/29/17, 12:45, "openssl-dev on behalf of Salz, Rich via openssl-dev" <openssl-dev-bounces at openssl.org on behalf of openssl-dev at openssl.org> wrote:
> 
>     ➢ Another problem with the current implementation is that the
>     ➢ randomness parameter that's now given to RAND_add() is just
>     ➢ ignored, it assumes it's the same as the length.
>         
>     For what it’s worth, this was done deliberately, to make RAND_add and RAND_seed equivalent.
>     
>     I am skeptical of the ability to get that estimate correct.
>     
>     Somewhere on GH there is a conversation thread about turning that into a percentage, which seems like the best thing to do for any new API.
> 
> 
> What’s the point of having this potentially harmful parameter? If it weren’t ignored – how would OpenSSL use it?
> 
> If, based on its value, OpenSSL may decide that it now got “enough” entropy and doesn’t need to pull more from other sources before serving randomness to requestors – then it is harmful. “Over-confidence” in this value by the caller can negatively impact the quality of the produced random numbers.

As long as you have sources that don't provide 1 bit of randomness
per bit that you provide, you need to have an estimate of how much
randomness it really contains. And you should probably seriously
underestimate it so that you're sure that you collect enough.

The problem with ignoring an existing parameter is that people
could be calling it with, for instance, the value 0, knowing it
contains as good as no entropy. Or they could feed the unwhitened
output of a TRNG into it with an estimate of the randomness it provides.
And OpenSSL used to do the right thing with that.

But now we just ignore it and assume every bit we get contains 1
bit of randomness, and we're suddenly seriously overestimating the
amount of randomness we're getting. This is a documented public API,
you can't just go and ignore this parameter.


Kurt
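The accounting argument in Kurt's message, as an added illustration that is not part of the thread or of OpenSSL's code: a constructed entropy-pool model that either honours the caller's randomness estimate (the old RAND_add semantics) or credits every input bit as a full bit (the behaviour he objects to). The 256-bit seeding target, the biased LCG-driven stand-in for an unwhitened TRNG, and all function names are assumptions of this example.

```python
import math

SEED_TARGET_BITS = 256  # entropy the pool wants before it will serve output

def min_entropy_per_bit(p_one: float) -> float:
    """Min-entropy of one bit from a source emitting 1 with probability p_one."""
    return -math.log2(max(p_one, 1.0 - p_one))

class EntropyPool:
    """Hypothetical accounting model (not OpenSSL's code): tracks credited entropy only."""

    def __init__(self, honour_estimate: bool) -> None:
        self.honour_estimate = honour_estimate
        self.credited_bits = 0.0

    def add(self, buf: bytes, randomness: float) -> None:
        """Mirror RAND_add(buf, num, randomness) with `randomness` in bytes: honour the
        caller's estimate (capped at len(buf)), or credit every input bit as a full bit."""
        credit = min(randomness, len(buf)) if self.honour_estimate else len(buf)
        self.credited_bits += 8.0 * credit

    def seeded(self) -> bool:
        return self.credited_bits >= SEED_TARGET_BITS

def biased_bytes(n: int, p_one: float, state: int) -> bytes:
    """Constructed stand-in for an unwhitened TRNG: each bit is 1 with probability
    p_one, driven by a small LCG so runs are reproducible."""
    out = bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            state = (1103515245 * state + 12345) % 2**31
            byte = (byte << 1) | (state / 2**31 < p_one)
        out.append(byte)
    return bytes(out)

def bytes_until_seeded(p_one: float, honour_estimate: bool) -> int:
    """Bytes of biased TRNG output fed before the pool believes it is seeded."""
    pool, per_bit, fed = EntropyPool(honour_estimate), min_entropy_per_bit(p_one), 0
    while not pool.seeded():
        chunk = biased_bytes(32, p_one, state=fed)  # 32-byte RAND_add-style calls
        pool.add(chunk, randomness=len(chunk) * per_bit)  # honest caller estimate
        fed += len(chunk)
    return fed

def seeded_by_zero_credit_input(honour_estimate: bool) -> bool:
    """Caller feeds 64 bytes it knows carry no entropy, passing randomness=0."""
    pool = EntropyPool(honour_estimate)
    pool.add(bytes(64), randomness=0.0)
    return pool.seeded()
```

With a source that emits a 1 with probability 0.9 (about 0.15 bits of min-entropy per bit), the honouring pool needs 224 bytes before it is seeded while the ignoring pool declares itself seeded after the first 32, and the ignoring pool also reaches "seeded" on 64 bytes the caller explicitly credited with zero entropy.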