[openssl-dev] Plea for a new public OpenSSL RNG API
Kurt Roeckx
kurt at roeckx.be
Tue Aug 29 21:39:58 UTC 2017
On Tue, Aug 29, 2017 at 08:38:09PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > If, based on its value, OpenSSL may decide that it now got “enough” entropy and doesn’t need to
> > pull more from other sources before serving randomness to requestors – then it is harmful.
> > “Over-confidence” in this value by the caller can negatively impact the quality of the produced
> > random numbers.
>
> As long as you have sources that don't provide 1 bit of randomness
> per bit that you provide you need to have an estimate of how much
> randomness it really contains. And you should probably seriously
> underestimate it so that you're sure that you collect enough.
>
> So let me underestimate it to 0. ;-)
>
> The problem with ignoring an existing parameter is that people
> could be calling it with for instance the value of 0, knowing it
> contains as good as no entropy. Or they could feed the unwhitened
> output of a TRNG into that with an estimate of the randomness it provides.
> And OpenSSL used to do the right thing with that.
>
> I *don’t want* OpenSSL to make *any* estimation of the amount of provided entropy. All I want it to do is to mix these bits into the RNG state. It’s *my* business how much entropy I’m providing – but I don’t want OpenSSL to make any decision regarding pull from other entropy sources based on my input.
>
> Does it sound reasonable? (He, it does to me ;)
But that is not the API that RAND_add() provides. It's a push, not
a pull, API. With the DRBG you can do this, assuming it's using an
extraction / derivation function.
One of the suggestions I made before is to have RAND_poll_ex() take
a parameter about how much randomness is needed, but I think it's
also a wrong API and I'm thinking about removing it.
> But now we just ignore it and assume every bit we get contains 1
> bit of randomness and we're suddenly seriously overestimating the
> amount of randomness we're getting.
>
> If I had my way, you’d assume that every bit contains 0 bits of entropy, but mix it in regardless because that’s what the user is asking you to do.
Which is why I suggested we use this for the additional data. But
I think that as long as we have both APIs we might actually need
it for the entropy input. If there is no other way to add
randomness, RAND_add() is our current documented way to add it,
and it will need to keep working.
Kurt
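To make the distinction in this exchange concrete, the following is an added example and not OpenSSL code or anything posted in the thread. It is a deliberately simplified hash-based DRBG model with the two input paths being discussed: a RAND_add-style push API whose caller-supplied estimate moves a credit counter, and an additional-input path that is mixed in but credited nothing. The names (`ModelDRBG`, `add`, `generate`, `SECURITY_STRENGTH_BITS`), the one-hash derivation function, and the 256-bit threshold are all assumptions chosen for illustration. The scenarios show why "estimate 0 but mix it in regardless" leaves a push-API consumer unseeded, and why an over-confident estimate is the more dangerous failure: the counter alone decides when output is served.

```python
import hashlib
import os
from typing import Optional

# Added example, not OpenSSL's DRBG: a simplified hash-based model with an
# "entropy input" path (credited) and an "additional input" path (uncredited).
# All names and the threshold below are assumptions for illustration.

SECURITY_STRENGTH_BITS = 256  # credited entropy required before any output


def _derive(*parts: bytes) -> bytes:
    """Stand-in for a DRBG derivation function: one SHA-256 over the inputs,
    each length-prefixed so different splits of the same bytes never collide."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class ModelDRBG:
    def __init__(self) -> None:
        self.pool = b""            # entropy input accumulated via the push API
        self.credited_bits = 0.0   # sum of caller-supplied entropy estimates
        self.state: Optional[bytes] = None  # working state, None until seeded

    def add(self, buf: bytes, randomness_bits: float) -> float:
        """RAND_add-style push API. buf is always mixed into the pool; only the
        credit counter depends on the caller's estimate. Returns the new credit."""
        self.pool = _derive(b"pool", self.pool, buf)
        self.credited_bits += max(0.0, float(randomness_bits))
        if self.state is None and self.credited_bits >= SECURITY_STRENGTH_BITS:
            self.state = _derive(b"seed", self.pool)  # instantiate from the pool
        return self.credited_bits

    def seeded(self) -> bool:
        return self.state is not None

    def generate(self, n: int, additional_input: bytes = b"") -> Optional[bytes]:
        """Serve n bytes, or None while unseeded. additional_input is mixed into
        the output and the next state but credited 0 bits: the 'mix it in,
        assume nothing about it' path."""
        if self.state is None:
            return None
        out, counter = b"", 0
        while len(out) < n:
            out += _derive(b"out", self.state, counter.to_bytes(4, "big"), additional_input)
            counter += 1
        self.state = _derive(b"update", self.state, additional_input)
        return out[:n]


def scenario_underestimated_trng() -> dict:
    """Genuinely random bytes pushed with estimate 0: they are mixed into the
    pool, but the DRBG never becomes seeded and serves nothing."""
    drbg = ModelDRBG()
    for _ in range(8):
        drbg.add(os.urandom(32), 0)  # raw TRNG output, deliberately credited 0
    return {"credited": drbg.credited_bits, "seeded": drbg.seeded(),
            "output": drbg.generate(16)}


def scenario_overconfident_caller() -> dict:
    """The opposite failure: 32 constant bytes (constructed) credited as 256
    bits. The counter alone decides readiness, so output is served from a
    seed containing essentially no entropy."""
    drbg = ModelDRBG()
    drbg.add(b"\x00" * 32, 256)
    return {"credited": drbg.credited_bits, "seeded": drbg.seeded(),
            "output": drbg.generate(16)}


def scenario_additional_input_does_not_credit() -> dict:
    """Additional input changes the output stream but never the credit: two
    instances with the same seed and different additional input diverge,
    while an unseeded instance still returns None whatever is supplied."""
    a, b = ModelDRBG(), ModelDRBG()
    seed = b"\x11" * 32  # constructed, identical seed for both instances
    a.add(seed, 256)
    b.add(seed, 256)
    return {"outputs_differ": a.generate(16, b"A") != b.generate(16, b"B"),
            "unseeded_output": ModelDRBG().generate(16, b"A")}


if __name__ == "__main__":
    for fn in (scenario_underestimated_trng, scenario_overconfident_caller,
               scenario_additional_input_does_not_credit):
        print(fn.__name__, fn())
```

The model is intentionally transparent about where the decision is made: `add()` mixes unconditionally and only the estimate touches `credited_bits`, while `generate()` consults nothing but that counter. Mapping Uri's request onto this model, "mix but credit 0" is exactly the `additional_input` path, and an implementation that only offers the push API with an estimate has to trust the caller's number, which is the over-confidence risk the quoted message warns about.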