[openssl-dev] Work on a new RNG for OpenSSL

John Denker ssx at av8n.com
Tue Jun 27 04:17:22 UTC 2017


On 06/26/2017 12:41 PM, Salz, Rich wrote:

> We run in many environments, and I don't think it's reasonable to say
> that the RNG on someone's personal web server, perhaps on the
> Internet, is at the same level of criticality, say, as the same RNG
> running on something like a global CDN.  I am not trying to back out
> of our responsibilities here, but rather saying that I think a
> justifiable case can be made for accepting vague words like mediocre
> at times.

That argument cuts the other way, much more acutely.

When writing a low- to mid-level library such as openssl,
the problem is you *don't know* how it will be used.  If
you design an RNG that is good enough for a game of Go Fish,
it is entirely possible that some user will turn around and
use the same RNG to sign a multi-million dollar contract,
or encrypt some life-and-death critical messages.

The days when we could get away with mediocre security are
gone, and have been for quite a while now.

The idea of "provably correct" code has been around for decades
now.  I don't always succeed, but I try to write provably
correct code, even for things that are vastly less critical
than a cryptographic RNG.

In particular, the idea of combining several lousy upstream
sources and hoping for the best is 100% virgin serpentoleum.
It violates every engineering principle known to man, except
for Murphy's law.

The fact that RNGs are hard to test makes it easy to fool your
friends.  Your enemies will not be so easily fooled.  This
just makes it extra-super-important to insist on sound
engineering practices, top to bottom.
