[openssl-dev] Work on a new RNG for OpenSSL

Matt Caswell matt at openssl.org
Tue Jun 27 07:28:56 UTC 2017
On 26/06/17 21:18, Kurt Roeckx wrote:
>>   “Recommendation for Random Number Generation Using Deterministic Random Bit Generators”
>>   http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can
>> leave out some of the blocks in their diagram, proceed with
>> caution.  Every one of those blocks is there for a reason.
> 
> SP800-90A (or revision 1) can clearly be used as reference on how
> to implement it, even if we don't use an approved algorithm from
> it. And I really think we should look at that document when
> implementing it.
> 
> There should probably also be an option to use an RNG that
> conforms to it.

I am strongly in favour of this approach. We should be led by standards.

> 
>>> Randomness should be whitened.
>>
>> Whitening at the input is neither difficult nor necessary nor sufficient.
>> The hard part is obtaining a reliable lower bound on the amount of
>> useful randomness in the bit-blob when it appears at the input.  Where
>> did the bits come from?  Where did the bound come from?  Do you trust
>> the generic openssl user, who knows nothing about cryptology, to provide
>> either one?
> 
> I think it should by default be provided by the OS, and I don't
> think any OS is documenting how much randomness it can provide.
> 

I also agree that, by default, using the OS-provided source makes a lot
of sense.

Matt
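The design the thread keeps returning to, an SP 800-90A DRBG instantiated and reseeded from the OS entropy source, can be shown concretely. The block below is an added example written for this page, not OpenSSL's code and not anything the thread participants posted; it is in Python (OpenSSL itself is C) because the point is the structure of the DRBG, not the implementation language. It implements HMAC_DRBG with SHA-256 following the steps in SP 800-90A section 10.1.2, with the entropy source defaulting to `os.urandom` (on Linux, the kernel's getrandom()/urandom pool). The `entropy`/`nonce` parameters, the `ReseedRequired` exception, the `random_bytes` helper and the `determinism_check` function are this example's own names, and the fixed byte strings used for the check are constructed test inputs. Note the trust assumption Kurt describes: the code takes `SECURITY_STRENGTH` bytes from the OS and treats them as full-entropy, because no OS documents a lower bound it can be checked against.

```python
"""SP 800-90A HMAC_DRBG (SHA-256) seeded from the OS entropy source.

Added example, not OpenSSL code. Section references are to SP 800-90A.
"""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size       # 32 bytes
SECURITY_STRENGTH = 32                      # 256-bit strength, the maximum for SHA-256
MAX_REQUEST = (1 << 19) // 8                # max_number_of_bits_per_request, in bytes
MAX_RESEED_INTERVAL = 1 << 48               # upper bound on reseed_interval (table 2)


class ReseedRequired(Exception):
    """reseed_counter exceeded reseed_interval; the caller must reseed() first."""


def os_entropy(n: int) -> bytes:
    """Entropy source: the OS pool. Assumption: os.urandom output is full-entropy."""
    return os.urandom(n)


class HmacDrbg:
    """HMAC_DRBG with SHA-256 (section 10.1.2)."""

    def __init__(self, entropy=None, nonce=None, personalization=b"",
                 reseed_interval=1 << 16):
        # Fixed entropy/nonce are for testing only; production callers use the OS pool.
        if entropy is None:
            entropy = os_entropy(SECURITY_STRENGTH)
        if nonce is None:
            nonce = os_entropy(SECURITY_STRENGTH // 2)
        if len(entropy) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than the security strength")
        if len(nonce) < SECURITY_STRENGTH // 2:
            raise ValueError("nonce shorter than security_strength/2")
        if not 1 <= reseed_interval <= MAX_RESEED_INTERVAL:
            raise ValueError("reseed_interval out of range")
        self.reseed_interval = reseed_interval
        # Instantiate (10.1.2.3): K = 0x00..00, V = 0x01..01, then Update(seed_material).
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update (10.1.2.2): the second round only runs with provided_data.
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, entropy=None, additional=b"") -> None:
        # Reseed (10.1.2.4): mix in fresh entropy and reset the counter.
        if entropy is None:
            entropy = os_entropy(SECURITY_STRENGTH)
        if len(entropy) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than the security strength")
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, n: int, additional=b"") -> bytes:
        # Generate (10.1.2.5): refuse to run past reseed_interval instead of silently continuing.
        if n > MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.reseed_interval:
            raise ReseedRequired()
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:n]

    def random_bytes(self, n: int) -> bytes:
        """Convenience wrapper: reseed from the OS pool when the DRBG asks for it."""
        try:
            return self.generate(n)
        except ReseedRequired:
            self.reseed()
            return self.generate(n)


def determinism_check() -> bool:
    """Two instances with identical (constructed, test-only) seed material must agree."""
    entropy, nonce = bytes(range(32)), bytes(range(16))
    a = HmacDrbg(entropy, nonce, b"test")
    b = HmacDrbg(entropy, nonce, b"test")
    return a.generate(64) == b.generate(64) and a.generate(64) == b.generate(64)
```

The reseed interval here is deliberately small so that the `ReseedRequired` path is exercised; a production DRBG would use a far larger one, and would also enforce the 2^19-bit per-request limit and the entropy-length checks exactly as shown, since those are the "blocks in the diagram" the quoted message warns against dropping.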