[openssl-dev] Work on a new RNG for OpenSSL
Matt Caswell
matt at openssl.org
Tue Jun 27 07:28:56 UTC 2017
On 26/06/17 21:18, Kurt Roeckx wrote:
>> “Recommendation for Random Number Generation Using Deterministic Random Bit Generators”
>> http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can
>> leave out some of the blocks in their diagram, proceed with
>> caution. Every one of those blocks is there for a reason.
>
> SP800-90A (or revision 1) can clearly be used as reference on how
> to implement it, even if we don't use an approved algorithm from
> it. And I really think we should look at that document when
> implementing it.
>
> There should probably also be an option to use an RNG that
> conforms to it.
I am strongly in favour of this approach. We should be led by standards.
>
>>> Randomness should be whitened.
>>
>> Whitening at the input is neither difficult nor necessary nor sufficient.
>> The hard part is obtaining a reliable lower bound on the amount of
>> useful randomness in the bit-blob when it appears at the input. Where
>> did the bits come from? Where did the bound come from? Do you trust
>> the generic openssl user, who knows nothing about cryptology, to provide
>> either one?
>
> I think it should by default be provided by the OS, and I don't
> think any OS is documenting how much randomness it can provide.
>
I also agree that, by default, using the OS provided source makes a lot
of sense.
Matt
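As an added illustration of the two points above (following the SP800-90A block structure, and taking the seed from the OS by default), here is a minimal HMAC_DRBG in Python. This is example code written for this page, not code from the thread, from OpenSSL, or from the NIST document; the class name, the reseed interval and the constructed sample seeds are assumptions. It keeps the blocks the quoted text warns against dropping: instantiate, the update function, reseed, generate with a reseed counter, and the minimum entropy-input length check. Note what the DRBG cannot do: it can check that the seed is long enough, but the lower bound on the entropy actually in that seed is the caller's problem, which is why the default feeds it from os.urandom rather than from anything the application supplies.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG (SP800-90A section 10.1.2) instantiated with SHA-256.

    Example code for the openssl-dev discussion; not OpenSSL's RNG.
    Security strength is 256 bits, so entropy_input must carry at least
    32 bytes. The DRBG cannot verify how much entropy those bytes hold;
    that bound is the responsibility of whoever supplies them.
    """

    OUTLEN = 32            # SHA-256 output length in bytes
    MIN_ENTROPY_LEN = 32   # security_strength / 8 for a 256-bit strength

    def __init__(self, entropy_input, nonce=b"", personalization=b"",
                 reseed_interval=10000):
        # Assumed reseed_interval; SP800-90A allows up to 2**48 requests.
        if len(entropy_input) < self.MIN_ENTROPY_LEN:
            raise ValueError("entropy_input shorter than security strength")
        self.reseed_interval = reseed_interval
        # Instantiate: K = 0x00..00, V = 0x01..01, then absorb the seed.
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @classmethod
    def from_os(cls, personalization=b"", reseed_interval=10000):
        """Default instantiation: entropy and nonce come from the OS."""
        return cls(os.urandom(cls.MIN_ENTROPY_LEN), os.urandom(16),
                   personalization, reseed_interval)

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: mixes provided_data into the (K, V) state.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def needs_reseed(self):
        return self.reseed_counter > self.reseed_interval

    def reseed(self, entropy_input, additional_input=b""):
        if len(entropy_input) < self.MIN_ENTROPY_LEN:
            raise ValueError("entropy_input shorter than security strength")
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes, additional_input=b""):
        # Generate: refuse to run past the reseed interval, never silently
        # keep going on a state that should have been refreshed.
        if self.needs_reseed():
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        # Post-generation update so output bits do not reveal the next state.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


if __name__ == "__main__":
    # Constructed seeds: deterministic on purpose so two instances agree.
    seed, nonce = b"\x11" * 32, b"\x22" * 16
    a = HmacDrbg(seed, nonce, b"openssl-dev example")
    b = HmacDrbg(seed, nonce, b"openssl-dev example")
    assert a.generate(64) == b.generate(64)
    print("OS-seeded output:", HmacDrbg.from_os().generate(32).hex())
```

The `from_os` constructor is the "provided by the OS" default: the application never has to estimate entropy itself. The reseed counter and the length check are cheap to keep and are the first things a cut-down design tends to drop.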