[openssl-dev] Work on a new RNG for OpenSSL
Kurt Roeckx
kurt at roeckx.be
Tue Jun 27 16:41:41 UTC 2017
On Mon, Jun 26, 2017 at 09:39:47PM -0700, John Denker via openssl-dev wrote:
>
> I'm not mentioning any names, but some people are *unduly*
> worried about recovery following compromise of the PRNG
> internal state, so they constantly re-seed the PRNG, to
> the point where it becomes a denial-of-service attack
> against the upstream source of randomness.
>
> This is also mostly pointless, because any attack that
> compromises the PRNG state will likely compromise so many
> other things that recovery will be very difficult. All
> future outputs will be suspect.
>
> So please let's not go overboard in that direction.
>
> On the other hand, it seems reasonable to insist on /forward/
> secrecy. That is, we should insist that /previous/ outputs
> should not be compromised. This is achievable at small but
> not-quite-zero cost.
I think that's named backward secrecy?
Kurt
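The two properties argued over above are easy to confuse by name, so here is an added, stand-alone illustration (my own toy code, not OpenSSL's RNG and not from anyone in the thread). NIST SP 800-90A calls protection of earlier outputs after a state compromise "backtracking resistance" and protection of later outputs "prediction resistance"; the code uses those terms to stay out of the forward/backward naming dispute. It contrasts a naive counter-mode generator, whose leaked state exposes every past output, with a hash-ratchet generator that discards its old state after each output, and shows that only reseeding with fresh entropy breaks an attacker's prediction of future outputs. The class names, seeds, reseed policy and the entropy-request counter are assumptions for illustration; the ratchet is not an SP 800-90A DRBG.

```python
import hashlib
import os


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (the one-way function everything rests on)."""
    return hashlib.sha256(b"".join(parts)).digest()


class CounterPRNG:
    """Naive design (constructed for contrast): state = (key, counter), output_i = H(key || i).
    A leaked state exposes every earlier output, because an attacker can rerun H
    with smaller counter values. No backtracking resistance at all."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def generate(self) -> bytes:
        self.counter += 1
        return _h(self.key, self.counter.to_bytes(8, "big"))

    def snapshot(self):
        return (self.key, self.counter)


def counter_recover_past(snapshot) -> list:
    """Attacker with a CounterPRNG state snapshot recomputes all previous outputs."""
    key, counter = snapshot
    return [_h(key, i.to_bytes(8, "big")) for i in range(1, counter + 1)]


class RatchetPRNG:
    """Hash ratchet (toy, assumed design): output = H("out" || K), then K = H("next" || K).
    Backtracking resistance: recovering an old K from the current one needs a SHA-256
    preimage, so earlier outputs stay secret after a compromise, at the cost of one extra
    hash per output. Prediction resistance only comes from reseed(), which mixes in entropy
    the attacker has not seen; generate() reseeds automatically every reseed_interval outputs
    and counts how often it taxes the upstream entropy source."""

    def __init__(self, seed: bytes, entropy_source=os.urandom, reseed_interval: int = 1 << 20):
        self.k = _h(b"init", seed)
        self.entropy_source = entropy_source
        self.reseed_interval = reseed_interval
        self.outputs_since_reseed = 0
        self.entropy_requests = 0

    def reseed(self) -> None:
        self.k = _h(b"reseed", self.k, self.entropy_source(32))
        self.entropy_requests += 1
        self.outputs_since_reseed = 0

    def generate(self) -> bytes:
        if self.outputs_since_reseed >= self.reseed_interval:
            self.reseed()
        out = _h(b"out", self.k)
        self.k = _h(b"next", self.k)  # ratchet: the K that produced `out` no longer exists
        self.outputs_since_reseed += 1
        return out

    def snapshot(self) -> bytes:
        return self.k


def ratchet_predict_future(snapshot: bytes, n: int) -> list:
    """Attacker with a leaked ratchet state simulates the next n outputs (valid until a reseed)."""
    k = snapshot
    outs = []
    for _ in range(n):
        outs.append(_h(b"out", k))
        k = _h(b"next", k)
    return outs


def entropy_requests_for(n_outputs: int, reseed_interval: int, entropy_source=os.urandom) -> int:
    """How many times the upstream entropy source is hit for n_outputs at a given reseed interval.
    Reseeding on (nearly) every call is the denial-of-service against the entropy source."""
    prng = RatchetPRNG(seed=b"\x00" * 32, entropy_source=entropy_source, reseed_interval=reseed_interval)
    for _ in range(n_outputs):
        prng.generate()
    return prng.entropy_requests


def demo(entropy_source=os.urandom) -> dict:
    """Runs both generators on constructed fixed seeds and reports the three properties."""
    naive = CounterPRNG(key=b"\x01" * 32)
    naive_outputs = [naive.generate() for _ in range(5)]
    naive_past_recovered = counter_recover_past(naive.snapshot()) == naive_outputs

    prng = RatchetPRNG(seed=b"\x02" * 32, entropy_source=entropy_source)
    for _ in range(5):
        prng.generate()
    leaked = prng.snapshot()                      # state captured after output 5
    real_next = [prng.generate() for _ in range(3)]
    predicted = ratchet_predict_future(leaked, 4)  # attacker's view of outputs 6..9
    before_reseed = predicted[:3] == real_next

    prng.reseed()                                 # fresh entropy the attacker never saw
    after_reseed = predicted[3] == prng.generate()
    return {
        "naive_past_recovered": naive_past_recovered,
        "ratchet_future_predictable_before_reseed": before_reseed,
        "ratchet_future_predictable_after_reseed": after_reseed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("entropy requests for 100 outputs, reseed every call:", entropy_requests_for(100, 1))
    print("entropy requests for 100 outputs, reseed every 10:", entropy_requests_for(100, 10))
```

The ratchet costs one extra hash per output and buys protection of everything already emitted; nothing in the design protects future outputs once K leaks, which is exactly why reseeding is the only lever for that case, and why its rate has to be weighed against what the entropy source can deliver.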