[openssl-dev] Work on a new RNG for OpenSSL

Theodore Ts'o tytso at mit.edu
Tue Jun 27 20:40:41 UTC 2017


On Tue, Jun 27, 2017 at 06:55:47PM +0000, Salz, Rich via openssl-dev wrote:
> Getrandom() is a syscall, and I have concerns about the syscall
> performance.  I would rather feed getrandom (or /dev/random if
> that’s not available) into a FIPS DRBG generator.

What are your concerns about syscall performance?  What are your
performance requirements?  I can tell you that Chrome has been using
/dev/urandom (which has the same performance characteristics as the
getrandom system call) directly for all of its random number
generation needs (e.g., it's calling it each time it needs to generate a
session key for TLS, etc.) and no one has complained.

My recommendation for Linux is to use getrandom(2) with the flags field set
to zero.  This will cause it to use a CRNG that will be reseeded every
five minutes from environmental noise gathered primarily from
interrupt timing data.  For modern kernels, the CRNG is based on
ChaCha20.  For older kernels, it is based on SHA-1.

There are a lot of people who have complained about whether or not
Linux's urandom generator has met with their religious beliefs about
how RNG's should be designed and implemented.  One of the things you
will find is that many of these people are very vocal, and in some
cases, their advice will be mutually exclusive.  So if you are going
to be trying to design your own RNG for OpenSSL --- welcome to my
world.

(In other words, I do listen to many of the people who have opined on
this thread.  I just don't happen to agree with all of them.  And I
suspect you will find that in the end, it's impossible to make them
all happy, and they will end up questioning your intelligence,
judgement, and in some cases, your paternity.  :-)

- Ted


