[openssl-dev] Work on a new RNG for OpenSSL

Benjamin Kaduk bkaduk at akamai.com
Tue Jun 27 21:12:48 UTC 2017


Hi Ted,

On 06/27/2017 03:40 PM, Theodore Ts'o wrote:
>
> My recommendation for Linux is to use getrandom(2) the flags field set
> to zero.  This will cause it to use a CRNG that will be reseeded every
> five minutes from environmental noise gathered primarily from
> interrupt timing data.  For modern kernels, the CRNG is based on
> ChaCha20.  For older kernels, it is based on SHA-1.
>
> There are a lot of people who have complained about whether or not
> Linux's urandom generator has met with there religious beliefs about
> how RNG's should be designed and implemented.  One of the things you
> will find is that many of these people are very vocal, and in some
> cases, their advice will be mutually exclusive.  So if you are going
> to be trying to design your own RNG for OpenSSL --- welcome to my
> world.
>
> (In other words, I do listen to many of the people who have opined on
> this thread.  I just don't happen to agree with all of them.  And I
> suspect you will find that in the end, it's impossible to make them
> all happy, and they will end up questioning your intelligence,
> judgement, and in some cases, your paternity.  :-)
>

Thanks for the input, and for reading what is being said.

While you're here, would you mind confirming/denying the claim I read
that the reason the linux /dev/random tracks an entropy estimate and
blocks when it gets too low is to preserve backward security in the face
of attacks against SHA1?

I'm happy to respect that there are different opinions, but it would be
nice to know the reasoning behind the behavior, even if I do not
necessarily agree with it.

Thanks,

Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20170627/242c6990/attachment.html>


More information about the openssl-dev mailing list