[openssl-dev] Work on a new RNG for OpenSSL

Paul Dale paul.dale at oracle.com
Wed Jun 28 00:24:13 UTC 2017


The hierarchy of RNGs will overcome some of the performance concerns.  Only the root needs to call getrandom().

I do agree that having a DRBG at the root level is a good idea though.

 

Pauli

-- 

Oracle

Dr Paul Dale | Cryptographer | Network Security & Encryption 

Phone +61 7 3031 7217

Oracle Australia

 

From: Salz, Rich via openssl-dev [mailto:openssl-dev at openssl.org] 
Sent: Wednesday, 28 June 2017 4:56 AM
To: Kaduk, Ben <bkaduk at akamai.com>; openssl-dev at openssl.org; Matt Caswell <matt at openssl.org>
Subject: Re: [openssl-dev] Work on a new RNG for OpenSSL

 

For windows RAND_bytes should just call CryptGenRandom (or its equiv).  For modern Linux, probably call getrandom(2).  For OpenBSD call arc4random().

 

Getrandom() is a syscall, and I have concerns about the syscall performance.  I would rather feed getrandom (or /dev/random if that’s not available) into a FIPS DRBG generator.

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20170627/9fd462f6/attachment-0001.html>


More information about the openssl-dev mailing list