[openssl-dev] Work on a new RNG for OpenSSL

Peter Waltenberg pwalten at au1.ibm.com
Wed Jun 28 02:55:05 UTC 2017


If the desired outcome is security you must generate instance unique keys 
and elegant software design alone is simply not enough to achieve that. 

And I didn't say solve below I said mitigate. 
You can't solve the problem of someone using already created keys in 
multiple VM's. 
But you can and should reduce the chances that someone will create them 
from a fresh keygen because that simply can't be mitigated anywhere else 
but in your code.

Similar issues exist with fork(), and again, you should make efforts to 
mitigate that risk because the user can't.

Magic fairy dust like (/dev/hwrng) undoubtedly helps where it exists, but 
you still have to apply it correctly to achieve the desired outcome.

Peter
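The fork() hazard mentioned above, shown as an added example (not OpenSSL's code and not part of this thread): a process seeds a generator, forks, and both parent and child draw from the duplicated state, so a guard-less generator hands the same value to both. The mitigation demonstrated is the pid comparison that reseeds from the OS the first time the state is used in a new process; the generator itself (splitmix64), the function names and the /dev/urandom source are assumptions made for the demo, and the caveat is that a pid check alone can be fooled by pid reuse, which is why real implementations also hook pthread_atfork().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Toy, NON-cryptographic generator (splitmix64), used only so the
 * duplicated-state problem is visible. Assumption: a real DRBG sits here. */
struct toy_rng {
    uint64_t state;
    pid_t owner;      /* pid of the process that last (re)seeded the state */
    int fork_guard;   /* 1 = reseed when the pid no longer matches owner */
};

/* Pull 8 bytes from the OS; /dev/urandom is the assumed source. */
static int os_entropy(uint64_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

static int rng_reseed(struct toy_rng *r) {
    if (!os_entropy(&r->state)) return 0;
    r->owner = getpid();
    return 1;
}

static uint64_t rng_next(struct toy_rng *r) {
    /* Fork detection by pid comparison. Caveat: pids can be reused, so a
     * pthread_atfork() child handler (a generation counter) is the usual
     * second line of defence. */
    if (r->fork_guard && r->owner != getpid()) {
        if (!rng_reseed(r)) abort();
    }
    uint64_t z = (r->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Seed, fork, draw one value in parent and child, compare them.
 * Returns 1 if the outputs differ, 0 if the child replayed the parent's
 * output (the failure mode), -1 on a system error. */
int fork_outputs_differ(int fork_guard) {
    struct toy_rng r = {0, 0, fork_guard};
    if (!rng_reseed(&r)) return -1;
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: same memory image as the parent, including r.state. */
        uint64_t v = rng_next(&r);
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    uint64_t child_v = 0;
    uint64_t parent_v = rng_next(&r);
    ssize_t got = read(fd[0], &child_v, sizeof child_v);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof child_v) return -1;
    return child_v != parent_v;
}

int main(void) {
    printf("without fork guard, outputs differ: %d\n", fork_outputs_differ(0));
    printf("with fork guard, outputs differ:    %d\n", fork_outputs_differ(1));
    return 0;
}
```

Run it and the unguarded case reports 0 (parent and child produce the identical value), the guarded case reports 1. The same shape of check, reseeding from the OS source before key generation rather than trusting state carried over from a cloned image, is what the "reseed before keygen" advice in the quoted text amounts to.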



From:   John Denker via openssl-dev <openssl-dev at openssl.org>
To:     "openssl-dev at openssl.org" <openssl-dev at openssl.org>
Date:   28/06/2017 12:19
Subject:        Re: [openssl-dev] Work on a new RNG for OpenSSL
Sent by:        "openssl-dev" <openssl-dev-bounces at openssl.org>



On 06/27/2017 06:41 PM, Peter Waltenberg wrote:

> Consider most of the world's compute is now done on VM's where images are 
> cloned, duplicated and restarted as a matter of course. Not vastly 
> different from an embedded system where the clock powers up as 00:00 
> 1-Jan, 1970 on each image. If you can trust the OS to come up with unique 
> state each time you can rely solely on the OS RNG - well provided you 
> reseed often enough anyway, i.e. before key generation. That's also why 
> seeding a chain of PRNG's once at startup is probably not sufficient here.

That is approximately the last thing openssl should be
fussing over.  There is a set of problems there, with a
set of solutions, none of which openssl has any say over.

===>  The VM setup should provide a virtual /dev/hwrng  <===

Trying to secure a virtual machine without a virtual hwrng
(or the equivalent) is next to impossible.  There may be
workarounds, but they tend to be exceedingly locale-specific,
and teaching openssl to try to discover them would be a
tremendous waste of resources.

So stop trying to operate without /dev/hwrng already.

It reminds me of the old Smith & Dale shtick:
  -- Doctor, doctor, it hurts when I do *this*.
  -- So don't do that.