[openssl-project] Entropy seeding the DRBG

Richard Levitte levitte at openssl.org
Sat Apr 7 14:58:06 UTC 2018

In message <8C39CDF4-A91E-4DFB-BE67-6799E07D3AB7 at akamai.com> on Tue, 3 Apr 2018 16:58:17 +0000, "Salz, Rich" <rsalz at akamai.com> said:

rsalz> >    Please note that that 50% extra is only used for
rsalz> >    instantiating the DRBG. On reseed it only uses 256
rsalz> >    bits.

Instantiating is exactly the problem.  The VMS
rand_pool_acquire_entropy() currently generates 256 bits of entropy on
each call.  No more, no less.  And that's at an estimated 4 bits of
entropy per byte, an estimation that's from long ago.  Either way,
because instantiation demands more than 256 bits, the whole RNG breaks
down, and everything related to it in some way along with it.  In
other words, OpenSSL on VMS dies.

rsalz> True.  And now we're finding that VMS won't work.  And I bet
rsalz> there are other systems that will also find this amount
rsalz> excessive.

I'm thinking that for any platform that can support that, I don't see
a problem, at all.

So the current short term solution for this is to simply default to
AES-128-CTR instead of AES-256-CTR, specifically on VMS, which is
currently sitting in PR#5904.  It seems like the option to make
everyone happy, and everyone ends up with a better randomness
implementation either way (compared to OpenSSL 1.1.0 and older).

In the meantime, I've spent a few days going through the docs on all
kinds of data that you can get out from the VMS kernel, most notably
through a system service called sys$getrmi()...  there's a gazillion
data points, a treasure trove for anyone that's into statistics.  And
I intend to spend some time trying to estimate what kind of entropy I
can get out of them...

... and that's where Kurt came in:

> Can I suggest you try something like
> https://github.com/usnistgov/SP800-90B_EntropyAssessment to at least
> get an idea? You would need to sample 1 variable and feed that into
> it.

And yeah, sure, especially if all it takes is to produce a stream of
bits from a source and feed that to the assessment program.  As long
as I don't have to port a C++11 program to VMS, 'cause unfortunately,
the existing C++ compiler hasn't had a real update for quite a while
:-/ (I'm sure that VSI is quite busy updating all they can, but they
haven't let anything out yet)

But either way, creating a better entropy gatherer is the longer term
goal.  I hope I get that part done before the release.


Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
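As an added illustration of the two calculations this message turns on (example code, not from OpenSSL, VMS or anyone on the thread), the C program below does the instantiation arithmetic the way the message describes it: the DRBG needs its security strength plus 50% to instantiate (assumed here to be SP 800-90A's nonce of strength/2), and the pool supplies its byte count times an estimated 4 bits of entropy per byte, so the VMS pool's 256 bits are taken to be 64 bytes. It also implements the "most common value" min-entropy estimator from SP 800-90B section 6.3.1, the simplest of the estimators in the NIST tool Kurt points to, so the idea of sampling one variable and measuring it can be tried without porting the C++11 tool. The sample bytes are constructed; on a real system the input would be a stream of samples of one kernel variable. The sqrt and log2 helpers are hand-rolled only so the file builds without libm.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Entropy (in bits) a CTR-DRBG needs to instantiate: the security strength
 * plus the 50% margin mentioned in the thread (assumed to be SP 800-90A's
 * nonce of at least strength/2). Reseeding needs only the strength itself. */
size_t entropy_bits_for_instantiate(size_t strength_bits)
{
    return strength_bits + strength_bits / 2;
}

/* Entropy a pool can claim: bytes collected times the estimated bits of
 * entropy per byte (the thread's VMS estimate is 4 bits/byte). */
size_t pool_entropy_bits(size_t pool_bytes, unsigned entropy_per_byte)
{
    return pool_bytes * entropy_per_byte;
}

/* 1 if a pool of pool_bytes bytes at entropy_per_byte bits/byte covers
 * instantiation at strength_bits, 0 if the DRBG would fail to instantiate. */
int pool_can_instantiate(size_t strength_bits, size_t pool_bytes,
                         unsigned entropy_per_byte)
{
    return pool_entropy_bits(pool_bytes, entropy_per_byte)
           >= entropy_bits_for_instantiate(strength_bits);
}

/* libm-free square root (Newton's method) so the example builds without -lm. */
static double sqrt_newton(double v)
{
    double x;
    if (v <= 0.0)
        return 0.0;
    x = v > 1.0 ? v : 1.0;
    for (int i = 0; i < 80; i++)
        x = 0.5 * (x + v / x);
    return x;
}

/* log2(x) for 0 < x <= 1: normalise into [1,2), then extract the fractional
 * bits one at a time by repeated squaring. */
static double log2_unit(double x)
{
    double ipart = 0.0, fpart = 0.0, step = 0.5;
    while (x < 1.0) {
        x *= 2.0;
        ipart -= 1.0;
    }
    for (int i = 0; i < 48; i++) {
        x *= x;
        if (x >= 2.0) {
            x /= 2.0;
            fpart += step;
        }
        step /= 2.0;
    }
    return ipart + fpart;
}

/* SP 800-90B section 6.3.1 "most common value" min-entropy estimate, in bits
 * per 8-bit sample: an upper 99% confidence bound on the most frequent
 * symbol's probability, converted with -log2. It is the crudest of the 90B
 * estimators, but it is cheap and gives a first idea of a source's quality. */
double mcv_min_entropy(const uint8_t *samples, size_t n)
{
    size_t counts[256] = {0};
    size_t max_count = 0;
    double p_max, p_u;

    if (n < 2)
        return 0.0;
    for (size_t i = 0; i < n; i++)
        if (++counts[samples[i]] > max_count)
            max_count = counts[samples[i]];
    p_max = (double)max_count / (double)n;
    p_u = p_max + 2.576 * sqrt_newton(p_max * (1.0 - p_max) / (double)(n - 1));
    if (p_u > 1.0)
        p_u = 1.0;
    return -log2_unit(p_u);
}

/* Constructed sources: a stuck value (worst case, 0 bits) and a byte counter
 * (every symbol equally often, the most this estimator can report for 256
 * samples). Real input would be a sampled kernel variable. */
double constant_source_entropy(void)
{
    uint8_t s[1000] = {0};
    return mcv_min_entropy(s, sizeof s);
}

double counter_source_entropy(void)
{
    uint8_t s[256];
    for (size_t i = 0; i < sizeof s; i++)
        s[i] = (uint8_t)i;
    return mcv_min_entropy(s, sizeof s);
}

int main(void)
{
    /* The VMS pool from the thread: 64 bytes at 4 bits/byte = 256 bits. */
    printf("AES-256-CTR needs %zu bits, pool ok: %d\n",
           entropy_bits_for_instantiate(256), pool_can_instantiate(256, 64, 4));
    printf("AES-128-CTR needs %zu bits, pool ok: %d\n",
           entropy_bits_for_instantiate(128), pool_can_instantiate(128, 64, 4));
    printf("MCV min-entropy: stuck %.2f, counter %.2f bits/byte\n",
           constant_source_entropy(), counter_source_entropy());
    return 0;
}
```

With the thread's numbers the 256-bit strength needs 384 bits and the 64-byte pool fails, while the 128-bit strength needs 192 bits and passes, which is the arithmetic behind defaulting to AES-128-CTR on VMS. The estimator reports about 6.2 bits/byte for the counter rather than 8 because 256 samples are too few to narrow the confidence bound; a real assessment uses far more samples and the full set of 90B estimators.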
