[openssl-users] Fips CTR_DRBG

Piotr Łobacz piotr.lobacz at radmor.com.pl
Thu Feb 26 14:10:12 UTC 2015

I have read that the RAND API will use CTR_DRBG by default, but what if I
want to set a seed and then calculate and have the same results on
two different machines? As far as I understand, if I set the seed - which is
calculated from entropy, nonce and personal string - if it is given I
should get some deterministic value of the returned buffer, and RAND_bytes
doesn't give me such a result; it is always different. Correct me if I am

On Thu, 2015-02-26 at 13:28 +0000, Dr. Stephen Henson wrote:
> On Thu, Feb 26, 2015, Piotr Łobacz wrote:
> > Hello,
> > I have a question about FIPS CTR_DRBG. I have managed to compile OpenSSL
> > with FIPS and everything works fine. The method FIPS_mode returns 1,
> > so I am in FIPS mode, but my problem is that I don't know how to properly use
> > the FIPS_drbg API.
> If you simply want to use the DRBG in CTR mode then you don't need to do
> anything special: in FIPS mode the DRBG in CTR mode with a 256 bit AES key is
> the default and you can just use the normal RAND APIs.
> Do not use the self test or algorithm test code in applications: you need to
> set up proper entropy gathering callbacks and the test code contains
> deterministic examples which would have zero security in a real application.
> That's what the RAND API will do by default.
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


Piotr Łobacz
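
The determinism asked about above, as an added example that is not part of the original message and is not OpenSSL code: a minimal HMAC_DRBG from SP 800-90A (the same standard as CTR_DRBG, used here because it needs only the Python standard library), showing that fixed entropy, nonce and personalization string reproduce the same bytes on any machine, while entropy drawn from the OS per instantiation does not. The names `HmacDrbg` and `demo` and all input values are constructed for illustration.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A) with SHA-256; no reseed counter or health tests."""

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        self.key = b"\x00" * 32
        self.v = b"\x01" * 32
        # Seed material is the concatenation of the three inputs named in the thread.
        self._update(entropy + nonce + personalization)

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        self.key = self._hmac(self.v + b"\x00" + provided)
        self.v = self._hmac(self.v)
        if provided:
            self.key = self._hmac(self.v + b"\x01" + provided)
            self.v = self._hmac(self.v)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.v = self._hmac(self.v)
            out += self.v
        self._update()  # advance state so earlier output cannot be recomputed
        return out[:n]


def demo() -> dict:
    # Constructed fixed inputs, standing in for test-vector style seeding.
    fixed = dict(entropy=b"\xaa" * 32, nonce=b"\xbb" * 16, personalization=b"example")
    machine_a = HmacDrbg(**fixed).generate(32)
    machine_b = HmacDrbg(**fixed).generate(32)
    # What a real entropy callback provides: fresh OS randomness per instantiation.
    live_1 = HmacDrbg(os.urandom(32), os.urandom(16), b"example").generate(32)
    live_2 = HmacDrbg(os.urandom(32), os.urandom(16), b"example").generate(32)
    return {"fixed_equal": machine_a == machine_b, "live_equal": live_1 == live_2,
            "fixed_hex": machine_a.hex()}


if __name__ == "__main__":
    print(demo())
```

Anyone who knows the fixed inputs can regenerate every output byte, which is why test-vector seeding belongs only in algorithm validation.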
