[openssl-users] PRNG is not seeded

Jakob Bohm jb-openssl at wisemo.com
Tue Jun 5 06:46:03 UTC 2018

On 04/06/2018 15:56, Michael Wojcik wrote:
> Of course people have been harvesting entropy, or trying to, from network sources for decades. There's a famous paragraph regarding it in RFC 4086, which is an expanded version of a similar statement from RFC 1750 (1994):
>      Other external events, such as network packet arrival times and
>      lengths, can also be used, but only with great care.  In particular,
>      the possibility of manipulation of such network traffic measurements
>      by an adversary and the lack of history at system start-up must be
>      carefully considered.  If this input is subject to manipulation, it
>      must not be trusted as a source of entropy.
> (RFC 4086, 3.5)
> More generally: It's often possible to harvest quite a bit of information that can't be adequately predicted or statistically modeled by an attacker from network sources, and these days distilling CPRNG entropy from such inputs is straightforward thanks to the use of cryptographic compression functions. It's the edge cases that bite you. 4086 mentions attacker manipulation (flooding network sources with known data to flush entropy out of the pool) and start-up (if you don't have persistent storage of adequate seed material). Embedded devices may suffer from too little, or too predictable, network traffic in their limited reception area.
> You can get stronger guarantees from hardware entropy devices, which are cheap (in every sense: component cost, power consumption, size, ...). So there's not a lot of incentive to do more research into gathering entropy from external sources - it makes more sense to lean on device manufacturers, or use add-on devices.
Hence my solution of using a hardware TRNG shared over the
network with devices that lack the ability to have one added.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
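An added example, not part of the original thread and not OpenSSL's or WiseMo's code, showing how a device without its own TRNG can consume a hardware TRNG shared over the network without trusting the wire. The message format (client nonce || entropy || HMAC-SHA256), the pre-provisioned shared key, and the entropy accounting are assumptions made here for illustration. Two points from the discussion are encoded: a reply from the remote TRNG is only credited as entropy if it authenticates and is bound to a fresh client nonce, so a spoofed or replayed reply is rejected; and local packet timings and lengths are mixed in but credited with zero bits, following the RFC 4086 caveat that manipulable input must not be trusted as an entropy source.

```python
"""Consume a network-shared TRNG safely (added example; the protocol is assumed)."""
import hashlib
import hmac
import struct

ENTROPY_BYTES = 32   # TRNG output bytes requested per reply (assumption)
TAG_BYTES = 32       # HMAC-SHA256 tag length


def trng_reply(key: bytes, client_nonce: bytes, raw_entropy: bytes) -> bytes:
    """Server side of the assumed protocol: nonce || entropy || HMAC(key, nonce || entropy)."""
    if len(raw_entropy) != ENTROPY_BYTES:
        raise ValueError("server must supply exactly ENTROPY_BYTES")
    body = client_nonce + raw_entropy
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_reply(key: bytes, client_nonce: bytes, reply: bytes) -> bytes:
    """Client side: return the entropy bytes only if the reply is authentic and fresh."""
    if len(reply) != len(client_nonce) + ENTROPY_BYTES + TAG_BYTES:
        raise ValueError("malformed reply")
    body, tag = reply[:-TAG_BYTES], reply[-TAG_BYTES:]
    # Constant-time comparison so the check does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC: reply forged or corrupted")
    # A valid MAC over a stale nonce is a replay: an attacker re-sends an old reply
    # so that two boots (or two devices) end up with the same seed.
    if body[:len(client_nonce)] != client_nonce:
        raise ValueError("nonce mismatch: replayed reply")
    return body[len(client_nonce):]


def mix_seed(remote_entropy, packet_samples, persisted_seed: bytes, boot_counter: int):
    """Distil every input into one 32-byte seed and return (seed, credited_bits).

    Everything is hashed in (mixing known or attacker-chosen data cannot make the
    output easier to predict), but only the authenticated TRNG bytes are credited.
    packet_samples are (arrival_ns, length) pairs from local network traffic and
    are credited 0 bits because an on-path attacker can shape them.
    """
    h = hashlib.sha256()
    h.update(b"seed-v1")                        # domain-separation label
    h.update(struct.pack(">Q", boot_counter))   # keeps seeds distinct across boots
    h.update(persisted_seed)                    # previous seed file, quality unknown: 0 bits
    for arrival_ns, length in packet_samples:
        h.update(struct.pack(">QH", arrival_ns, length))
    credited = 0
    if remote_entropy is not None:
        h.update(remote_entropy)
        credited = min(8 * len(remote_entropy), 256)  # never credit more than the hash output
    return h.digest(), credited


if __name__ == "__main__":
    # Constructed sample data: key provisioned out of band, nonce from a boot counter,
    # and fake TRNG output; none of this is real entropy.
    key = bytes(range(32))
    nonce = struct.pack(">Q", 7) + b"\x00" * 8
    reply = trng_reply(key, nonce, b"\xab" * ENTROPY_BYTES)
    remote = verify_reply(key, nonce, reply)
    seed, bits = mix_seed(remote, [(1_700_000_000_123, 60), (1_700_000_000_987, 1500)], b"", 7)
    print(seed.hex(), "credited bits:", bits)
```

On the OpenSSL side the returned seed and bit count are what you would hand to RAND_add(seed, len(seed), credited_bits / 8), whose third argument is the entropy estimate in bytes; with an unauthenticated or replayed reply the function raises before anything is credited, so RAND_status() keeps reporting an unseeded PRNG instead of a falsely seeded one.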
