[openssl-users] PEM_write_bio_RSAPrivateKey assure Randomness of PK

Michael Wojcik Michael.Wojcik at microfocus.com
Wed May 23 18:39:29 UTC 2018


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of redpath
> Sent: Wednesday, May 23, 2018 13:08
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] PEM_write_bio_RSAPrivateKey assure
> Randomness of PK
>
> So if I add this RAND usage below, am I seeding to assure a different RSA key
> pair on each run of creating an RSA pair?

You'll get a *different* key pair (with high probability) each time, provided you wait at least a second between generating keys. That is, if you get anything at all; you may not, if there isn't enough entropy in the pool.

You'll also get completely pointless keys, because the wall-clock time contains little entropy.

As Viktor wrote: DO NOT DO THIS. If you don't understand why, stop trying to use cryptography until you've learned enough about the subject to be a bit less dangerous.

> I would certainly replace the time with the UUID of the device to be unique
> to the device. You would have to acquire the device to know the seeding.

Or get the UUID through any other means, such as a malicious app.

And generating two key pairs after seeding with UUID || time means the CPRNG state differs only by the 32 bits in time - and most of those will be the same, unless a *long* time has passed. So the joint information of the pairs is high, which is a Bad Thing.

And UUIDs are only 128 bits, so the total seed size is 160 bits; and neither the UUID nor the time are completely random (far from it), so you only have a small amount of entropy. DO NOT DO THIS.

There's no point in using a real cipher if you're going to starve your CPRNG. Just use a toy cipher - it's less work for you, and you won't be making false promises of security.

If you want to do this right:

1) Learn something about cryptography.
2) Gather sufficient entropy from suitable sources. If nothing else, have the user scribble on the touchscreen and track pointer movement. It's still easy to overestimate the entropy of that sort of thing, but it's better than nothing, and indeed better than what many people do for seeding.

Oh, and when asking questions about OpenSSL, a smart move is to mention what version of OpenSSL you're using, platform details, and something about the problem you're trying to solve.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
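As an added illustration of the seeding point in the message above (not code from the thread or from OpenSSL): a toy HMAC-SHA256 generator seeded with UUID || time versus OS entropy. The device UUID is a constructed value and the generator is a stand-in for a CPRNG, not OpenSSL's DRBG.

```python
import hashlib
import hmac
import os
import struct

# Constructed 128-bit "device UUID" standing in for the real one in the thread.
DEVICE_UUID = bytes.fromhex("0123456789abcdef0123456789abcdef")


def weak_seed(device_uuid: bytes, wall_clock: int) -> bytes:
    """The scheme under discussion: UUID || time, 160 bits in total.
    The UUID is fixed per device, so only the 32 time bits ever vary."""
    return device_uuid + struct.pack(">I", wall_clock & 0xFFFFFFFF)


def strong_seed() -> bytes:
    """What a properly seeded CPRNG starts from: OS-gathered entropy."""
    return os.urandom(32)


def toy_drbg(seed: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode. Any CPRNG is a deterministic function of
    its seed; this toy stands in for a real DRBG and is not OpenSSL code."""
    out = bytearray()
    for counter in range((nbytes + 31) // 32):
        out += hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:nbytes])


def key_material(seed: bytes) -> bytes:
    """Stand-in for 'generate an RSA key pair' from the seeded generator."""
    return toy_drbg(seed, 64)


def weak_keys_repeat(device_uuid: bytes, wall_clock: int) -> bool:
    """Two key generations in the same second feed the same seed, so the
    'random' key material is identical. True means the seeding failed."""
    first = key_material(weak_seed(device_uuid, wall_clock))
    second = key_material(weak_seed(device_uuid, wall_clock))
    return first == second


def strong_keys_repeat() -> bool:
    """Same check against OS entropy: the two seeds differ, so the keys do."""
    return key_material(strong_seed()) == key_material(strong_seed())


def differing_seed_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two seeds: how much the CPRNG state differs."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

Seeds one second apart differ in only a bit or two of the 160, which is the "joint information is high" problem described above.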

