[openssl-users] Seeding before RSA key generation

Jakob Bohm jb-openssl at wisemo.com
Thu Oct 4 15:58:43 UTC 2018

On 04/10/2018 17:38, Salz, Rich wrote:
>>     What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
>      than not being an NSA/NIST design?
> Poor locking; been known to crash.

Simple bug, not a reason to change the algorithm.

> Does not reseed.

But can be reseeded if so desired, subject to locking.

> Global across the process, rather than isolated for private-key generation or per-connection.

This is good, not bad.

> Mixes in getpid and time to get "better" random bytes.

This gives 2 to 5 extra bits on machines with little available entropy,
provided init is not done too early in the machine boot process.  There
seem to be much stronger sources loaded where available.

> Has a "pseudo-rand" feature.

This is a clearly marked feature useful when the entropy sources are
significantly slower than the random bit need, such as on a busy TLS
server with a serial port (or slower) entropy source.

> Never was cryptographically evaluated.

By whom?, I would expect the very public OpenSSL RNG to have been
subjected to lots of 3rd party review outside the Foundation.

The new design is taken from a document that was insufficiently publicly
reviewed and was later found to contain a likely backdoor in one of its
other suggested RNG designs, making the entire document highly dubious.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list