[openssl-users] RNG behavior by default
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Fri Jan 4 12:46:11 UTC 2019
> So my concerns are:
> 1. Whether I really can count on getting a high-entropy PRNG across these various platforms, without any explicit initialization.
Yes, for the mentioned platforms, the default configuration is `--with-rand-seed=os`, which means the DRBG automatically seeds
and reseeds using os entropy sources.
2. If something goes wrong with PRNG initialization, that it will fail hard rather than fall back to something less secure. And if so how I detect such a failure.
If the (re-)seeding fails, the DRBG enters an error state. When you try to generate random bytes it will detect the error state and try
automatically to heal the error state by reinstantiating. But if reseeding fails, it will return and error code and not generate any pseudo random bytes.
Citing from the manual pages:
OpenSSL comes with a default implementation of the RAND API which is based on the
deterministic random bit generator (DRBG) model as described in [NIST SP 800-90A Rev. 1].
The default random generator will initialize automatically on first use and will be fully functional
without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using
trusted random sources provided by the operating system.
As a normal application developer, you do not have to worry about any details, just use RAND_bytes(3)
to obtain random data. Having said that, there is one important rule to obey: Always check the error
return value of RAND_bytes(3) and do not take randomness for granted.
(See also https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html)
More information about the openssl-users