[openssl-users] RNG behavior by default
Dr Paul Dale
paul.dale at oracle.com
Fri Jan 4 22:45:37 UTC 2019
I know that iOS (which was listed) has a good randomness source (SecRandomCopyBytes <https://developer.apple.com/documentation/security/1399291-secrandomcopybytes>) but I don’t think OpenSSL uses it yet.
I’m not sure about the quality of Android’s sources, but would expect them to be decent.
Pauli
> On 4 Jan 2019, at 10:46 pm, Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com> wrote:
>
>> So my concerns are:
>> 1. Whether I really can count on getting a high-entropy PRNG across these various platforms, without any explicit initialization.
>
> Yes, for the mentioned platforms, the default configuration is `--with-rand-seed=os`, which means the DRBG automatically seeds
> and reseeds using OS entropy sources.
>
>> 2. If something goes wrong with PRNG initialization, that it will fail hard rather than fall back to something less secure. And if so how I detect such a failure.
>
> If the (re-)seeding fails, the DRBG enters an error state. When you try to generate random bytes it will detect the error state and try
> automatically to heal the error state by reinstantiating. But if reseeding fails, it will return an error code and not generate any pseudo random bytes.
>
> Citing from the manual pages:
>
> OpenSSL comes with a default implementation of the RAND API which is based on the
> deterministic random bit generator (DRBG) model as described in [NIST SP 800-90A Rev. 1].
> The default random generator will initialize automatically on first use and will be fully functional
> without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using
> trusted random sources provided by the operating system.
>
> As a normal application developer, you do not have to worry about any details, just use RAND_bytes(3)
> to obtain random data. Having said that, there is one important rule to obey: Always check the error
> return value of RAND_bytes(3) and do not take randomness for granted.
>
> https://www.openssl.org/docs/man1.1.1/man7/RAND.html
>
> (See also https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html)
>
> Matthias
>