[openssl-users] RNG behavior by default

Dr Paul Dale paul.dale at oracle.com
Fri Jan 4 22:45:37 UTC 2019 

I know that iOS (which was listed) has a good randomness source (SecRandomCopyBytes <https://developer.apple.com/documentation/security/1399291-secrandomcopybytes>) but I don’t think OpenSSL uses it yet.
I’m not sure about the quality of Android’s sources, but would expect them to be decent.


Pauli


> On 4 Jan 2019, at 10:46 pm, Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com> wrote:
> 
>> So my concerns are:
>> 1. Whether I really can count on getting a high-entropy PRNG across these various platforms, without any explicit initialization.
> 
> Yes, for the mentioned platforms, the default configuration is `--with-rand-seed=os`, which means the DRBG automatically seeds
> and reseeds using os entropy sources.
> 
> 2. If something goes wrong with PRNG initialization, that it will fail hard rather than fall back to something less secure. And if so how I detect such a failure.
> 
> If the (re-)seeding fails, the DRBG enters an error state. When you try to generate random bytes it will detect the error state and try
> automatically to heal the error state by reinstantiating. But if reseeding fails, it will return and error code and not generate any pseudo random bytes.
> 
> Citing from the manual pages:
> 
> 	OpenSSL comes with a default implementation of the RAND API which is based on the
> 	deterministic random bit generator (DRBG) model as described in [NIST SP 800-90A Rev. 1].
> 	The default random generator will initialize automatically on first use and will be fully functional
> 	without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using
> 	trusted random sources provided by the operating system.
> 
> 	As a normal application developer, you do not have to worry about any details, just use RAND_bytes(3)
> 	to obtain random data. Having said that, there is one important rule to obey: Always check the error
> 	return value of RAND_bytes(3) and do not take randomness for granted.
> 
> 	https://www.openssl.org/docs/man1.1.1/man7/RAND.html
> 
> (See also https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html)
> 
> Matthias
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190105/47efb4f1/attachment-0001.html>

More information about the openssl-users mailing list