I know that iOS (which was listed) has a good randomness source (SecRandomCopyBytes <https://developer.apple.com/documentation/security/1399291-secrandomcopybytes>) but I don’t think OpenSSL uses it yet.
I’m not sure about the quality of Android’s sources, but would expect them to be decent.


Pauli


> On 4 Jan 2019, at 10:46 pm, Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com> wrote:
> 
>> So my concerns are:
>> 1. Whether I really can count on getting a high-entropy PRNG across these various platforms, without any explicit initialization.
> 
> Yes, for the mentioned platforms, the default configuration is `--with-rand-seed=os`, which means the DRBG automatically seeds and reseeds using os entropy sources.
> 
>> 2. If something goes wrong with PRNG initialization, that it will fail hard rather than fall back to something less secure. And if so how I detect such a failure.
> 
> If the (re-)seeding fails, the DRBG enters an error state. When you try to generate random bytes it will detect the error state and try automatically to heal the error state by reinstantiating. But if reseeding fails, it will return an error code and not generate any pseudo random bytes.
> 
> Citing from the manual pages:
> 
>       OpenSSL comes with a default implementation of the RAND API which is based on the
>       deterministic random bit generator (DRBG) model as described in [NIST SP 800-90A Rev. 1].
>       The default random generator will initialize automatically on first use and will be fully functional
>       without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using
>       trusted random sources provided by the operating system.
> 
>       As a normal application developer, you do not have to worry about any details, just use RAND_bytes(3)
>       to obtain random data. Having said that, there is one important rule to obey: Always check the error
>       return value of RAND_bytes(3) and do not take randomness for granted.
> 
>       https://www.openssl.org/docs/man1.1.1/man7/RAND.html
> 
> (See also https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html)
> 
> Matthias
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
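
An added example, not part of either message and not OpenSSL's own code, of the rule quoted above: check the RAND_bytes(3) return value and fail closed. RAND_bytes(3) returns 1 on success, 0 on failure and -1 when the RAND method does not support it, so the test must be `== 1`. The names `rand_fn`, `random_or_fail`, the `stub_*` sources and the `USE_OPENSSL` build macro are hypothetical; the stubs are constructed so the error paths can be exercised without breaking a real DRBG.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#ifdef USE_OPENSSL   /* assumed macro; build: cc -DUSE_OPENSSL demo.c -lcrypto */
#include <openssl/rand.h>
#endif

/* Same signature and return convention as RAND_bytes(3):
 * 1 = success, 0 = failure, -1 = not supported by the RAND method. */
typedef int (*rand_fn)(unsigned char *buf, int num);

/* Hypothetical helper: fill `out` with `len` random bytes, or fail closed.
 * Returns 1 only if the source reported success; on any other result the
 * buffer is zeroed so partial or stale data is never mistaken for a key. */
int random_or_fail(rand_fn source, unsigned char *out, size_t len)
{
    if (source == NULL || out == NULL || len == 0 || len > INT_MAX)
        return 0;
    if (source(out, (int)len) == 1)   /* `!= 0` would accept -1 as success */
        return 1;
    for (volatile unsigned char *p = out; len > 0; len--)
        *p++ = 0;
    return 0;
}

/* Constructed stand-ins for a DRBG in each state. */
int stub_ok(unsigned char *b, int n) { for (int i = 0; i < n; i++) b[i] = 0xA5; return 1; }
int stub_failed(unsigned char *b, int n) { if (n > 0) b[0] = 0x41; return 0; }
int stub_unsupported(unsigned char *b, int n) { (void)b; (void)n; return -1; }

int main(void)
{
    unsigned char key[32];
#ifdef USE_OPENSSL
    rand_fn source = RAND_bytes;    /* the real, self-seeding DRBG */
#else
    rand_fn source = stub_failed;   /* simulate a DRBG stuck in its error state */
#endif
    if (!random_or_fail(source, key, sizeof key)) {
        fprintf(stderr, "no randomness available, aborting\n");
        return 1;                   /* stop here; do not derive keys */
    }
    puts("32 random bytes generated");
    return 0;
}
```

Built without `-DUSE_OPENSSL`, the program takes the abort path; with it, the same caller code runs against the real `RAND_bytes`.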
