On 26.06.2017 20:51, Salz, Rich via openssl-dev wrote:
>
>> Constructive suggestion: If you want to see what a RNG looks like when
>> designed by cryptographers, take a look at:
>> Elaine Barker and John Kelsey,
>> “Recommendation for Random Number Generation Using Deterministic
>> Random Bit Generators”
>> http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can leave out some of
>> the blocks in their diagram, proceed with caution. Every one of those blocks
>> is there for a reason.
> Well maybe I can ignore section 10.3?
>
That's a nice joke, Rich, but the Dual_EC_DRBG chapter has been dropped in SP800-90Ar1, which supersedes SP800-90A:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

But seriously: OpenSSL already has an implementation of the SP800-90A DRBG, but unfortunately it is only part of the FIPS object module (see reference [1] below). I always wondered why the code was never migrated to OpenSSL master (say, replacing the FIPS_drbg_* names by e.g. RAND_drbg_*). Then the SP800-90A DRBG would be usable by everyone and could be activated by

RAND_set_rand_method(RAND_drbg_method());
To me, the design and implementation of the DRBG appears sophisticated and I like its concept for reseeding, which is highly configurable using

FIPS_drbg_set_reseed_interval() and
FIPS_drbg_set_callbacks()
In fact, we are currently using the AES-CTR DRBG in our product (see [2]) because we had the requirement that the random generator should be seeded periodically from an external entropy source, for example a smart card or a cryptographic acceleration unit. This was easily achieved using the aforementioned DRBG callback mechanism.
So I have two questions:

- Do you intend to continue supporting RAND_set_rand_method() or will there only be one 'perfect' random generator and no choice anymore?
- Do you consider the SP800-90A DRBG outdated or will there be a chance that it will be added to the OpenSSL master as an officially supported RAND method?
- Will the new OpenSSL RNG support a way to configure reseed intervals and external entropy sources in a similar fashion as the FIPS DRBG did?
Best regards,
Matthias St. Pierre
[1] Section 6.1 of the OpenSSL FIPS User Guide 2.0
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

[2] We link against a FIPS capable OpenSSL 1.0.2 crypto library and use the FIPS DRBG even in the case where FIPS mode is not enabled globally: In that case, during initialization we check whether FIPS mode initialization is successful, and then turn FIPS mode off again and only keep the random generator by calling RAND_set_rand_method(FIPS_drbg_method()). For Windows, we had to add some FIPS_drbg_* symbols to libeay.num to make this work.
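The reseed mechanism the post relies on (an external entropy callback plus a reseed interval, as in FIPS_drbg_set_callbacks() and FIPS_drbg_set_reseed_interval()), shown as an added example that is not OpenSSL or FIPS module code: an SP800-90A HMAC_DRBG over SHA-256 instead of the AES-CTR DRBG, because the standard library has HMAC but no AES, with class and method names being my own.

```python
import hmac
import hashlib

def _h(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class HmacDrbg:
    # SP800-90A HMAC_DRBG over SHA-256 with an external entropy callback and a
    # reseed interval (the FIPS_drbg_set_callbacks / _set_reseed_interval idea).
    OUTLEN = 32  # SHA-256 output length; also the security strength in bytes

    def __init__(self, get_entropy, reseed_interval, nonce=b"", pers=b""):
        self.get_entropy = get_entropy  # external source, e.g. a smart card
        self.reseed_interval = reseed_interval
        self.K, self.V = b"\x00" * self.OUTLEN, b"\x01" * self.OUTLEN
        # Instantiate (10.1.2.3): seed material = entropy || nonce || pers.
        self._update(self._entropy() + nonce + pers)
        self.reseed_counter = 1

    def _entropy(self) -> bytes:
        ent = self.get_entropy(self.OUTLEN)
        if len(ent) < self.OUTLEN:  # refuse to run on a starved source
            raise RuntimeError("entropy source returned too few bytes")
        return ent

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update (10.1.2.2); second round only with provided data.
        self.K = _h(self.K, self.V + b"\x00" + provided)
        self.V = _h(self.K, self.V)
        if provided:
            self.K = _h(self.K, self.V + b"\x01" + provided)
            self.V = _h(self.K, self.V)

    def reseed(self, additional: bytes = b"") -> None:
        # Reseed (10.1.2.4): pull fresh entropy, reset the request counter.
        self._update(self._entropy() + additional)
        self.reseed_counter = 1

    def generate(self, n: int) -> bytes:
        # Generate (10.1.2.5): after reseed_interval requests, reseed first.
        if self.reseed_counter > self.reseed_interval:
            self.reseed()
        out = b""
        while len(out) < n:
            self.V = _h(self.K, self.V)
            out += self.V
        self._update(b"")
        self.reseed_counter += 1
        return out[:n]
```

Any callable returning at least OUTLEN bytes can stand in for the entropy source; a source that returns fewer bytes is rejected rather than silently used.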