On 26.06.2017 20:51, Salz, Rich via openssl-dev wrote:
>
>> Constructive suggestion: If you want to see what a RNG looks like when
>> designed by cryptographers, take a look at:
>> Elaine Barker and John Kelsey,
>> “Recommendation for Random Number Generation Using Deterministic
>> Random Bit Generators”
>> http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can leave out some of
>> the blocks in their diagram, proceed with caution. Every one of those blocks
>> is there for a reason.
> Well maybe I can ignore section 10.3?
>
That's a nice joke Rich, but the Dual_EC_DRBG chapter has been dropped in SP800-90Ar1, which supersedes SP800-90A:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

But seriously: OpenSSL already has an implementation of the SP800-90A DRBG, but unfortunately it is only part of the FIPS object module (see reference [1] below). I always wondered why the code was never migrated to OpenSSL master (say, replacing the FIPS_drbg_* names by e.g. RAND_drbg_*). Then the SP800-90A DRBG would be usable by everyone and could be activated by

RAND_set_rand_method(RAND_drbg_method());

To me, the design and implementation of the DRBG appears sophisticated and I like its concept for reseeding, which is highly configurable using FIPS_drbg_set_reseed_interval() and FIPS_drbg_set_callbacks().

In fact, we are currently using the AES-CTR DRBG in our product (see [2]) because we had the requirement that the random generator should be seeded periodically from an external entropy source, for example a smart card or a cryptographic acceleration unit. This was easily achieved using the aforementioned DRBG callback mechanism.

So I have two questions:

- Do you intend to continue supporting RAND_set_rand_method() or will there only be one 'perfect' random generator and no choice anymore?
- Do you consider the SP800-90A DRBG outdated or will there be a chance that it will be added to the OpenSSL master as officially supported RAND method?
- Will the new OpenSSL RNG support a way to configure reseed intervals and external entropy sources in a similar fashion as the FIPS DRBG did?

Best regards,
Matthias St. Pierre

[1] Section 6.1 of the OpenSSL FIPS User Guide 2.0
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

[2] We link against a FIPS capable OpenSSL 1.0.2 crypto library and use the FIPS DRBG even in the case where FIPS mode is not enabled globally: In that case, during initialization we check whether FIPS mode initialization is successful, and then turn FIPS mode off again and only keep the random generator by calling RAND_set_rand_method(FIPS_drbg_method()). For Windows, we had to add some FIPS_drbg_* symbols to libeay.num to make this work.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
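The reseed-interval and entropy-callback mechanism the post refers to, as an added illustration that is not part of the original message and not OpenSSL or FIPS module code: a minimal SP 800-90A Hash_DRBG (SHA-256, no additional input) in Python, where the assumed `get_entropy` callback stands in for the external entropy source and `reseed_interval` plays the role that FIPS_drbg_set_reseed_interval() plays in the FIPS DRBG. Constant entropy bytes used to exercise it are constructed test input, not real entropy.

```python
import hashlib

SEEDLEN = 440 // 8      # seedlen in bytes for SHA-256 (SP 800-90A, Table 2)
STRENGTH = 32           # 256-bit security strength, in bytes


def hash_df(data: bytes, out_len: int) -> bytes:
    """Hash_df: derive out_len bytes from data (counter || bit length || data)."""
    out, counter = b"", 1
    while len(out) < out_len:
        block = bytes([counter]) + (out_len * 8).to_bytes(4, "big") + data
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:out_len]


class HashDRBG:
    """SP 800-90A Hash_DRBG without additional input. Constructed example, not OpenSSL code."""

    def __init__(self, get_entropy, reseed_interval=1 << 10, nonce=b"", personalization=b""):
        self.get_entropy = get_entropy          # assumed callback: n -> n bytes of fresh entropy
        self.reseed_interval = reseed_interval  # generate() calls allowed between reseeds
        self.reseeds = 0                        # how often the entropy callback was invoked
        self._seed(self._entropy() + nonce + personalization)   # Instantiate

    def _entropy(self) -> bytes:
        self.reseeds += 1
        return self.get_entropy(STRENGTH)

    def _seed(self, seed_material: bytes) -> None:
        self.V = hash_df(seed_material, SEEDLEN)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, additional: bytes = b"") -> None:
        """Reseed: fold the old V and fresh entropy from the callback into the state."""
        self._seed(b"\x01" + self.V + self._entropy() + additional)

    def generate(self, n: int) -> bytes:
        if self.reseed_counter > self.reseed_interval:
            self.reseed()                        # automatic reseed once the interval is exceeded
        mod = 1 << (SEEDLEN * 8)
        data, out = int.from_bytes(self.V, "big"), b""
        while len(out) < n:                      # Hashgen
            out += hashlib.sha256(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % mod
        h = int.from_bytes(hashlib.sha256(b"\x03" + self.V).digest(), "big")
        v = (int.from_bytes(self.V, "big") + h + int.from_bytes(self.C, "big") + self.reseed_counter) % mod
        self.V, self.reseed_counter = v.to_bytes(SEEDLEN, "big"), self.reseed_counter + 1
        return out[:n]
```

With a real source, `get_entropy` would block on the smart card or accelerator; the `reseeds` counter makes it visible how often the DRBG actually went back to that source.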