Re: How to use a hardware RNG with openssl?
On 2008.09.22 at 16:37:58 +0200, F. wrote:

> Any way to collect only from HRNG?

You can write your own RAND_METHOD and encapsulate it in the engine module. Then you can load this engine via openssl.cnf and set the default rand method to this engine.

Really, this is not a very good idea, because hardware random number generators are slow.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
RE: How to use a hardware RNG with openssl?
> On 2008.09.22 at 16:37:58 +0200, F. wrote:
>
>> Any way to collect only from HRNG?
>
> You can write your own RAND_METHOD and encapsulate it in the engine module. Then you can load this engine via openssl.cnf and set the default rand method to this engine.
>
> Really, this is not a very good idea, because hardware random number generators are slow.

Much better to mix in randomness from your hardware source into the OpenSSL PRNG. This is better for several reasons:

1) You can rate-limit how much you mix in. Say you mix in 1KB at startup and 128 bytes every 10 seconds after that. This will provide the same quality of randomness for cryptographic purposes, but will limit the effort. This will protect you against possible denial-of-service attacks where an attacker tries to make you use up more randomness than you have. Many HRNGs are vulnerable to this.

2) The OpenSSL PRNG is well-investigated. If your HRNG's output is not comparable in quality, your security could be compromised. For example, subtle bias in the output could have serious cryptographic consequences.

3) The OpenSSL PRNG is, by design, protected against non-random or defective inputs. So long as it has sufficient good input, no amount of bad input can hurt it.

DS
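The rate-limited mixing schedule from point 1), as an added example that is not code from the thread or from OpenSSL. The SHA-1 hash-chained pool stands in for OpenSSL's RAND_add()/RAND_bytes(); `read_hrng` is a hypothetical callable wrapping the hardware device, and the clock is injectable so the schedule can be checked without waiting. The point it shows is the denial-of-service bound: however many output requests arrive, hardware consumption is 1KB at startup plus 128 bytes per full 10-second interval.

```python
import hashlib
import time

# Added example (not code from the thread or from OpenSSL): a rate-limited
# seeder implementing the schedule proposed above. The hash-chained pool is a
# stand-in for OpenSSL's RAND_add()/RAND_bytes(); "read_hrng" is a hypothetical
# callable(n) -> bytes wrapping the hardware device.

STARTUP_BYTES = 1024       # mixed in once at startup
REFRESH_BYTES = 128        # mixed in per refresh
REFRESH_INTERVAL = 10.0    # seconds between refreshes


class RateLimitedSeeder:
    def __init__(self, read_hrng, clock=time.monotonic):
        self._read_hrng = read_hrng        # callable(n) -> n bytes from the HRNG
        self._clock = clock                # injectable clock, for deterministic tests
        self._pool = hashlib.sha1(b"constructed initial pool state").digest()
        self._last_refresh = None
        self.hrng_bytes_consumed = 0       # total demand placed on the hardware
        self._pull(STARTUP_BYTES)

    def _mix(self, data):
        # Chain new input into the pool through SHA-1: the new state depends on
        # everything mixed before, so bad input cannot erase earlier good input.
        self._pool = hashlib.sha1(self._pool + data).digest()

    def _pull(self, n):
        data = self._read_hrng(n)
        if len(data) != n:
            raise RuntimeError("HRNG short read: %d of %d bytes" % (len(data), n))
        self._mix(data)
        self.hrng_bytes_consumed += n
        self._last_refresh = self._clock()

    def maybe_refresh(self):
        """Pull REFRESH_BYTES from the HRNG only if REFRESH_INTERVAL has elapsed.
        Returns the number of HRNG bytes consumed by this call (0 or 128)."""
        if self._clock() - self._last_refresh < REFRESH_INTERVAL:
            return 0
        self._pull(REFRESH_BYTES)
        return REFRESH_BYTES

    def random_bytes(self, n):
        """Derive n output bytes from the pool. Each request is an opportunity
        to refresh, but hardware consumption is bounded by the schedule, so a
        flood of requests cannot drain the device."""
        self.maybe_refresh()
        out = bytearray()
        counter = 0
        while len(out) < n:
            out += hashlib.sha1(self._pool + counter.to_bytes(4, "big")).digest()
            counter += 1
        # Ratchet the state forward so a later compromise of the pool does not
        # reveal bytes already handed out.
        self._mix(b"ratchet")
        return bytes(out[:n])


def hrng_budget(seconds):
    """Upper bound on HRNG bytes consumed over `seconds` of runtime, whatever
    the request rate: 1024 + 128 per full 10-second interval."""
    return STARTUP_BYTES + REFRESH_BYTES * int(seconds // REFRESH_INTERVAL)
```

`hrng_budget(3600)` gives 47104 bytes for an hour of operation regardless of how many `random_bytes()` calls are made in that hour; a design that read the device on every request would instead consume as much as callers demand.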
Re: RE: How to use a hardware RNG with openssl?
On 2008.11.05 at 00:29:40 -0800, David Schwartz wrote:

> PRNG. This is better for several reasons:
>
> 1) You can rate-limit how much you mix in. Say you mix in 1KB at startup and 128 bytes every 10 seconds after that. This will provide the same quality of randomness for cryptographic purposes, but will limit the effort. This will protect you against possible denial-of-service attacks where an attacker tries to make you use up more randomness than you have. Many HRNGs are vulnerable to this.

This typically is not an issue for operations such as generation of long-term private/public key pairs. These operations are performed with user interaction, and usually done as a separate process. This process can well be configured to use HWRNG only.

> 2) The OpenSSL PRNG is well-investigated. If your HRNG's output is not comparable in quality, your security could be compromised. For example, subtle bias in the output could have serious cryptographic consequences.

Typically one has to perform many investigations to come out on the market with some cryptography hardware. In Russia, for example, this requires government certification, and the rules are very strict.

Of course, good software which uses HWRNG should test its proper functioning each time, for example by FIPS-140 tests, and just fail if it doesn't pass.
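The "test its proper functioning each time and just fail" advice, as an added example that is not code from the thread or from OpenSSL: the four FIPS 140-2 statistical tests (monobit, poker, runs, long run) as specified for a single 20,000-bit sample, with the thresholds from FIPS 140-2 before change notice 2 withdrew them. `read_checked` is the fail-closed wrapper; `pseudo_sample` is a constructed stand-in for a healthy device (SHA-256 in counter mode), not a hardware read.

```python
import hashlib

# Added example, not from the thread: the FIPS 140-2 power-up statistical
# tests applied to one 20,000-bit block of HWRNG output before it is trusted.
# Thresholds are the FIPS 140-2 values (prior to change notice 2).

SAMPLE_BITS = 20000
SAMPLE_BYTES = SAMPLE_BITS // 8

RUN_LIMITS = {  # run length -> (min, max) count, applied to 0-runs and 1-runs separately
    1: (2315, 2685),
    2: (1114, 1386),
    3: (527, 723),
    4: (240, 384),
    5: (103, 209),
    6: (103, 209),  # 6 means "6 or longer"
}


def _bits(sample):
    for byte in sample:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit(sample):
    """Number of ones must be strictly between 9725 and 10275."""
    ones = sum(_bits(sample))
    return 9725 < ones < 10275, ones


def poker(sample):
    """Chi-square-like statistic over the 5000 4-bit segments."""
    counts = [0] * 16
    for byte in sample:
        counts[byte >> 4] += 1
        counts[byte & 0x0F] += 1
    x = (16.0 / 5000) * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17, x


def runs(sample):
    """Returns (runs_ok, long_run_ok, counts); counts[value][length] is the
    number of runs of that bit value and length, length capped at 6."""
    counts = {0: [0] * 7, 1: [0] * 7}
    longest = 0
    prev = None
    length = 0
    for bit in _bits(sample):
        if bit == prev:
            length += 1
        else:
            if prev is not None:
                counts[prev][min(length, 6)] += 1
                longest = max(longest, length)
            prev, length = bit, 1
    counts[prev][min(length, 6)] += 1
    longest = max(longest, length)
    runs_ok = all(lo <= counts[v][k] <= hi
                  for v in (0, 1) for k, (lo, hi) in RUN_LIMITS.items())
    return runs_ok, longest < 26, counts


def fips_140_2_check(sample):
    """Fail closed: the sample must be exactly 2500 bytes and pass every test.
    Returns (ok, detail) where detail names the failing tests."""
    if len(sample) != SAMPLE_BYTES:
        return False, "sample must be %d bytes" % SAMPLE_BYTES
    failures = []
    ok, ones = monobit(sample)
    if not ok:
        failures.append("monobit ones=%d" % ones)
    ok, x = poker(sample)
    if not ok:
        failures.append("poker X=%.2f" % x)
    runs_ok, long_ok, _ = runs(sample)
    if not runs_ok:
        failures.append("runs")
    if not long_ok:
        failures.append("long run")
    return not failures, ", ".join(failures) or "pass"


def pseudo_sample(seed):
    """Constructed 'healthy source' for demonstration: SHA-256 counter mode.
    Not a hardware read; it only exercises the tests with well-distributed bits."""
    out = bytearray()
    counter = 0
    while len(out) < SAMPLE_BYTES:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:SAMPLE_BYTES])


def read_checked(read_hrng):
    """Read one 20,000-bit block via read_hrng(n) and refuse to use it unless
    every test passes, so a stuck or biased device fails loudly."""
    sample = read_hrng(SAMPLE_BYTES)
    ok, detail = fips_140_2_check(sample)
    if not ok:
        raise RuntimeError("HWRNG health check failed: " + detail)
    return sample
```

A device stuck at a constant value fails monobit and the long-run test; a device alternating 1010... passes monobit but fails poker and runs, which is why all four are applied together rather than a bit count alone.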
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote:
> Lutz Jaenicke wrote:
>> Gerd Schering wrote:
>>> Hello,
>>> we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom.
>>> So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as
>>>
>>>   openssl genrsa -rand /dev/qrandom 2048
>>>
>>> ?
>>
>> Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand.
>
> So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?

To my best knowledge there does not exist a mathematical proof for the quality of the used entropy pool with hash mixing PRNG. We believe that it is of very high quality.

You may also have a look into the thread "Fix VIA Padlock RNG support" on the openssl-dev mailing list. It discusses the point that OpenSSL does handle RNGs provided via the engine interface such that they in fact completely replace the built-in PRNG with the external entropy source.

Best regards,
Lutz
Re: How to use a hardware RNG with openssl?
F. wrote:
> If the true random generator is in /dev/random, and I want to use only this device for random data using openssl.cnf:
>
>   RANDFILE = /dev/random
>
> Is this correct?

This is nearly correct. OpenSSL will read 2048 bytes from it (2048 is hardcoded for device files to avoid endless loops; it seems my statement below was not completely up-to-date). The first attempt to generate a pseudo random number will however still read an additional amount of bytes from /dev/urandom.

Best regards,
Lutz

> On Fri, 19-09-2008 at 23:21 +0200, Gerd Schering wrote:
>> Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand.
>>
>> So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?
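The "read a specified amount of entropy first into an intermediate file to be fed via -rand" step, as an added example that is not code from the thread or from OpenSSL. It copies a bounded number of bytes (2048 by default, the figure Lutz gives for device files) from a source that never reports EOF into a 0600 seed file, capping the number of read() calls so a stalled device cannot loop forever, and raising if a source runs dry so a short seed is never silently produced. The device path and `fake-qrandom` file in `demo()` are constructed stand-ins; `genrsa_command` only returns the openssl invocation, it does not run it.

```python
import os
import stat
import tempfile

# Added example, not from the thread: harvest a fixed number of bytes from a
# random device (which never hits EOF) into a temporary seed file, and pass the
# file, not the device, to "openssl genrsa -rand".

DEFAULT_SEED_BYTES = 2048   # the amount Lutz reports OpenSSL reads from device files


def harvest_seed(source_path, out_path, nbytes=DEFAULT_SEED_BYTES, chunk=256, max_reads=None):
    """Copy exactly nbytes from source_path to out_path using a bounded number
    of read() calls. Returns nbytes on success; raises RuntimeError if the
    source stalls (too many short reads) or is exhausted before nbytes."""
    if max_reads is None:
        max_reads = 4 * (nbytes // chunk + 1)   # generous allowance for short reads
    remaining = nbytes
    reads = 0
    fd_in = os.open(source_path, os.O_RDONLY)
    # The seed is secret material: create it 0600 so it is never world-readable.
    fd_out = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        while remaining > 0:
            if reads >= max_reads:
                raise RuntimeError("source stalled after %d reads" % reads)
            data = os.read(fd_in, min(chunk, remaining))
            reads += 1
            if not data:   # EOF before nbytes: a regular file too short to be a seed
                raise RuntimeError("source exhausted with %d bytes still needed" % remaining)
            view = memoryview(data)
            while view:    # os.write may write less than asked; finish the chunk
                written = os.write(fd_out, view)
                view = view[written:]
            remaining -= len(data)
    finally:
        os.close(fd_in)
        os.close(fd_out)
    return nbytes


def genrsa_command(seed_path, bits=2048, key_out="key.pem"):
    """The openssl invocation that consumes the seed file (returned, not executed)."""
    return ["openssl", "genrsa", "-rand", seed_path, "-out", key_out, str(bits)]


def seed_file_is_private(path):
    """True if the seed file grants no permissions to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo():
    """Constructed run in a temp dir: a 10 KiB 'device' (os.urandom stand-in
    for /dev/qrandom) and a 100-byte source that is too short to seed from."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "fake-qrandom")
    short = os.path.join(workdir, "short-source")
    seed = os.path.join(workdir, "seed.bin")
    with open(device, "wb") as f:
        f.write(os.urandom(10 * 1024))
    with open(short, "wb") as f:
        f.write(os.urandom(100))
    harvested = harvest_seed(device, seed)
    try:
        harvest_seed(short, os.path.join(workdir, "seed2.bin"))
        short_rejected = False
    except RuntimeError:
        short_rejected = True
    return {
        "harvested": harvested,
        "size": os.path.getsize(seed),
        "private": seed_file_is_private(seed),
        "short_source_rejected": short_rejected,
        "command": genrsa_command(seed),
    }
```

Because the seed file now holds the only copy of those 2048 device bytes, it should be deleted after genrsa has consumed it rather than reused for a second key.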
Re: How to use a hardware RNG with openssl?
F. wrote:
> Any way to collect only from HRNG? This can be a choice or not?
>
> e_os.h
>
>   #ifndef DEVRANDOM
>   /* set this to a comma-separated list of 'random' device files to try out.
>    * My default, we will try to read at least one of these files */
>   #define DEVRANDOM "/dev/random"
>   #endif

Yes, this will assure that additional entropy will be mixed in from /dev/random only. Please note that the OpenSSL internal PRNG will still be used; it is just the seed that is taken from specific sources. If you add seed explicitly, the part loaded via DEVRANDOM is only on top. We also add process ids, system time etc. for good measure, just to stir the pool, as "on top" does not hurt.

If you do not agree with this policy you can add engine code to provide the internally used random numbers according to your policy.

Best regards,
Lutz
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote:
> So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?

No. There is no such guarantee using any PRNG.

PRNGs provide a much higher bitrate than hardware RNGs or system sources of entropy. They use cryptographic hash functions to whiten data, i.e., these hash functions have the property that a change in a single bit of input changes, on average, half the output bits.

Presumably you want a source of nicely-distributed random bits which are computationally infeasible for another party to predict. If you want a security guarantee (reduction proof that if the PRNG is insecure, it implies SHA1 is insecure, etc.), then there are design and operational constraints to consider (e.g. generating only 2^N bits with 2^M bits of input from a RBG). Oh, and you'll have to supply the proof -- it's missing on all the commonly used PRNGs.

- Michael
Re: How to use a hardware RNG with openssl?
If the true random generator is in /dev/random, and I want to use only this device for random data using openssl.cnf:

  RANDFILE = /dev/random

Is this correct?

On Fri, 19-09-2008 at 23:21 +0200, Gerd Schering wrote:
> Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand.
>
> So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?
Re: How to use a hardware RNG with openssl?
Lutz Jaenicke wrote:
> Gerd Schering wrote:
>> Hello,
>> we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom.
>> So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as
>>
>>   openssl genrsa -rand /dev/qrandom 2048
>>
>> ?
>
> Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand.

So, if I get it right: we have a true random source to seed the PRNG and this produces true random numbers?

regards,
Gerd
Re: How to use a hardware RNG with openssl?
Gerd Schering wrote:
> Hello,
> we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom.
> So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as
>
>   openssl genrsa -rand /dev/qrandom 2048
>
> ?

Yes, it is sufficient. Please note that a source not having a definite EOF (End Of File) will lead to an infinite loop reading from the source. It may therefore be necessary to read a specified amount of entropy first into an intermediate file to be fed via -rand.

Note: if /dev/urandom is available, OpenSSL will read an additional amount of random bytes from it whether an explicit seed source is available or not. This however does not reduce the quality of the entropy provided by your source.

> I am not sure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG?

It is used to seed OpenSSL's internal PRNG.

Best regards,
Lutz
Re: How to use a hardware RNG with openssl?
* Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 14:22 +0200:
>> we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom.
>
> Note: if /dev/urandom is available, OpenSSL will read an additional amount of random bytes from it whether an explicit seed source is available or not. This however does not reduce the quality of the entropy provided by your source.
>
>> I am not sure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG?
>
> It is used to seed OpenSSL's internal PRNG.

This means the internal PRNG is seeded with /dev/urandom data, but it is not used at all and /dev/urandom is not used elsewhere (if an external entropy source is used) -- is this correct?

oki,
Steffen
Re: How to use a hardware RNG with openssl?
Steffen DETTMER wrote:
> * Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 14:22 +0200:
>>> we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom.
>>
>> Note: if /dev/urandom is available, OpenSSL will read an additional amount of random bytes from it whether an explicit seed source is available or not. This however does not reduce the quality of the entropy provided by your source.
>>
>>> I am not sure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG?
>>
>> It is used to seed OpenSSL's internal PRNG.
>
> This means the internal PRNG is seeded with /dev/urandom data, but it is not used at all and /dev/urandom is not used elsewhere (if an external entropy source is used) -- is this correct?

All random values used by OpenSSL, like keys generated with genrsa, are generated using OpenSSL's internal PRNG. This internal PRNG is seeded from different sources. These external sources can be provided explicitly (as with the -rand option of genrsa) or via RAND_add() within an application. As on several occasions people were given bad advice to abuse -rand or RAND_add() with bad entropy sources, we have decided to always add additional bytes from /dev/urandom if available on the system. OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with SHA-1, so the more bytes are mixed in, the better. At least it cannot hurt to add any input to it, as the entropy in the pool can never decrease by mixing in more bytes.

Best regards,
Lutz
Re: How to use a hardware RNG with openssl?
Hi,

thanks a lot for your detailed explanation.

* Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 16:46 +0200:
> OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with SHA-1, so the more bytes are mixed in, the better. At least it cannot hurt to add any input to it, as the entropy in the pool can never decrease by mixing in more bytes.

ok, I just think that at least the last sentence is not necessarily correct, namely when the entropy sources depend on each other. I guess if SHA-1 is assumed perfect here (and because of the kind of mix which is using it) it might be impossible to construct the data dependency in a way to abuse that, because no reversion of SHA-1 should be known, so practically no impact. But in another (general) case it could harm; for instance, in the worst case the mix function could be an XOR and the dependency of input sources could be a symbolic link, leading to infinite zeros as entropy. Of course this is very artificial, but maybe other dependencies could lead to a weakness of entropy when mixing it with dependent/derived entropy?

oki,
Steffen
Re: How to use a hardware RNG with openssl?
Steffen DETTMER wrote:
> * Lutz Jaenicke wrote on Fri, Sep 19, 2008 at 16:46 +0200:
>> OpenSSL's internal PRNG uses a 1024 byte pool mixing entropy with SHA-1, so the more bytes are mixed in, the better. At least it cannot hurt to add any input to it, as the entropy in the pool can never decrease by mixing in more bytes.
>
> ok, I just think that at least the last sentence is not necessarily correct, namely when the entropy sources depend on each other.

We assume independent sources here.

> I guess if SHA-1 is assumed perfect here (and because of the kind of mix which is using it) it might be impossible to construct the data dependency in a way to abuse that, because no reversion of SHA-1 should be known, so practically no impact. But in another (general) case it could harm; for instance, in the worst case the mix function could be an XOR and the dependency of input sources could be a symbolic link, leading to infinite zeros as entropy. Of course this is very artificial, but maybe other dependencies could lead to a weakness of entropy when mixing it with dependent/derived entropy?

This seems to be quite artificial. The logic behind it is a bit different: you can XOR any information into a random stream without reducing the entropy of the random stream: the stream will look different but it will be as unpredictable as before. The setup you describe here indeed has a systematic flaw in that XOR would kill off the entropy from the random stream... From the mathematical point of view the analysis should still be correct. As the XORed bytes would be the same as the random ones, the random ones would not contain entropy: they are predictably identical to the XORed bytes.

Having said this: the SHA-1'ed pool should be resistant to this problem.

Best regards,
Lutz

> oki,
> Steffen
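Steffen's thought experiment and Lutz's reply made concrete, as an added example that is not code from the thread or from OpenSSL. Two toy pools receive the same two "sources", the second being a byte-for-byte copy of the first (the symbolic-link dependency). The XOR pool cancels itself to all zeros, while a SHA-1 hash-chained pool, modelled only loosely on the 1024-byte pool Lutz describes and not OpenSSL's actual implementation, keeps its output as unpredictable as the first source alone. The primary source is `os.urandom`, a constructed stand-in for a genuine device; the entropy figure is a crude byte-histogram estimate, enough to separate "all zeros" from "looks random".

```python
import hashlib
import math
import os

# Added example, not code from the thread or from OpenSSL: XOR mixing versus
# hash-chained mixing when the second input is a copy of the first.

POOL_BYTES = 1024               # pool size Lutz gives for OpenSSL's internal PRNG
BLOCK = 20                      # SHA-1 digest size
SLOTS = POOL_BYTES // BLOCK     # 51 whole slots; the final 4 pool bytes stay unused


class XorPool:
    """Worst-case mixer from the thread: plain XOR into a fixed-size state."""

    def __init__(self):
        self.state = bytearray(POOL_BYTES)

    def add(self, data):
        for i, b in enumerate(data[:POOL_BYTES]):
            self.state[i] ^= b

    def bytes_out(self, n):
        return bytes(self.state * (n // POOL_BYTES + 1))[:n]


class HashPool:
    """Each 20-byte chunk of input is hashed together with the slot it lands
    on, so later input can change the state but cannot cancel earlier input."""

    def __init__(self):
        self.state = bytearray(POOL_BYTES)
        self.counter = 0

    def add(self, data):
        for off in range(0, len(data), BLOCK):
            pos = (self.counter % SLOTS) * BLOCK
            chunk = data[off:off + BLOCK]
            old = bytes(self.state[pos:pos + BLOCK])
            self.state[pos:pos + BLOCK] = hashlib.sha1(old + chunk).digest()
            self.counter += 1

    def bytes_out(self, n):
        out = bytearray()
        i = 0
        while len(out) < n:
            out += hashlib.sha1(bytes(self.state) + i.to_bytes(4, "big")).digest()
            i += 1
        return bytes(out[:n])


def byte_entropy(data):
    """Shannon entropy estimate in bits per byte from the byte histogram (8.0 max)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def dependent_source_demo(primary=None, out_len=4096):
    """Mix `primary` and an exact copy of it into both pools and return the
    entropy estimate of each pool's output."""
    if primary is None:
        primary = os.urandom(POOL_BYTES)        # constructed stand-in for the device
    copy_of_primary = bytes(primary)            # the 'symlinked' second source
    results = {}
    for name, pool in (("xor", XorPool()), ("hash", HashPool())):
        pool.add(primary)
        pool.add(copy_of_primary)
        results[name] = byte_entropy(pool.bytes_out(out_len))
    return results


def independent_source_demo(out_len=1024):
    """Same XOR pool with two independent inputs: here XOR is harmless, which is
    Lutz's point that the flaw is the dependency, not XOR as such."""
    pool = XorPool()
    pool.add(os.urandom(POOL_BYTES))
    pool.add(os.urandom(POOL_BYTES))
    return byte_entropy(pool.bytes_out(out_len))
```

`dependent_source_demo()` returns 0.0 bits per byte for the XOR pool and close to 8 for the hash pool; `independent_source_demo()` shows the XOR pool itself is fine when its inputs are independent, which is exactly the assumption Lutz states.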
Re: How to use a hardware RNG with openssl?
Hello,

[EMAIL PROTECTED] wrote on 09/09/2008 10:20:48 AM:
> Hello,
> we purchased a hrng for the generation of RSA keys for instance. It is a USB device and shows up as /dev/qrandom.
> So, in order to generate rsa keys, is it sufficient to use it as a replacement for /dev/urandom and to call genrsa as
>
>   openssl genrsa -rand /dev/qrandom 2048
>
> ?
>
> I am not sure about the role of /dev/urandom: does it deliver a (pseudo) random number or the salt for the PRNG?

Salt (32 bytes) for the PRNG

Best regards,
--
Marek Marcola [EMAIL PROTECTED]