It may have been unreliable; our version isn't. We hook the RNG callbacks and direct them into our own code. That makes some sense of why OpenSSL hasn't fixed those problems, but that probably should be done now that you have decent DRBGs.

As for the prime generation, I'll try to dig up a reference, but I'd put relying on a NIST DRBG solely for RSA key generation on the list of things to avoid.

i.e. a few months back, assuming everything was working, you'd have picked the strongest DRBG (Dual-EC) and generated server keys from that.

As a sequence generator those DRBGs are very good, and I don't think anything but Dual-EC has real problems, but seriously, you have to ask why you want real entropy for generating long-lived keys rather than a sequence generator, particularly a NIST-specified one?

FIPS 186-4 (page 23) states an approved (pseudo) random generator shall be used, the wording implies either. Running a DRBG in prediction resistance mode (continual reseed) satisfies the criteria (mainly the approved bit), AND calms my paranoia, but doesn't help you with the entropy rate issues.


Peter
-----owner-openssl-...@openssl.org wrote: -----
To: openssl-dev@openssl.org
From: Joseph Birr-Pixton
Sent by: owner-openssl-...@openssl.org
Date: 05/27/2014 07:14PM
Subject: Re: Prime generation

On 27 May 2014 08:45, Peter Waltenberg <pwal...@au1.ibm.com> wrote:
> ...
> I did change the RNG sources for some of the OpenSSL code in our hacked
> version to help with the performance problems using the wrong source causes,
> for example RSA blinding data can safely come from a DRBG
> (pseudo_rand_bytes()).

I assume you mean RAND_pseudo_bytes. In which case you should know
that RAND_pseudo_bytes has a broken interface and cannot ever be used
safely in a way which makes it different from RAND_bytes.

To restate:

Callers of RAND_pseudo_bytes are either unreliable, or equivalent to
RAND_bytes. Do not use it.

Cheers,
Joe
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
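The two behaviours argued over in this thread, a DRBG being a pure sequence generator once seeded and the "prediction resistance" (continual reseed) mode that pulls fresh entropy before every request, as an added example that is not part of the original messages or of OpenSSL's code. It is a minimal HMAC_DRBG (NIST SP 800-90A, section 10.1.2) over SHA-256 written for this page; the class and helper names, the reseed interval constant, the constructed fixed-byte "entropy" source and the counting wrapper around os.urandom are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os

RESEED_INTERVAL = 1 << 20   # requests between mandatory reseeds (assumed value; spec caps it at 2**48)
SEC_BYTES = 32              # entropy pulled per seed/reseed for SHA-256 (256-bit strength)


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A, 10.1.2) over SHA-256.

    entropy_source(n) must return n bytes from a live entropy source.
    With prediction_resistance=True every generate() call reseeds from
    that source first: the "continual reseed" mode discussed above.
    """

    def __init__(self, entropy_source, nonce=b"", personalization=b"",
                 prediction_resistance=False):
        self.entropy_source = entropy_source
        self.prediction_resistance = prediction_resistance
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        # Instantiate: seed_material = entropy_input || nonce || personalization_string
        self._update(entropy_source(SEC_BYTES) + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: fold provided_data into the working state (K, V)
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, additional_input=b""):
        self._update(self.entropy_source(SEC_BYTES) + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes, additional_input=b""):
        if self.prediction_resistance or self.reseed_counter > RESEED_INTERVAL:
            # Fresh entropy enters the state before this request's output exists,
            # so a captured earlier state does not predict these bytes.
            self.reseed(additional_input)
            additional_input = b""
        elif additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)   # post-generation state transition
        self.reseed_counter += 1
        return out[:n_bytes]


def fixed_source(byte_value):
    """Constructed, NON-random 'entropy' source returning the same bytes every call.
    Only here to show that a seeded DRBG is a deterministic sequence generator."""
    return lambda n: bytes([byte_value]) * n


class CountingSource:
    """Wraps os.urandom and counts how often the DRBG actually reads entropy."""

    def __init__(self):
        self.calls = 0

    def __call__(self, n):
        self.calls += 1
        return os.urandom(n)


def same_seed_same_output(n_bytes=64):
    """Two instances given identical seed material emit identical streams."""
    a = HmacDrbg(fixed_source(0x2A), personalization=b"server-key")
    b = HmacDrbg(fixed_source(0x2A), personalization=b"server-key")
    return a.generate(n_bytes) == b.generate(n_bytes)


def entropy_pulls(prediction_resistance, requests=2):
    """Number of entropy-source reads after `requests` generate() calls
    (1 for instantiation, plus one per request when prediction resistance is on)."""
    src = CountingSource()
    drbg = HmacDrbg(src, prediction_resistance=prediction_resistance)
    for _ in range(requests):
        drbg.generate(16)
    return src.calls


if __name__ == "__main__":
    print("identical seed gives identical output:", same_seed_same_output())
    print("entropy reads without prediction resistance:", entropy_pulls(False))
    print("entropy reads with prediction resistance:", entropy_pulls(True))
```

The first helper is the "sequence generator" point: whatever the DRBG's internal quality, a long-lived key derived from it is only as unpredictable as the seed material that went in. The second shows what prediction-resistance mode costs and buys: every request touches the entropy source, which is why it does nothing for an entropy-rate problem even though it removes the single-seed dependency. This code is a structural illustration; before using an HMAC_DRBG implementation for anything real, check it against the CAVP HMAC_DRBG known-answer vectors, which the checks here do not replace.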
