Hi,

I was hoping someone could give information about the limitations of the 
RAND_pseudo_bytes function based on its implementation, or links to any papers 
that have examined its limitations. I looked at the code (I don't know which 
version) in July of 2012, so I am also interested in how the situation has 
changed since then. Based on looking at the source code, I came to the 
following conclusions (which may or may not be correct):

1) if OpenSSL is configured to use the MD PRNG (default) with SHA1 (in 
openssl/crypto/rand/md_rand.c), the collisions are between 2^80 and 2^51 
(http://eprint.iacr.org/2008/469.pdf 
http://en.wikipedia.org/wiki/Cryptographic_hash_function#Cryptographic_hash_algorithms).
2) if OpenSSL was compiled in FIPS mode, it uses ANSI X9.31 RNG and would have 
collisions based on 3DES (not sure how often collisions happen then).

Also, my understanding is that RAND_bytes collisions should be driven by 
entropy sources, but if there were any papers that showed what the collisions 
should be in practice based on common entropy input, that would be interesting. 
I am wondering what the performance of RAND_bytes is in practice, based on 
theory.

Thanks,
Michael
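The "2^80" figure in point 1 is the generic birthday bound for a 160-bit output space: any generator whose outputs are indistinguishable from uniform n-bit values is expected to repeat one after roughly 2^(n/2) draws, independently of how it is seeded. The following Python is an added example written for this page, not code from the thread or from OpenSSL: it computes that bound and the collision probability for a given number of draws, and then checks the rule empirically on a deterministic counter-mode SHA-1 stream truncated to a toy width so that a repeat actually shows up. The seed bytes and the truncation width are constructed for the demonstration; the stream is a stand-in for a hash-based PRNG, not a model of md_rand.c.

```python
"""Birthday-bound arithmetic for n-bit PRNG outputs, with an empirical check.

Added example (not from the original mailing-list thread). It shows why an
output space of 2^160 values (SHA-1 sized) yields an expected first collision
around 2^80 draws, and confirms the rule on SHA-1 output truncated to a toy
width. The seed below is constructed for the demonstration.
"""
import hashlib
import math


def expected_draws_to_collision(n_bits: int) -> float:
    """Expected number of uniformly random n-bit values drawn before the
    first repeat: sqrt(pi/2 * 2^n), i.e. about 1.25 * 2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2.0 ** n_bits)


def collision_probability(k: int, n_bits: int) -> float:
    """Probability that k uniformly random n-bit values contain at least one
    repeat, using the standard approximation 1 - exp(-k^2 / 2^(n+1))."""
    return 1.0 - math.exp(-(k * k) / 2.0 ** (n_bits + 1))


def truncated_sha1_stream(seed: bytes, width_bits: int, count: int):
    """Yield (index, value) pairs from a deterministic counter-mode SHA-1
    stream truncated to width_bits. Toy stand-in for a hash-based PRNG
    (constructed for this example, not OpenSSL's md_rand.c); the truncation
    only makes a collision reachable in a short run."""
    mask = (1 << width_bits) - 1
    for i in range(count):
        digest = hashlib.sha1(seed + i.to_bytes(8, "big")).digest()
        yield i, int.from_bytes(digest[:8], "big") & mask


def first_collision(seed: bytes, width_bits: int, limit: int):
    """Return (i, j, value) for the first pair of indices i < j whose
    truncated outputs coincide, or None if no repeat occurs within
    `limit` draws."""
    seen = {}
    for i, value in truncated_sha1_stream(seed, width_bits, limit):
        if value in seen:
            return seen[value], i, value
        seen[value] = i
    return None


if __name__ == "__main__":
    # Full-width figures for a 160-bit output space.
    print("expected draws to first collision, 160-bit output: 2^%.2f"
          % math.log2(expected_draws_to_collision(160)))
    print("P(collision) after 2^80 draws of 160-bit output: %.3f"
          % collision_probability(2 ** 80, 160))
    # Toy-width run: 24-bit outputs should repeat after roughly 2^12 draws.
    hit = first_collision(b"constructed-demo-seed", 24, 1 << 16)
    print("24-bit toy stream: first collision at indices", hit[:2],
          "(expected around 2^%.2f draws)"
          % math.log2(expected_draws_to_collision(24)))
```

The arithmetic is what a reviewer actually wants from the "2^80" claim: for a 160-bit output, 2^80 draws give only about a 39% chance of any repeat, and seeing a repeat much earlier than the bound predicts would be evidence of a weak generator or of a seeding problem rather than of the hash itself.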
