[openssl-users] RNG behavior by default

2019-01-03 Thread Mike Blaguszewski
I am using the EVP API (version 1.1.1) for performing public key and symmetric 
key operations across a variety of platforms (macOS, Windows, Linux, iOS and 
Android). I am currently not doing anything to explicitly seed OpenSSL’s random 
number generator. My understanding is that the default behavior should be 
cryptographically secure.

So my concerns are:
1. Whether I really can count on getting a high-entropy PRNG across these 
various platforms, without any explicit initialization.
2. If something goes wrong with PRNG initialization, that it will fail hard 
rather than fall back to something less secure. And if so how I detect such a 
failure.

Our current implementation uses libsodium, which relies on the usual system 
calls to generate entropy, so if I can count on OpenSSL always doing this then 
I’m happy. 

Thanks,
Mike
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Problems with deriving EC public key from private

2018-12-17 Thread Mike Blaguszewski
On Dec 17, 2018, at 11:42 PM, Billy Brumley wrote:
> 
> But 0.4% is suspiciously close to 1/256, so I'm willing to bet your
> problem surrounds your size assumptions in various functions. Check
> the manpage of e.g. EC_POINT_point2oct and grep for usage in the
> library, but the idea is to pass NULL first, then malloc, then pass
> that pointer. BN_bn2bin is different. Probably the size won't be fixed
> (e.g., there is a 1/256 chance you'll have one byte less, i.e. leading
> zero).

Thanks so much! That was exactly it. Switching from BN_bn2bin() to 
EC_KEY_priv2oct() resolves the problem. (As does BN_bn2binpad(), but using the 
more standard binary format seems preferable.) I will also look into 
pre-flighting the calls with a NULL buffer.

Mike

P.S. not sure why it crashed for you, but I’d guess some combination of 
different OpenSSL versions and an error return being ignored by the sample 
code. I appreciate you taking a look despite that.
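The size issue resolved in this thread, as an added example that is not from the original posts or the attached ec_key_example.cxx: it models in plain C, without linking OpenSSL, the minimal-length output of BN_bn2bin() against the fixed-width output of BN_bn2binpad(), and counts how often a reader that assumes 32 bytes gets a different scalar back. The helper names, the fixed-size reader and the test scalars are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCALAR_LEN 32 /* size of a P-256 private scalar in bytes */

/* Minimal-length big-endian output, the behaviour of BN_bn2bin():
 * leading zero bytes are dropped. Returns the number of bytes written. */
static size_t encode_minimal(const uint8_t *val, uint8_t *out) {
    size_t skip = 0;
    while (skip < SCALAR_LEN && val[skip] == 0) skip++;
    memcpy(out, val + skip, SCALAR_LEN - skip);
    return SCALAR_LEN - skip;
}

/* Fixed-width output, the behaviour of BN_bn2binpad(): left-pad with
 * zeros to exactly out_len bytes. Returns -1 if the value does not fit. */
static int encode_padded(const uint8_t *val, uint8_t *out, size_t out_len) {
    uint8_t tmp[SCALAR_LEN];
    size_t n = encode_minimal(val, tmp);
    if (n > out_len) return -1;
    memset(out, 0, out_len - n);
    memcpy(out + (out_len - n), tmp, n);
    return (int)out_len;
}

/* Hypothetical caller: writes val into a SCALAR_LEN buffer and reads all
 * SCALAR_LEN bytes back. Returns 1 if the value survives the round trip. */
static int roundtrip_ok(const uint8_t *val, int padded) {
    uint8_t buf[SCALAR_LEN] = {0};
    if (!padded) encode_minimal(val, buf); /* returned length ignored: the bug */
    else if (encode_padded(val, buf, sizeof buf) < 0) return 0;
    return memcmp(buf, val, SCALAR_LEN) == 0;
}

/* Constructed test data: every value of the top two bytes, tail 0xA5. */
static unsigned count_failures(int padded) {
    unsigned bad = 0;
    for (unsigned hi = 0; hi < 65536; hi++) {
        uint8_t v[SCALAR_LEN];
        memset(v, 0xA5, sizeof v);
        v[0] = (uint8_t)(hi >> 8); v[1] = (uint8_t)hi;
        bad += !roundtrip_ok(v, padded);
    }
    return bad;
}

int main(void) {
    printf("minimal %u, padded %u failures\n", count_failures(0), count_failures(1));
}
```

The minimal encoding fails for exactly the scalars whose top byte is zero, which is 1 in 256 of uniformly distributed keys and matches the roughly 0.4% rate reported in the thread.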


[openssl-users] Problems with deriving EC public key from private

2018-12-17 Thread Mike Blaguszewski
Some code of mine reads a NIST P256 private key from bytes and derives the 
public key from it, and this derived public key is incorrect about 0.4% of the 
time. I’ve attached a sample program that does the following.

1. Generate a key-pair of type NID_X9_62_prime256v1
2. Write the public and private components to memory
3. Read the private key back from memory, derive the public key, and write that 
back out.
4. Compare this “round-tripped” public key to the public key generated in step 
2.

The public key from step 2 almost always matches the public key from step 3, 
but about 0.4% of the time they will differ. (The sample program runs a loop to 
determine this.) Further experiments suggest it’s the private_key_from_binary() 
function that is the problem, where I derive the public key using 
EC_POINT_mul(). The sample program omits error checking, but in the production 
code no errors are reported.

Does anyone see a flaw in my logic, especially in how I’m deriving the public 
key from the private key? Also let me know if this would be better submitted as 
a GitHub issue, or even if it needs to be handled as a paid support request.

Thanks,
Mike



ec_key_example.cxx
Description: Binary data