Re: [openssl-dev] Plea for a new public OpenSSL RNG API
I like this PR. Thank you! > On Sep 3, 2017, at 17:53, Dr. Matthias St. Pierre >wrote: > >> >> The 'RAND_add()/RAND_bytes()' pattern is broken >> === >> >> In OpenSSL, the classical way for the RNG consumer to add his own randomness >> is to call 'RAND_add()' before >> calling 'RAND_bytes()'. If the new 'RAND_OpenSSL()' method (the >> "compatibility layer" hiding the public >> RAND_DRBG instance) is the default, then this does not work as expected >> anymore: >> >> The reason is that a call to 'RAND_add()' adds the provided randomness only >> to a global buffer >> ('rand_bytes'), from which it will be pulled during the next reseed. But no >> reseed is triggered. So the next >> RAND_bytes() call will be unaffected from the RAND_add(), which is not what >> the consumer expected. (The same >> holds for 'RAND_seed()', since 'drbg_seed()' only calls into 'drbg_add()') >> >> Reseeding of DRBGs occurs only at the following occasions: >> >> * immediately after a 'fork()' (new) >> * if the 'reseed_counter' exceeds the 'reseed_interval' >> * if 'RAND_DRBG_generate()' is called requesting 'prediction_resistance' >> * 'RAND_DRBG_reseed()' is called explicitely >> >> *Note:* Currently it looks like the situation is even worse: if 'RAND_add()' >> is called multiple times before >> a reseed occurs, then the result of the previous call is overwritten. > > > I just posted GitHub PR #4328 related to this issue > > [openssl/openssl] WIP: Fix the RAND_add() reseeding issue (#4328) > > > Matthias St. Pierre -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> > The 'RAND_add()/RAND_bytes()' pattern is broken > === > > In OpenSSL, the classical way for the RNG consumer to add his own randomness > is to call 'RAND_add()' before > calling 'RAND_bytes()'. If the new 'RAND_OpenSSL()' method (the > "compatibility layer" hiding the public > RAND_DRBG instance) is the default, then this does not work as expected > anymore: > > The reason is that a call to 'RAND_add()' adds the provided randomness only > to a global buffer > ('rand_bytes'), from which it will be pulled during the next reseed. But no > reseed is triggered. So the next > RAND_bytes() call will be unaffected from the RAND_add(), which is not what > the consumer expected. (The same > holds for 'RAND_seed()', since 'drbg_seed()' only calls into 'drbg_add()') > > Reseeding of DRBGs occurs only at the following occasions: > > * immediately after a 'fork()' (new) > * if the 'reseed_counter' exceeds the 'reseed_interval' > * if 'RAND_DRBG_generate()' is called requesting 'prediction_resistance' > * 'RAND_DRBG_reseed()' is called explicitely > > *Note:* Currently it looks like the situation is even worse: if 'RAND_add()' > is called multiple times before > a reseed occurs, then the result of the previous call is overwritten. I just posted GitHub PR #4328 related to this issue [openssl/openssl] WIP: Fix the RAND_add() reseeding issue (#4328) Matthias St. Pierre smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
To access a PKCS#11 randomness source, it would be necessary to have an engine that implemented whatever new RNG API is defined which in turn talks to the P11 device. Possibly not ideal but workable. As for the entropy argument to RAND_add et al, the callee will use it in a manner suitable to it. For a DRBG, the buffer will likely be added as additional data and the argument ignored. Other RNGs could use it differently. NIST 800-90B 3.1.5.1.2 specifies the minimum amount of entropy that must be input in order achieve a desired output. In this case the RNG would accumulate the entropy arguments until it achieves the requisite level. The trust issue is both harder and easier. I agree completely that working out if you trust the assessed entropy or not is an incredibly difficult (impossible) task. However, we're a library and the user is telling us what _they_ trust. It isn't OpenSSL's place to try to second guess this, issue a warning at best. We don't stop users choosing poor passwords, using zero as an IV or generating a sixteen bit RSA key. As for the new RNG engine API, I've been considering the benefits of having two calls: one to get random bytes, the other to request entropy. The first can be whitened or produced by a DRBG etc, the second also returns an estimate as to the quality. Essentially the difference between RDRAND and RDSEED. Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia -Original Message- From: Blumenthal, Uri - 0553 - MITLL [mailto:u...@ll.mit.edu] Sent: Thursday, 31 August 2017 12:27 AM To: openssl-dev@openssl.org Subject: Re: [openssl-dev] Plea for a new public OpenSSL RNG API On 8/30/17, 00:59, "openssl-dev on behalf of Paul Dale" <openssl-dev-boun...@openssl.org on behalf of paul.d...@oracle.com> wrote: >My thoughts are that the new RNG API should be made public once it has >been properly designed. We've a chance to get this right, let's take the > time >and make an effort to do so. There is no rush. Not quite. If there is an RNG involved in generating long-term keys now – users better be able to control/affect it now. > I also feel that having an engine interface to the new RNG API is > worthwhile. +1 > It allows hardware sources to be used via the same API. I rather doubt this. For example, my smartcard (accessible via PKCS#11) is a hardware source, which I occasionally use. How do you see it used with the same API? >I would like to see an entropy argument to the equivalent to RAND_add. > Anyone is welcome to always pass zero in but there should be the option to > not. > Consider an hardware source with _provable_ output quality, why shouldn't > it be > allowed to meaningfully contribute? What’s the purpose of passing the entropy argument? How is the callee (the RNG) going to use it? Why should the OpenSSL code in general trust the received value (how can OpenSSL tell that the received randomness is indeed from a hardware source with provable output quality)? Finally, what does it matter? And they all “meaningfully contribute”. The only question is whether this contribution should prevent RNG from acquiring more entropy from other sources. My opinion is resounding no. > I like the idea of two independent global RNGs. +1 ;-) > This does increase seeding requirements however. If you can seed one, you can seed two. -Original Message- From: Dr. Matthias St. Pierre [mailto:matthias.st.pie...@ncp-e.com] Sent: Tuesday, 29 August 2017 7:45 PM To: openssl-dev@openssl.org Subject: [openssl-dev] Plea for a new public OpenSSL RNG API Hi everybody, on the [openssl-dev] mailing list, there has been a long ongoing discussion about the new RAND_DRBG API and comparing it with the old RAND_METHOD API (see "[openssl-dev] Work on a new RNG for OpenSSL"). Two of the most controversal questions were: - Do we really need a new RNG API? Should the RAND_DRBG API be made public or kept private? (Currently, it's exported from libcrypto but only used internally by libssl.) - How much control should the user (programmer) be given over the reseeding process and/or should he be allowed to add his own additional randomness? Many developers seem to be realizing the interesting possibilities of the DRBG API and are asking for public access to this new and promising API. One of the driving forces behind it is the question about how to do seeding and reseeding right. Among others, Uri Blumenthal asked for making the DRBG API public. Currently, the OpenSSL core members seem to be reluctant to make the API public, at least at this early stage. I understand Rich Salz's viewpoint that this requires a thorough discussion, because a public interface can't be easil
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> -Ursprüngliche Nachricht- > Von: openssl-dev [mailto:openssl-dev-boun...@openssl.org] Im Auftrag von > Blumenthal, Uri - 0553 - MITLL > Gesendet: Mittwoch, 30. August 2017 17:23 > An: openssl-dev@openssl.org > Betreff: Re: [openssl-dev] Plea for a new public OpenSSL RNG API > > ... > > The only tricky part was to deal with temporary failures of the entropy > > source. > > Did you experience that often? How did you deal with it? > 1) If the SmartCard is missing when our VPN service starts at boot time, the initial instantiation of the DRBG fails. This error is ignored, the DRBG remains uninstantiated. 2) If the SmartCard is pulled after the VPN connection is established and a rekey occurs, the DRBG fails, because it pulls entropy on every generate request and the entropy source fails. The NIST standard demands that this is a fatal error and the DRBG has to be uninstantiated. So we uninstantiate and our custom drbg_bytes() returns an error, which leads to a VPN disconnect. In order to account for 1) and 2), in our custom drbg_bytes() implementation 3) we do a just-in-time (re-)instantiation of the DRBG before calling RAND_DRBG_generate(). Note that everything said above applies to the legacy setup of libcrypto 1.0.2x with FIPS DRBG. In the future, we would use RAND_DRBG_generate() directly. Regards, Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
>> I would do exactly the opposite. “Normal” entropy is fetched from the default sources (/dev/urandom). But >> when a sensitive (aka long-term) keys are generated, a (portable :) hardware RNG is plugged in and used with >> RAND_add() equivalent. Reason – in my setup reliable trusted hardware RNG is not always on. If it were, I’d >> use it as the main entropy source and be done with it. > >In general, I would agree with you. In our case, it was a requirement of the > government to trust only the SmartCard RNG. Since we use it for VPN > connections with SmartCard authentication this was no problem, because > the SmartCard must be present in order to initiate the IKEv2 exchange. Ah, that makes a lot of difference. > The only tricky part was to deal with temporary failures of the entropy > source. Did you experience that often? How did you deal with it? smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> > We have a similar situation, on a small hardware device with little > own entropy > > but with a smartcard reader. > > Yes, but in most cases you cannot count on the smartcard (or smartcard-like > device) being in the reader. > Which is why in my opinion this is an ideal case for “additional input” > source, but rather poor as the > “main” entropy source. > > ... > >> We implemented a get_entropy() call which fetches the entropy via > PKCS#11, and >> modified the rand_method such that RAND_DRBG_generate() is always > called with >> prediction_resistance=1. So every generate() triggers a reseed(), the > entropy is fetched >> from the smartcard and it is immediately postprocessed by the AES-CTR > DRBG. >> The /dev/urandom device was only used as additional input. >> So we didn't feel the need for an extra API call. > > I would do exactly the opposite. “Normal” entropy is fetched from the default > sources (/dev/urandom). But > when a sensitive (aka long-term) keys are generated, a (portable :) hardware > RNG is plugged in and used with > RAND_add() equivalent. Reason – in my setup reliable trusted hardware RNG is > not always on. If it were, I’d > use it as the main entropy source and be done with it. In general, I would agree with you. In our case, it was a requirement of the government to trust only the SmartCard RNG. Since we use it for VPN connections with SmartCard authentication this was no problem, because the SmartCard must be present in order to initiate the IKEv2 exchange. The only tricky part was to deal with temporary failures of the entropy source. Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 8/30/17, 00:59, "openssl-dev on behalf of Paul Dale"wrote: >My thoughts are that the new RNG API should be made public once it has >been properly designed. We've a chance to get this right, let's take the > time >and make an effort to do so. There is no rush. Not quite. If there is an RNG involved in generating long-term keys now – users better be able to control/affect it now. > I also feel that having an engine interface to the new RNG API is > worthwhile. +1 > It allows hardware sources to be used via the same API. I rather doubt this. For example, my smartcard (accessible via PKCS#11) is a hardware source, which I occasionally use. How do you see it used with the same API? >I would like to see an entropy argument to the equivalent to RAND_add. > Anyone is welcome to always pass zero in but there should be the option to > not. > Consider an hardware source with _provable_ output quality, why shouldn't > it be > allowed to meaningfully contribute? What’s the purpose of passing the entropy argument? How is the callee (the RNG) going to use it? Why should the OpenSSL code in general trust the received value (how can OpenSSL tell that the received randomness is indeed from a hardware source with provable output quality)? Finally, what does it matter? And they all “meaningfully contribute”. The only question is whether this contribution should prevent RNG from acquiring more entropy from other sources. My opinion is resounding no. > I like the idea of two independent global RNGs. +1 ;-) > This does increase seeding requirements however. If you can seed one, you can seed two. -Original Message- From: Dr. Matthias St. Pierre [mailto:matthias.st.pie...@ncp-e.com] Sent: Tuesday, 29 August 2017 7:45 PM To: openssl-dev@openssl.org Subject: [openssl-dev] Plea for a new public OpenSSL RNG API Hi everybody, on the [openssl-dev] mailing list, there has been a long ongoing discussion about the new RAND_DRBG API and comparing it with the old RAND_METHOD API (see "[openssl-dev] Work on a new RNG for OpenSSL"). Two of the most controversal questions were: - Do we really need a new RNG API? Should the RAND_DRBG API be made public or kept private? (Currently, it's exported from libcrypto but only used internally by libssl.) - How much control should the user (programmer) be given over the reseeding process and/or should he be allowed to add his own additional randomness? Many developers seem to be realizing the interesting possibilities of the DRBG API and are asking for public access to this new and promising API. One of the driving forces behind it is the question about how to do seeding and reseeding right. Among others, Uri Blumenthal asked for making the DRBG API public. Currently, the OpenSSL core members seem to be reluctant to make the API public, at least at this early stage. I understand Rich Salz's viewpoint that this requires a thorough discussion, because a public interface can't be easily changed and wrong decisions in the early phase can become a heavy burdon. Nevertheless, I agree with Uri Blumenthal that the DRBG API should be made public. So here comes my == Plea for a new public OpenSSL RNG API: == The new RAND_DRBG is the superior API. It shouldn't be kept private and hidden behind the ancient RAND_METHOD API. The philosophy of the two APIs is not very well compatible, in particular when it comes to reseeding and adding additional unpredictable input. Hiding the RAND_DRBG behind the RAND_METHOD API only causes problems. Also, it will force people to patch their OpenSSL copy if they want to use the superior API. The RAND_DRBG API should become the new public OpenSSL RNG API and the old RAND_METHOD API should be deprecated in the long run. This transition does not need to be rushed, but it would be good if there would be early consent on the road map. I am thinking of a smooth transition with a phase of coexistence and a compatibility layer mapping the default RAND_METHOD to the default public RAND_DRBG instance. (This compatibility layer already exists, it's the 'RAND_OpenSSL()' method.) Historical Background = As Rich already mentioned in his blog post, the RAND_DRBG isn't new. It's been a part of OpenSSL for a long time, hidden in the FIPS 2.0 Object Module. I have been working with the FIPS DRBG for quite a while now, using a FIPS-capable OpenSSL 1.0.2x crypto library. The reason why our company switched to the FIPS DRBG is that one of our products runs on a small hardware device which does not have a reliable
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> -Ursprüngliche Nachricht- > Von: openssl-dev [mailto:openssl-dev-boun...@openssl.org] Im Auftrag von Matt > Caswell > Gesendet: Dienstag, 29. August 2017 16:36 > An: openssl-dev@openssl.org > Betreff: Re: [openssl-dev] Plea for a new public OpenSSL RNG API > > > > On 29/08/17 15:02, Salz, Rich via openssl-dev wrote: > > > > dev asap. If there are problems with it we can always revert it before > > it makes it into a release. > > > > Someone on the OMC called that “flip-flopping” and seemed to be against > > this kind of thing. > > > > If we are going to have an additional API, then we should at least see a > > draft of the header file first. > > Matthias, would you be willing to create such a draft as a github PR > (marked as WIP for now)? > > Matt Oh thanks, that's a great honor to be asked to do this. I will give it a thought. Currently, the RAND_add()/RAND_bytes() problem needs to fixed first, so it will take a little while. Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> I realize that reseed() not only mixes my “additional input” but also > replaces the entire state. NIST does > not specify interface to “just” mix the “additional input” into the state > without replacing the whole state > with some fresh entropy by calling Get_entropy_input(). Maybe we can provide > such a function call (that’s > what I think RAND_add() is supposed to do), but I’m not certain here… The reseed() operation pulls fresh entropy, but the old state is not discarded. Instead, the fresh entropy is mixed in, just like the additional input (and the reseed_counter is reset). Have a look at ctr_update() and ctr_df() and you will see that the 'entropy' and the 'adin' input are treated the same way to change the internal state. The derivation function treats 'entropy' and 'adin' equally, it's just a difference in interpretation (trusted vs. untrusted randomness). The NIST document has also a lot of nice graphics to explain the inner workings. This helped me a lot to understand the details. Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
>> I *don’t want* OpenSSL to make *any* estimation of the amount of provided >> entropy. All I want it to do is to mix these bits into the RNG state. It’s >> *my* business how much entropy I’m providing – but I don’t want OpenSSL to >> make any decision regarding pull from other entropy sources based on my >> input. >> >> Does it sound reasonable? (He, it does to me ;) > > But that is not the API that RAND_add() provides. Yes, I realize that, sort of. But nonetheless, that’s the interface/behavior that I think an RNG should offer. > It's a push not > a pull API. With the DRBG you can do this, assuming using it's an > extraction / derivative function. Not sure I understand. But “…you can do this…” sounds encouraging. ;-) > One of the suggestions I did before is to have RAND_poll_ex() take > a parameter about how much randomness is needed, but I think it's > also a wrong API and I'm thinking about removing it. There are two aspects: The RNG itself keeping track of how much entropy it has in its pool/state, and thus when to pull its (standard) entropy sources for more (and specifically for how much more). I don’t want to interfere with this part. The user-visible/accessible interface to RNG that allows: Forcing the “reseed”, making the RNG to to its sources for “fresh” entropy regardless of what’s up with its internal state; Telling the RNG to immediately mix the given bits into its state, without adjusting its count of available/present entropy. >> If I had my way, you’d assume that every bit contains 0 bits of entropy, but >> mix it in regardless because that’s what the user is asking you to do. > > Which is why I suggested we use this for the additional data. Yes, precisely. That’s exactly what I plan to use this interface for - mixing in additional data. NIST 800-90A Rev1 has “additional input” only as part of Reseed() or Generate(). I can live with that (i.e., with the fact that right before my randomness is mixed in, the entire state s replaced). Though ideally we’d have “RAND_add_ex()” or such that does not require replacing the entire state with fresh data from entropy source (because if that capability is needed, it is easy to emulate by issuing two calls: “Reseed(); Add_ex();" > But > I think that as long as we have both APIs we might actually need > it for the entropy input. If there is no other way to add > randomness, RAND_add() is our current documented way to add it, > and it will need to keep working. It’s perfectly OK for me if RAND_add() keeps working. What I’d like to change about it is exactly when the mixing occurs. I’d like the state updated immediately upon RAND_add(), not when the RNG in question decides that it needs to replenish its entropy supply. I think this change would only improve security of applications that use it. TNX!-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
➢ > Sure I can. Because the DRBG seeds from the system anyway ➢ You can't assume that will work for all users. And for places where the systesm doen’t have enough randomness, there is nothing we can do. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On Tue, Aug 29, 2017 at 08:38:09PM +, Blumenthal, Uri - 0553 - MITLL wrote: > > If, based on its value, OpenSSL may decide that it now got “enough” entropy > > and doesn’t need to > > pull more from other sources before serving randomness to requestors – then > > it is harmful. > > “Over-confidence” in this value by the caller can negatively impact the > > quality of the produced > > random numbers. > > As long as you have sources that don't provide 1 bit of randomness > per bit that you provide you need to have an estimate of how much > randomness it really contains. And you should probably seriously > underestimate it so that you're sure that you collect enough. > > So let me underestimate it to 0. ;-) > > The problem with ignoring an existing parameter is that people > could be calling it with for instance the value of 0, knowing it > contains as good as none entropy. Or they could feed the unwithened > output of an TRNG in that with an estimate of randomness it provides. > And OpenSSL used to do the right thing with that. > > I *don’t want* OpenSSL to make *any* estimation of the amount of provided > entropy. All I want it to do is to mix these bits into the RNG state. It’s > *my* business how much entropy I’m providing – but I don’t want OpenSSL to > make any decision regarding pull from other entropy sources based on my input. > > Does it sound reasonable? (He, it does to me ;) But that is not the API that RAND_add() provides. It's a push not a pull API. With the DRBG you can do this, assuming using it's an extraction / derivative function. One of the suggestions I did before is to have RAND_poll_ex() take a parameter about how much randomness is needed, but I think it's also a wrong API and I'm thinking about removing it. > But now we just ignore it and assume every bit with get contains 1 > bit of randomness and we're sundenly seriously overestimating the > amount of randomness we're getting. > > If I had my way, you’d assume that every bit contains 0 bits of entropy, but > mix it in regardless because that’s what the user is asking you to do. Which is why I suggested we use this for the additional data. But I think that as long as we have both APIs we might actually need it for the entropy input. If there is no other way to add randomness, RAND_add() is our current documented way to add it, and it will need to keep working. Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
➢ But now we just ignore it and assume every bit with get contains 1 ➢ bit of randomness and we're sundenly seriously overestimating the ➢ amount of randomness we're getting. This is a documented public API, ➢ you can't just go and ignore this parameter. Sure I can. Because the DRBG seeds from the system anyway -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> If, based on its value, OpenSSL may decide that it now got “enough” entropy > and doesn’t need to > pull more from other sources before serving randomness to requestors – then > it is harmful. > “Over-confidence” in this value by the caller can negatively impact the > quality of the produced > random numbers. As long as you have sources that don't provide 1 bit of randomness per bit that you provide you need to have an estimate of how much randomness it really contains. And you should probably seriously underestimate it so that you're sure that you collect enough. So let me underestimate it to 0. ;-) The problem with ignoring an existing parameter is that people could be calling it with for instance the value of 0, knowing it contains as good as none entropy. Or they could feed the unwithened output of an TRNG in that with an estimate of randomness it provides. And OpenSSL used to do the right thing with that. I *don’t want* OpenSSL to make *any* estimation of the amount of provided entropy. All I want it to do is to mix these bits into the RNG state. It’s *my* business how much entropy I’m providing – but I don’t want OpenSSL to make any decision regarding pull from other entropy sources based on my input. Does it sound reasonable? (He, it does to me ;) But now we just ignore it and assume every bit with get contains 1 bit of randomness and we're sundenly seriously overestimating the amount of randomness we're getting. If I had my way, you’d assume that every bit contains 0 bits of entropy, but mix it in regardless because that’s what the user is asking you to do. This is a documented public API, you can't just go and ignore this parameter. :-) smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On Tue, Aug 29, 2017 at 06:50:37PM +, Blumenthal, Uri - 0553 - MITLL wrote: > On 8/29/17, 12:45, "openssl-dev on behalf of Salz, Rich via openssl-dev" >wrote: > > ➢ An other problem with the current implemenation is that the > ➢ randomness parameter that's now given to RAND_add() is just > ➢ ignored, it assumes it's the same as the length. > > For what it’s worth, this was done deliberately, make RAND_add and > RAND_seed equivalent. > > I am skeptical of the ability to get that estimate correct. > > Someone on GH there is a conversation thread about turning that into a > percentage, which seems like the best thing to do for any new API. > > > What’s the point of having this potentially harmful parameter? If it weren’t > ignored – how would OpenSSL use it? > > If, based on its value, OpenSSL may decide that it now got “enough” entropy > and doesn’t need to pull more from other sources before serving randomness to > requestors – then it is harmful. “Over-confidence” in this value by the > caller can negatively impact the quality of the produced random numbers. As long as you have sources that don't provide 1 bit of randomness per bit that you provide you need to have an estimate of how much randomness it really contains. And you should probably seriously underestimate it so that you're sure that you collect enough. The problem with ignoring an existing parameter is that people could be calling it with for instance the value of 0, knowing it contains as good as none entropy. Or they could feed the unwithened output of an TRNG in that with an estimate of randomness it provides. And OpenSSL used to do the right thing with that. But now we just ignore it and assume every bit with get contains 1 bit of randomness and we're sundenly seriously overestimating the amount of randomness we're getting. This is a documented public API, you can't just go and ignore this parameter. Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 8/29/17, 15:22, "openssl-dev on behalf of Salz, Rich via openssl-dev"wrote: ➢ I’d like to suggest that any approach other than “immediately mix the received randomness into the RNG state” is bad. If a user does RAND_add() now, as opposed to 100 source code lines before, there may be a reason for that. >I think the only way to do that in the DRBG model is to treat it as > “additional input” and >do a generate call. I think that would achieve the same effect, but it > wouldn’t delay any >possible seeding of randomness that the DRBG itself needs at some point. That is OK if the application manually invokes generate(). If it’s the RNG responsible for feeding key generators (who would call generate() transparently to user), then the only way I see is DRBG reseed(). Even though it implies a complete state replacement. AFAIK, there are three cases when randomness source(s) is pulled: a. At the instantiation time (page 29 of NIST SP 800-90A Rev1 draft). b. Upon reseed call (pages 30-31). c. During generation call(pages 32-36). “Additional input” (i.e., what I’m after :) is present in two of the above: reseeding, and generation (pages 19 and 23). The draft is very clear that this “additional input” shall not be counted towards the “official” entropy (aka calculations when to pull the “official” entropy sources). Which suits my purposes just fine. ;-) I realize that reseed() not only mixes my “additional input” but also replaces the entire state. NIST does not specify interface to “just” mix the “additional input” into the state without replacing the whole state with some fresh entropy by calling Get_entropy_input(). Maybe we can provide such a function call (that’s what I think RAND_add() is supposed to do), but I’m not certain here… Wonder what others think? Do you believe that if you want to mix some more randomness into the RNG state to improve upon less-than-perfect entropy sources, you must also replace the entire state with the fresh pull from those sources? Or is it OK to just “spice” the current state with “additional input”? Note that regardless of the answer to the above, IMHO reseed() should be able to take “additional input”. (NIST considers it optional, but sensitive/critical applications don’t. ;) ➢One “API” is how to get a reference/pointer/instance/whatever to the DRBG object responsible for the operation I’m now concerned with, ➢ and that I want to influence/improve. This would probably differ between per-SSL DRBG and per-thread DRBG, etc. I haven’t even ➢ thought about this part of the API (and I’m sure others on the team have more experience and understanding of the OpenSSL code ➢ to do it better than I would anyway). > Yes, it is separate. But I want to make sure that if we are doing a > comprehensive RAND overhaul that this is included in the requirements. Yes, it should be included. But don’t let it stop us from defining/reviewing the “clearer” part of the API. ;-) smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
In message <168cef3c-d655-47bf-9874-048308154...@ll.mit.edu> on Tue, 29 Aug 2017 19:04:48 +, "Blumenthal, Uri - 0553 - MITLL"said: uri> uri> Could you please be more specific wrt. DRBG organization that in your opinion could impact the UI? uri> uri> Are you talking about the UI API or something else? uri> uri> No-no-no, just the UI API. uri> uri> I used the term “UI” to emphasize that this is the “public” part of the API, exposed to the user, expected to be called by the user, and (probably) designed to be stable for some (hopefully considerable) time. Ah, ok. In an OpenSSL context, this gets a bit confusing since there is an API called UI ( ). -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
➢ I’d like to suggest that any approach other than “immediately mix the received randomness into the RNG state” is bad. If a user does RAND_add() now, as opposed to 100 source code lines before, there may be a reason for that. I think the only way to do that in the DRBG model is to treat it as “additional input” and do a generate call. I think that would achieve the same effect, but it wouldn’t delay any possible seeding of randomness that the DRBG itself needs at some point. ➢ One “API” is how to get a reference/pointer/instance/whatever to the DRBG object responsible for the operation I’m now concerned with, and that I want to influence/improve. This would probably differ between per-SSL DRBG and per-thread DRBG, etc. I haven’t even thought about this part of the API (and I’m sure others on the team have more experience and understanding of the OpenSSL code to do it better than I would anyway). Yes, it is separate. But I want to make sure that if we are doing a comprehensive RAND overhaul that this is included in the requirements. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 8/29/17, 11:33, "openssl-dev on behalf of Salz, Rich via openssl-dev"wrote: Could you please be more specific wrt. DRBG organization that in your opinion could impact the UI? > From your use-case: you want to add entropy into a specific DRBG. Yes. > You want to push it, as opposed to the DRBG “pull when needed” model. I’d like to suggest that any approach other than “immediately mix the received randomness into the RNG state” is bad. If a user does RAND_add() now, as opposed to 100 source code lines before, there may be a reason for that. Would you agree? Besides possible but probably negligible performance difference – why would you ever want to delay mixing the received “additional input” in? > That’s an additional API. I wouldn’t call it “additional”. It may be a change from the current behavior – but I think everybody would welcome such a change. IMHO it can only help, never hurt. > Also from your use-case: you want to specify which DRBG instance gets that entropy. Yeah, but that probably isn’t a part of the API that DRBG “object” exposes. One “API” is how to get a reference/pointer/instance/whatever to the DRBG object responsible for the operation I’m now concerned with, and that I want to influence/improve. This would probably differ between per-SSL DRBG and per-thread DRBG, etc. I haven’t even thought about this part of the API (and I’m sure others on the team have more experience and understanding of the OpenSSL code to do it better than I would anyway). Another “API” is how to tell this specific DRBG instance what exactly I want from it now. E.g., mix more randomness that I provide into its state, give me some random bits, whatever. This part probably can stay close to what it currently is. I think 90A would be satisfied with 3-4 interface calls here… > If we move to a pair per thread, as opposed to one per SSL and two in the global space, how do we make sure that API still works and does the right thing. Yeah. That’s the “other” part of the API. I think the two API “groups” are pretty (completely?) orthogonal – independent from each other. >Does that makes sense, and does it answer your question? Yeah… What do you think of my reasoning above? smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
IMHO this interface is a way for the user to improve the quality of the randomness it would get from the given RNG, *not* to replace (or diminish) its other sources. My proposal is to abolish this parameter, especially since now it is simply ignored (and IMHO – for a good reason). That's a fine proposal ... it just can't be implemented until a major release boundary, when our ABI stability policy permits such breaking changes. And that is fine. The sooner the better, but ABI stability makes sense too. My main point is: RAND_add() and whatever similar in purpose interface calls we may define in the future should exhibit the following behavior: Mix the provided randomness into the RNG state *immediately*, and Keep pulling other sources and mixing them into the state – don’t subtract from the “needed entropy” count the amount you presumably got from the user. Frankly, the need to provide double entropy argument doesn’t bother me all that much – especially if the value 0 is accepted there. ;-) smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
uri> Could you please be more specific wrt. DRBG organization that in your opinion could impact the UI? Are you talking about the UI API or something else? No-no-no, just the UI API. I used the term “UI” to emphasize that this is the “public” part of the API, exposed to the user, expected to be called by the user, and (probably) designed to be stable for some (hopefully considerable) time. smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
➢ IMHO this interface is a way for the user to improve the quality of the randomness it would get from the given RNG, *not* to replace (or diminish) its other sources. My proposal is to abolish this parameter, especially since now it is simply ignored (and IMHO – for a good reason). We cannot do this in a minor release; we have to wait until 1.2 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 08/29/2017 01:50 PM, Blumenthal, Uri - 0553 - MITLL wrote: > IMHO this interface is a way for the user to improve the quality of the > randomness it would get from the given RNG, *not* to replace (or diminish) > its other sources. My proposal is to abolish this parameter, especially since > now it is simply ignored (and IMHO – for a good reason). That's a fine proposal ... it just can't be implemented until a major release boundary, when our ABI stability policy permits such breaking changes. -Ben -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 8/29/17, 12:45, "openssl-dev on behalf of Salz, Rich via openssl-dev"wrote: ➢ An other problem with the current implemenation is that the ➢ randomness parameter that's now given to RAND_add() is just ➢ ignored, it assumes it's the same as the length. For what it’s worth, this was done deliberately, make RAND_add and RAND_seed equivalent. I am skeptical of the ability to get that estimate correct. Someone on GH there is a conversation thread about turning that into a percentage, which seems like the best thing to do for any new API. What’s the point of having this potentially harmful parameter? If it weren’t ignored – how would OpenSSL use it? If, based on its value, OpenSSL may decide that it now got “enough” entropy and doesn’t need to pull more from other sources before serving randomness to requestors – then it is harmful. “Over-confidence” in this value by the caller can negatively impact the quality of the produced random numbers. If this value is not used to guide OpenSSL when to stop pulling entropy sources and start serving randomness – then it causes no harm, but what’s its purpose? IMHO this interface is a way for the user to improve the quality of the randomness it would get from the given RNG, *not* to replace (or diminish) its other sources. My proposal is to abolish this parameter, especially since now it is simply ignored (and IMHO – for a good reason). smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
➢ An other problem with the current implemenation is that the ➢ randomness parameter that's now given to RAND_add() is just ➢ ignored, it assumes it's the same as the length. For what it’s worth, this was done deliberately, make RAND_add and RAND_seed equivalent. I am skeptical of the ability to get that estimate correct. Someone on GH there is a conversation thread about turning that into a percentage, which seems like the best thing to do for any new API. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On Tue, Aug 29, 2017 at 01:05:21PM +, Dr. Matthias St. Pierre wrote: > > Currently it's only possible to customize the callbacks but not the > deterministic algorithm. IMHO this is sufficient for the needs of a standard > OpenSSL user who only wants control over the entropy source. A true new > algorithm (like e.g. CHACHA2_DRBG) should be implemented by experts and added > mainstream. So I don't see any advantage of having an engine over using the > 'vtable' approach from the FIPS DRBG, which has been removed. I've been looking at implementing a chacha20 based DRBG, which isn't that hard. But there are various choices you can make, and every chacha20 RNG that I've seen seems to take a random set of those choices. I really wish there was some standardized version. Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On Tue, Aug 29, 2017 at 11:31:03AM +, Dr. Matthias St. Pierre wrote: > > -Ursprüngliche Nachricht- > > Von: openssl-dev [mailto:openssl-dev-boun...@openssl.org] Im Auftrag von > > Matt Caswell > > Gesendet: Dienstag, 29. August 2017 12:17 > > An: openssl-dev@openssl.org > > Betreff: Re: [openssl-dev] Plea for a new public OpenSSL RNG API > > > > > > On 29/08/17 10:45, Dr. Matthias St. Pierre wrote > > > ... > > > The 'RAND_add()/RAND_bytes()' pattern is broken > > > === > > > > > > In OpenSSL, the classical way for the RNG consumer to add his own > > > randomness is to call 'RAND_add()' before calling 'RAND_bytes()'. If > > > the new 'RAND_OpenSSL()' method (the "compatibility layer" hiding the > > > public RAND_DRBG instance) is the default, then this does not work > > > as expected anymore: > > > ... > > > > Is there a potential security vulnerability here? Applications using the > > "old" APIs expect RAND_add() to behave in a particular way. If we have > > silently changed this behaviour in 1.1.1 are they exposed? > > Don't worry, this issue is new, the global 'rand_bytes' buffer has only been > introduced by the DRBG port to master in August. I don't think it's a big > deal to fix it. The reason I mentioned it here was to emphasize, that it is > really hard to get the different philosophies (push vs. pull) of the two APIs > working together correctly. The code was reviewed by several people and > nobody noticed it. By the way: the approach using the fixed size global > 'rand_bytes' buffer has another issue, which I will try to write down on > GitHub within the next days. I've actually noticed how this works and I have already partially rewritten it, but I'm still not very happy about it. I think by RAND_add() should not be called internally. But the question then is what to do when an application calls RAND_add(), we should be doing something with the buffer that's given. I think the best way to deal with it is with the DRBG API is used, RAND_add() is used for additional data. We now have 2 global DRBGs, and I think I want to have 1 of them chain to the other. RAND_add() could then be used for the master. An other problem with the current implemenation is that the randomness parameter that's now given to RAND_add() is just ignored, it assumes it's the same as the length. Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
I actually plan to work on most of not all the things you mention. This will probably result in the API changing before it's made public. I'm probably slow, so please be patient. Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
Could you please be more specific wrt. DRBG organization that in your opinion could impact the UI? From your use-case: you want to add entropy into a specific DRBG. You want to push it, as opposed to the DRBG “pull when needed” model. That’s an additional API. Also from your use-case: you want to specify which DRBG instance gets that entropy. If we move to a pair per thread, as opposed to one per SSL and two in the global space, how do we make sure that API still works and does the right thing. Does that makes sense, and does it answer your question? -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
Could you please be more specific wrt. DRBG organization that in your opinion could impact the UI? NIST 90Ar1 seems specific enough on what functionality DRBG can provide to users, and it doesn't seem like a very elaborate or rich interface. Why would it change, regardless of what you may need to do with it internally? Regards, Uri Sent from my iPhone > On Aug 29, 2017, at 10:03, Salz, Rich via openssl-dev >wrote: > > >dev asap. If there are problems with it we can always revert it before >it makes it into a release. > > Someone on the OMC called that “flip-flopping” and seemed to be against this > kind of thing. > > If we are going to have an additional API, then we should at least see a > draft of the header file first. > > Keep in mind that the current DRBG organization might change, and we don’t > want to lose that freedom. > > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 29/08/17 15:02, Salz, Rich via openssl-dev wrote: > > dev asap. If there are problems with it we can always revert it before > it makes it into a release. > > Someone on the OMC called that “flip-flopping” and seemed to be against this > kind of thing. > > If we are going to have an additional API, then we should at least see a > draft of the header file first. Matthias, would you be willing to create such a draft as a github PR (marked as WIP for now)? Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
dev asap. If there are problems with it we can always revert it before it makes it into a release. Someone on the OMC called that “flip-flopping” and seemed to be against this kind of thing. If we are going to have an additional API, then we should at least see a draft of the header file first. Keep in mind that the current DRBG organization might change, and we don’t want to lose that freedom. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
In message <3a54fcefd17d4735920426d21b3b8...@ex13.ncp.local> on Tue, 29 Aug 2017 13:39:02 +, "Dr. Matthias St. Pierre"said: Matthias.St.Pierre> Just a sudden inspiration: If the RAND_DRBG becomes a truly independent API it might be better to strip the RAND_ prefix and redesign the API such that one has Matthias.St.Pierre> Matthias.St.Pierre> - a DRBG_CTX structure for the data members Matthias.St.Pierre> - a DRBG_METHOD structure for its methods Matthias.St.Pierre> Matthias.St.Pierre> Would this look more OpenSSL-like to you? Yes. And per fairly recent recommendations to avoid cluttering the name space, that would be OSSL_DRGB_CTX and OSSL_DRGB_METHOD, btw. -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On Tue, Aug 29, 2017, Richard Levitte wrote: > I'm late in the game, having only followed the development very > superficially... > > If I understand correctly, the RAND_DRBG API is really a completely > separate API that has nothing to do with the RAND_METHOD API pers se, > i.e. any association between the two is more or less "accidental"? > > Frankly, I cannot see anything wrong with making that a public API. I > wonder, though, if this is going to be an implementation that's kinda > sorta built-in only, or if other implementations of the basic stuff > will be possible... or in other words, will we have a "method" > structure like we have with so many other APIs? In saying this, I'm > counting in the possibility that some implementations could come in > the form of engines, is this something that's been thought about? I > do notive the DRGB_CTX structure, but that doesn't quite follow the > usual "method" pattern we have... > In terms of future FIPS 140-2 compliance having a way to redirect all PRNG operations to a FIPS compliant version is essential. This would require some kind of method. We can redirect via RAND_METHOD but that currently means that any ENGINE supplied PRNG is severely restricted (one global PRNG only) compared to the built in DRBG. We could resolve that via a DRBG_METHOD or some extended RAND_METHOD. That's for the future though: there wont be a new FIPS module for some time that will need this functionality. In terms of the API itself. We could make RAND_DRBG public and I can see reasons both for and against that. The main objection I can see is that it commits us to DRBG like PRNGs: that is if we (or an ENGINE) in future wants to use a RNG that isn't a good fit for the DRBG API it's a problem. We're partially hitting that now because the DRBG API is not a good fit for the older RAND API. One alternative is to expand RAND_METHOD so it treats a DRBG as a special case of the expanded API and it is flexible enough to handle any future needs. That would (for example) have extended RAND APIs which can be passed an "instance" of a PRNG (something like RAND_CTX which is analagous to the DRBG instance structure we currently have). That is tricky because RAND_METHOD is alas not an opaque structure and can't be made so before OpenSSL 1.2.0. Tricky but not impossible. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
In messageon Tue, 29 Aug 2017 13:27:20 +, "Dr. Matthias St. Pierre" said: Matthias.St.Pierre> > Essentially, the argument for your last remark is in-structure vtable Matthias.St.Pierre> > vs refered to vtable. I tend to prefer the latter (and that's the Matthias.St.Pierre> > usual OpenSSL pattern too, even though there are exceptions). Matthias.St.Pierre> Matthias.St.Pierre> You are the experts and much more familiar with Matthias.St.Pierre> the code then I am. My role was only to give the Matthias.St.Pierre> starting shot, the rest is up to you. Fair enough! :-) -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> Essentially, the argument for your last remark is in-structure vtable > vs refered to vtable. I tend to prefer the latter (and that's the > usual OpenSSL pattern too, even though there are exceptions). You are the experts and much more familiar with the code then I am. My role was only to give the starting shot, the rest is up to you. Regards, Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
In message <0e062727611c44bb8039170bbec11...@ex13.ncp.local> on Tue, 29 Aug 2017 13:05:21 +, "Dr. Matthias St. Pierre"said: Matthias.St.Pierre> > Frankly, I cannot see anything wrong with making that a public API. I Matthias.St.Pierre> > wonder, though, if this is going to be an implementation that's kinda Matthias.St.Pierre> > sorta built-in only, or if other implementations of the basic stuff Matthias.St.Pierre> > will be possible... or in other words, will we have a "method" Matthias.St.Pierre> > structure like we have with so many other APIs? In saying this, I'm Matthias.St.Pierre> > counting in the possibility that some implementations could come in Matthias.St.Pierre> > the form of engines, is this something that's been thought about? I Matthias.St.Pierre> > do notive the DRGB_CTX structure, but that doesn't quite follow the Matthias.St.Pierre> > usual "method" pattern we have... Matthias.St.Pierre> Matthias.St.Pierre> Currently it's only possible to customize the callbacks but not the deterministic algorithm. IMHO this is sufficient for the needs of a standard OpenSSL user who only wants control over the entropy source. A true new algorithm (like e.g. CHACHA2_DRBG) should be implemented by experts and added mainstream. So I don't see any advantage of having an engine over using the 'vtable' approach from the FIPS DRBG, which has been removed. Essentially, the argument for your last remark is in-structure vtable vs refered to vtable. I tend to prefer the latter (and that's the usual OpenSSL pattern too, even though there are exceptions). -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
I'm late in the game, having only followed the development very superficially... If I understand correctly, the RAND_DRBG API is really a completely separate API that has nothing to do with the RAND_METHOD API pers se, i.e. any association between the two is more or less "accidental"? Frankly, I cannot see anything wrong with making that a public API. I wonder, though, if this is going to be an implementation that's kinda sorta built-in only, or if other implementations of the basic stuff will be possible... or in other words, will we have a "method" structure like we have with so many other APIs? In saying this, I'm counting in the possibility that some implementations could come in the form of engines, is this something that's been thought about? I do notive the DRGB_CTX structure, but that doesn't quite follow the usual "method" pattern we have... Cheers, Richard In messageon Tue, 29 Aug 2017 09:45:26 +, "Dr. Matthias St. Pierre" said: Matthias.St.Pierre> Hi everybody, Matthias.St.Pierre> Matthias.St.Pierre> on the [openssl-dev] mailing list, there has been a long ongoing discussion about the new RAND_DRBG API and comparing it with the old RAND_METHOD API (see "[openssl-dev] Work on a new RNG for OpenSSL"). Two of the most controversal questions were: Matthias.St.Pierre> Matthias.St.Pierre> - Do we really need a new RNG API? Should the RAND_DRBG API be made public or kept private? (Currently, it's exported from libcrypto but only used internally by libssl.) Matthias.St.Pierre> - How much control should the user (programmer) be given over the reseeding process and/or should he be allowed to add his own additional randomness? Matthias.St.Pierre> Matthias.St.Pierre> Many developers seem to be realizing the interesting possibilities of the DRBG API and are asking for public access to this new and promising API. One of the driving forces behind it is the question about how to do seeding and reseeding right. Among others, Uri Blumenthal asked for making the DRBG API public. Matthias.St.Pierre> Matthias.St.Pierre> Currently, the OpenSSL core members seem to be reluctant to make the API public, at least at this early stage. I understand Rich Salz's viewpoint that this requires a thorough discussion, because a public interface can't be easily changed and wrong decisions in the early phase can become a heavy burdon. Matthias.St.Pierre> Matthias.St.Pierre> Nevertheless, I agree with Uri Blumenthal that the DRBG API should be made public. So here comes my Matthias.St.Pierre> Matthias.St.Pierre> == Matthias.St.Pierre> Plea for a new public OpenSSL RNG API: Matthias.St.Pierre> == Matthias.St.Pierre> Matthias.St.Pierre> The new RAND_DRBG is the superior API. It shouldn't be kept private and hidden behind the ancient RAND_METHOD API. Matthias.St.Pierre> The philosophy of the two APIs is not very well compatible, in particular when it comes to reseeding and adding Matthias.St.Pierre> additional unpredictable input. Hiding the RAND_DRBG behind the RAND_METHOD API only causes problems. Matthias.St.Pierre> Also, it will force people to patch their OpenSSL copy if they want to use the superior API. Matthias.St.Pierre> Matthias.St.Pierre> The RAND_DRBG API should become the new public OpenSSL RNG API and the old RAND_METHOD API should be deprecated Matthias.St.Pierre> in the long run. This transition does not need to be rushed, but it would be good if there would be early consent Matthias.St.Pierre> on the road map. I am thinking of a smooth transition with a phase of coexistence and a compatibility layer Matthias.St.Pierre> mapping the default RAND_METHOD to the default public RAND_DRBG instance. (This compatibility layer already exists, Matthias.St.Pierre> it's the 'RAND_OpenSSL()' method.) Matthias.St.Pierre> Matthias.St.Pierre> Matthias.St.Pierre> Matthias.St.Pierre> Historical Background Matthias.St.Pierre> = Matthias.St.Pierre> Matthias.St.Pierre> As Rich already mentioned in his blog post, the RAND_DRBG isn't new. It's been a part of OpenSSL for a long time, hidden in the FIPS 2.0 Object Module. Matthias.St.Pierre> Matthias.St.Pierre> I have been working with the FIPS DRBG for quite a while now, using a FIPS-capable OpenSSL 1.0.2x crypto library. The reason why our company switched to the FIPS DRBG is that one of our products runs on a small hardware device which does not have a reliable entropy source, but the product has to meet high security standards, in particular w.r.t. its RNG. So we decided to use the SmartCard RNG as primary entropy source for a deterministic AES-CTR based RNG and use /dev/urandom as additional input. Reseeding should occur on every generate request. Using the FIPS DRBG, these requirements were easily met, because the API
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> -Ursprüngliche Nachricht- > Von: openssl-dev [mailto:openssl-dev-boun...@openssl.org] Im Auftrag von Matt > Caswell > Gesendet: Dienstag, 29. August 2017 12:17 > An: openssl-dev@openssl.org > Betreff: Re: [openssl-dev] Plea for a new public OpenSSL RNG API > > > On 29/08/17 10:45, Dr. Matthias St. Pierre wrote > > ... > > The 'RAND_add()/RAND_bytes()' pattern is broken > > === > > > > In OpenSSL, the classical way for the RNG consumer to add his own > > randomness is to call 'RAND_add()' before calling 'RAND_bytes()'. If > > the new 'RAND_OpenSSL()' method (the "compatibility layer" hiding the > > public RAND_DRBG instance) is the default, then this does not work > > as expected anymore: > > ... > > Is there a potential security vulnerability here? Applications using the > "old" APIs expect RAND_add() to behave in a particular way. If we have > silently changed this behaviour in 1.1.1 are they exposed? Don't worry, this issue is new, the global 'rand_bytes' buffer has only been introduced by the DRBG port to master in August. I don't think it's a big deal to fix it. The reason I mentioned it here was to emphasize, that it is really hard to get the different philosophies (push vs. pull) of the two APIs working together correctly. The code was reviewed by several people and nobody noticed it. By the way: the approach using the fixed size global 'rand_bytes' buffer has another issue, which I will try to write down on GitHub within the next days. Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Plea for a new public OpenSSL RNG API
On 29/08/17 10:45, Dr. Matthias St. Pierre wrote > Currently, the OpenSSL core members seem to be reluctant to make the > API public, at least at this early stage. I understand Rich Salz's > viewpoint that this requires a thorough discussion, because a public > interface can't be easily changed and wrong decisions in the early > phase can become a heavy burdon. FWIW, I am not against making the API public although I too understand Rich's reluctance. However it seems inevitable to me that sooner or later this API will have to be made accessible and I see little benefit in delaying that and plenty of reasons for doing it now (it only frustrates those that know the functionality is there but can't get at it :-)). There is always a risk with every API added that you get it wrong, and then you are stuck with it for ever more. The only real answers to this are: 1) Make sure you "design" your API to start with and get it reviewed 2) Encourage people to try the API while it is still in dev i.e. so we can still change it before the final release. I'm not really convinced that keeping the API hidden now will mean that it will be better in some future release. It just delays the point at which we have the realisation of "if only we had designed it like *this* it would have been s much better". Better is to make it public in dev asap. If there are problems with it we can always revert it before it makes it into a release. > The 'RAND_add()/RAND_bytes()' pattern is broken > === > > In OpenSSL, the classical way for the RNG consumer to add his own > randomness is to call 'RAND_add()' before calling 'RAND_bytes()'. If > the new 'RAND_OpenSSL()' method (the "compatibility layer" hiding the > public RAND_DRBG instance) is the default, then this does not work > as expected anymore: > > The reason is that a call to 'RAND_add()' adds the provided > randomness only to a global buffer ('rand_bytes'), from which it will > be pulled during the next reseed. But no reseed is triggered. So the > next RAND_bytes() call will be unaffected from the RAND_add(), which > is not what the consumer expected. (The same holds for 'RAND_seed()', > since 'drbg_seed()' only calls into 'drbg_add()') > > Reseeding of DRBGs occurs only at the following occasions: > > * immediately after a 'fork()' (new) * if the 'reseed_counter' > exceeds the 'reseed_interval' * if 'RAND_DRBG_generate()' is called > requesting 'prediction_resistance' * 'RAND_DRBG_reseed()' is called > explicitely > > *Note:* Currently it looks like the situation is even worse: if > 'RAND_add()' is called multiple times before a reseed occurs, then > the result of the previous call is overwritten. > > Reseeding the 'DRBG' whenever the user calls 'RAND_add()' does not > seem a good solution. It would be too expensive, in particular if > system entropy is pulled for reseeding. Of course it is possible to > fix this issue, but the DRBG provides for a much simpler solution: it > lets the consumer contribute to the entropy of the internal state by > providing additional input. If the user input contains entropy, > that's fine, if it's "snake oil", no harm. The additional input is > mixed into the internal state in just the same way as the entropy > buffer using the 'ctr_df()' derivation function. One might think of > the 'entropy' input as trusted randomness and 'adin' as untrusted > randomness. > > For this reason, I would like to see the 'RAND_add()/RAND_bytes()' > pattern deprecated and the 'RAND_DRBG_generate() with additional > input' pattern advertised instead. Deprecation itself would probably have to wait for a 1.2.0 release. We have a binary/source compatibility guarantee for 1.1.0 which would not be met for builds using "--api" or "no-deprecated". Is there a potential security vulnerability here? Applications using the "old" APIs expect RAND_add() to behave in a particular way. If we have silently changed this behaviour in 1.1.1 are they exposed? Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev