[Cryptography] Fwd: Underhanded Crypto

Ben Laurie ben at links.org
Wed Dec 3 15:31:27 EST 2014

And list dropped again.

---------- Forwarded message ---------
From: Ben Laurie <ben at links.org>
Date: Wed Dec 03 2014 at 8:28:30 PM
Subject: Re: [Cryptography] Underhanded Crypto
To: John Denker <jsd at av8n.com>

On Wed Dec 03 2014 at 6:55:15 PM John Denker <jsd at av8n.com> wrote:

> Hash: SHA1
> On Wed Dec 03 2014 at 7:22:18 AM Ray Dillinger <bear at sonic.net> wrote:
> >> [....] relying on uninitialized memory alone,
> >> or even mostly, to produce a good PRNG state is crayzee.
> On 12/03/2014 05:20 AM, Ben Laurie retorted:
> > So crayzee its not what was going on. In fact, what was going on is what
> > you just described. Which you would've known if you actually bothered to
> > understand the issue.
> >
> > But do carry on bloviating. It is _so_ enlightening.
> How firmly has it been established that there is no craziness
> is going on?  It seems to me that OpenSSL is a library.  The
> code in question
>   https://github.com/openssl/openssl/blob/master/crypto/rand/
> md_rand.c#L206
>   https://github.com/openssl/openssl/blob/master/crypto/rand/
> md_rand.c#L302
> is not called from within OpenSSL AFAICT, so presumably it gets
> called from some higher layer.  Has somebody checked all possible
> applications to verify that whenever purify complains about an
> uninitialized seed, the app is doing things correctly?  If so,
> please cite a reference so we can all read about it.
> Not as a strict proof, but as a plausible inference, experience
> suggests that folks who use an uninitialized seed are doing so
> because they don't trust their other seed-sources.  So at least
> sometimes, it is a blind man clutching at a straw that isn't there.
> Conversely, if there is a proof that uninitialized seeds are used
> only when they are not needed, please explain.

That is not the converse, and this is the core point.

We all know that low entropy sucks. Throwing in some extra entropy never

There is the orthogonal question of what to make of this in the face of
Purify, valgrind et al. which (almost always rightly) view this entirely
harmless practice as evil.

As you point out, it may mask other problems. OpenSSL provides the -DPURIFY
option to remove the code that might mask, at the cost of losing any
entropy that might have been available. Your call.

Don't blame OpenSSL for the failure of dynamic analysis perfection.

> Two wrongs do not make a right ... and fixing one wrong does not
> fix the other.  Reverting an iatrogenic error does not mean that
> the patient is cured;  the presenting complaint is still there.
> Version: GnuPG v1
> iQIVAwUBVH9XP/O9SFghczXtAQI9pg//WKhp0R7zP4lojjLaeg0SWYUNWtVv60DO
> KR1R6mWmbp8LcKsWNFCS9WBrbIPFP5k0lelTQZTqvoUtlM452KIHDmFCxm+/Tdpj
> aDZzu1CixLBCCnsL+xU5KSDGTicogO1q1cSwvyyIV6yPK2gC+xt0/heTITJHC2nh
> +Wy+MAEwrhHZcM25aORbWnuJgjHWuLA0Y/Boy3AcYCXqkgO+3a49VdqS/+QuCgzu
> +GLF6DX2jyyBrLPt/z1Xvjy+BK+qx4iddqEr5i5db+OfxNn3zcshBDvl1cKEd4vu
> KILQqghzZGl0DzM6Y7Vwdk/QdtyOxvBGoGioYDnQVMQ06t4Nn9Y0wcKz4C6IeuAj
> THuB7UDbeM3rtL5c/pCGVvonKH09/peycM2q+U/SI/gZ0Ow+u6U2/Whq22OTzbeq
> NyKyJl48UsrVHAyk3PSZUNFfz8EpDP+qRVtZ5lkvLb4CPArqVXrq6XAYpifwpoJZ
> Ra4uhYptMjHMunWW/wZzCCQMUGjUNx1nIyi06ITfOtKoX2mT4zOf0/yWmUocu+4X
> fRPMwalh+9cT9TCwIqTZAuugDgBWqCjPGO12z6AuhL7hugHIeAwKB4gxS77v8MiB
> eZHc3ChvOE3WN0FEotZkrBWGLZlbyEHInydyVovVT/9Wof9cMCZDkYbVoSKOVAb2
> bk3WvNvq6+4=
> =gevo
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141203/ef50593f/attachment.html>

More information about the cryptography mailing list