[Cryptography] OpenSSL and random

Nico Williams nico at cryptonector.com
Thu Dec 1 19:39:46 EST 2016


On Wed, Nov 30, 2016 at 04:17:29PM -0500, Theodore Ts'o wrote:
> On Wed, Nov 30, 2016 at 10:23:06AM -0800, Ray Dillinger wrote:
> > [elided text regarding getrandom() blocking prior to initial seeding]
> [...]
> 
> P.S.  Silly bit of trivia: the reason why Python was reading from
> /dev/urandom was to initialize a hash directory to prevent DOS attacks
> when Python was being used from a CGI script.  Not an issue when it is
> being used as a system generator, but....  and that's why you
> shouldn't panic when there are reports that system'd udev and Openwrt
> are reading from /dev/urandom during early boot.  In some cases, it's
> for completely innocuous things. Like lint warnings, though, it's good
> to check them and if possible silence them so when someone is creating
> long-term public keys immediately after a device is first powered up,
> people are more likely to notice...

The problem is that if it's a library or a language run-time (e.g.,
Python's here), and if that library/run-time only seeds an internal PRNG
once, and the process using this is long-lived...  it might not be just
innocuous things.  How would you know?  Or maybe it's innocuous today
but not in the next release.

It might be nice to be get an indication of entropy quality from the OS.
At minimum a boolean (true -> real entropy, false -> meh entropy).
_Perhaps_ also an indication of when was the last time new entropy was
stirred in.  (Anything more would be overkill and hard to use well.)

Keying a hash table function will work well enough with meh entropy.
Keying a critical cryptosystem with meh entropy will not.

Nico
-- 
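The "boolean plus last-stirred time" indication Nico asks for above, sketched as an added example that is not code from the thread or from OpenSSL or Python. The kernel probe uses the real `os.getrandom()` with `GRND_NONBLOCK` (Linux, Python 3.6+), which raises `BlockingIOError` while getrandom() would still block before initial seeding; `EntropyGate` and its injectable `probe`/`source`/`clock` hooks are hypothetical, there so the not-yet-seeded case can be exercised without an early-boot machine.

```python
import os
import time


def kernel_entropy_state():
    """Probe the kernel CRNG without blocking.

    'ready' once the pool has been seeded, 'not-ready' while getrandom()
    would block, 'unknown' where the call is absent (non-Linux, old Python).
    """
    getrandom = getattr(os, "getrandom", None)
    flag = getattr(os, "GRND_NONBLOCK", None)
    if getrandom is None or flag is None:
        return "unknown"
    try:
        getrandom(1, flag)  # EAGAIN surfaces as BlockingIOError before seeding
    except BlockingIOError:
        return "not-ready"
    return "ready"


class EntropyGate:
    """Process-local record of seed quality and when it was last stirred.

    probe/source/clock are hypothetical hooks for this example; the defaults
    are the real kernel probe above, os.urandom and a monotonic clock.
    """

    def __init__(self, probe=kernel_entropy_state, source=os.urandom,
                 clock=time.monotonic):
        self._probe, self._source, self._clock = probe, source, clock
        self.quality = None        # 'real' or 'meh' once seeded
        self.last_stirred = None   # clock reading at the last (re)seed

    def seed(self, nbytes=32):
        """Pull seed material, record its quality and time; return the bytes."""
        self.quality = "real" if self._probe() == "ready" else "meh"
        self.last_stirred = self._clock()
        return self._source(nbytes)

    def allow(self, purpose):
        """Hash-table keying tolerates 'meh'; cryptographic keys need 'real'."""
        if self.quality is None:
            return False
        return purpose == "hash-key" or self.quality == "real"

    def reseed_if_needed(self, max_age):
        """Long-lived process: reseed when stale, or when 'meh' can be upgraded."""
        if self.quality is None:
            return False
        stale = self._clock() - self.last_stirred > max_age
        upgradable = self.quality == "meh" and self._probe() == "ready"
        if stale or upgradable:
            self.seed()
            return True
        return False
```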