[Cryptography] OpenSSL and random

Nico Williams nico at cryptonector.com
Fri Dec 2 12:26:50 EST 2016


On Fri, Dec 02, 2016 at 11:24:45AM +0000, Peter Gutmann wrote:
> Ray Dillinger <bear at sonic.net> writes:
> >As written, it regards 128 bits as sufficient initial entropy. 
> 
> Why 128 bits?  What if it's less?  Let's say you never block, which means you
> could run on, say, 32 bits of entropy early on.  Given the information
> "somewhere on the Internet there may be a system that may be running with
> lowered entropy in the RNG", how would an attacker exploit this?

For a sufficiently-low number of bits we'd have a number of recognizable
SSH host keys and such.  How low is that?  16 bits is too low for sure.
20 bits is still too low.  30 bits is probably also too low in that, if
you compute all the SSH host keys that could result, store them, then
scan the network for them, and there are many devices generating SSH
hostkeys with 30 bits or less...  64 bits is quite safe from this sort
of attack.  So we're looking at a minimum well above 30 and closer to
64.

What I really want is an API that lets me specify my app's minimum
entropy requirement, and returns an error if that minimum cannot be met.

Two or three values will do: "meh" and "cryptographically-secure", or
"meh", "low-value", and "high-value cryptographically-secure".  "Meh"
would always be available.  A number of required bits of entropy will
also do, but IMO it's overkill.

One more thing: entropy in a CSPRNG pool is never depleted, only
stretched.  Once seeded, the pool must be available for
cryptographically-secure outputs without blocking ever again.

Nico
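As an added illustration (not part of Nico's post, and not any library's API), here is a sketch of the entropy-level interface he describes: a pool tracks how many bits of seed entropy it has absorbed, refuses output below the caller's chosen minimum, and, once the minimum is met, stretches the seed indefinitely rather than "depleting" it. The level names, the bit thresholds and the HMAC-based stretching are assumptions made for the example.

```python
# Added example: an entropy-level API sketch. Thresholds, level names and the
# HMAC-SHA256 stretching construction are assumptions for illustration only;
# real applications should use the OS CSPRNG rather than this class.
import hmac
import hashlib

# Assumed minimum seed entropy (bits) a caller may demand for each level.
LEVELS = {"meh": 0, "low-value": 64, "high-value": 128}


class InsufficientEntropy(Exception):
    """Raised when the pool cannot honour the requested level."""


class EntropyPool:
    def __init__(self):
        self.key = b"\x00" * 32       # current stretching key, updated on reseed
        self.counter = 0              # output block counter
        self.entropy_bits = 0         # conservative estimate of absorbed entropy

    def add_entropy(self, data: bytes, estimated_bits: int) -> None:
        """Mix seed material into the key; the caller supplies the estimate."""
        self.key = hmac.new(self.key, b"seed" + data, hashlib.sha256).digest()
        self.entropy_bits += estimated_bits

    def random_bytes(self, n: int, level: str = "high-value") -> bytes:
        """Return n bytes, or raise if the pool has not met the level's minimum.

        Once the minimum has been met, output never blocks and never lowers
        entropy_bits: the seed is stretched, not consumed.
        """
        need = LEVELS[level]
        if self.entropy_bits < need:
            raise InsufficientEntropy(
                f"{level} requires {need} bits, pool has {self.entropy_bits}")
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        return out[:n]
```

A "meh" request succeeds on a freshly seeded pool with 32 bits, a "high-value" request raises until the estimate reaches 128 bits, and after that any number of outputs can be drawn.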