[Cryptography] OpenSSL and random
Bill Frantz
frantz at pwpconsult.com
Fri Dec 2 21:26:58 EST 2016
On 12/2/16 at 3:24 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:
>Ray Dillinger <bear at sonic.net> writes:
>
>>For those who don't chase email links ever, or who do but didn't recognize
>>the above host so refrained, the short version of the story is that
>>getrandom() blocks unless sufficient initial entropy has been collected, but
>>is nonblocking forever after. Which is, IMO, the right thing.
>
>As others have pointed out, it's not the right thing, because it turns
>getrandom() into make_application_crash_at_random() (if your application hangs
>then to users it's crashed, no matter what you may want to call it). Would
>you want to ship a product to customers that calls
>make_application_crash_at_random()?
This is the wrong characterization of the problem. Once getrandom() has been seeded, it will remain seeded until the computer is rebooted, and not cause hangs. The hangs are far from random since they only occur soon after boot. What we actually have is that if a program which uses getrandom() is run too soon, it will hang. If it is a critical part of the boot process, the system boot is likely not to complete. If it is not a critical part, it is likely that getrandom() will be seeded by other activity and the program will finish. Here the details of how randomness is collected and accounted for are critical. Those details are the proper area of the system integrators.

As a practical matter, for those systems which have hardware random sources, which I think includes all modern x86 chips, this is not a problem. getrandom() will not block for long. As John points out, it can also be made a non-problem if there is a sound card and a number of other UI devices. The most common systems that may have a problem are Raspberry Pis, Beaglebones, and many IoT devices.

In mitigating these problems, it may be useful to consider when what John calls "squish" is good enough. Clearly it isn't good enough for generating long-term SSH keys, but is it good enough for randomizing hash tables? Can we use a weaker source of random bits for these less critical cases which can be made available before the random pool has been properly initialized?
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
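Bill's closing question, whether a weaker source can cover the low-stakes cases before the pool is initialised, as an added C example that is not from the thread: getrandom() is called with GRND_NONBLOCK so the caller is told the pool is unseeded (EAGAIN) instead of hanging early in boot, and only callers that opt in for things like hash-table seeds get the "squish" substitute. The rand_status enum, weak_seed() and the allow_weak policy are my own assumptions, not anything from the kernel or OpenSSL.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001   /* value from <linux/random.h> */
#endif
enum rand_status { RAND_OK, RAND_UNSEEDED, RAND_WEAK, RAND_ERROR };
/* Raw syscall so this builds on glibc versions that lack <sys/random.h>. */
static long sys_getrandom(void *buf, size_t n, unsigned flags) {
#ifdef SYS_getrandom
    return syscall(SYS_getrandom, buf, n, flags);
#else
    (void)buf; (void)n; (void)flags; errno = ENOSYS; return -1;
#endif
}
/* "Squish" (constructed here): a non-cryptographic seed mixed from timers, pid
   and a stack address through splitmix64. Hash-table randomisation only, never keys. */
static void weak_seed(unsigned char *buf, size_t n) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    uint64_t x = (uint64_t)ts.tv_nsec ^ ((uint64_t)ts.tv_sec << 32)
               ^ ((uint64_t)getpid() << 16) ^ (uint64_t)(uintptr_t)&ts;
    for (size_t i = 0; i < n; i++) {
        x += 0x9E3779B97F4A7C15ULL;
        uint64_t z = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
        z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
        buf[i] = (unsigned char)(z ^ (z >> 31));
    }
}
/* Never blocks. For key material (allow_weak == 0) an unseeded pool is reported as
   RAND_UNSEEDED so the caller can wait or fail loudly; for low-stakes uses
   (allow_weak != 0) the weak seed is substituted and the caller is told via RAND_WEAK. */
enum rand_status get_random_nonblocking(unsigned char *buf, size_t n, int allow_weak) {
    size_t got = 0;
    while (got < n) {
        long r = sys_getrandom(buf + got, n - got, GRND_NONBLOCK);
        if (r >= 0) { got += (size_t)r; continue; }
        if (errno == EINTR) continue;
        if (errno != EAGAIN) return RAND_ERROR;    /* e.g. ENOSYS on a pre-3.17 kernel */
        if (!allow_weak) return RAND_UNSEEDED;     /* pool not yet initialised */
        weak_seed(buf, n);
        return RAND_WEAK;
    }
    return RAND_OK;
}
```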