[Cryptography] OpenSSL and random

Bill Frantz frantz at pwpconsult.com
Fri Dec 2 21:26:58 EST 2016


On 12/2/16 at 3:24 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:

>Ray Dillinger <bear at sonic.net> writes:
>
>>For those who don't chase email links ever, or who do but didn't recognize
>>the above host so refrained, the short version of the story is that
>>getrandom() blocks unless sufficient initial entropy has been collected, but
>>is nonblocking forever after.  Which is, IMO, the right thing.
>
>As others have pointed out, it's not the right thing, because it turns
>getrandom() into make_application_crash_at_random() (if your application hangs
>then to users it's crashed, no matter what you may want to call it).  Would
>you want to ship a product to customers that calls
>make_application_crash_at_random()?

This is the wrong characterization of the problem. Once 
getrandom() has been seeded, it will remain seeded until the 
computer is rebooted, and not cause hangs. The hangs are far 
from random since they only occur soon after boot. What we 
actually have is that if a program which uses getrandom() is run 
too soon, it will hang. If it is a critical part of the boot 
process, the system boot is likely not to complete. If it is 
not a critical part, it is likely that getrandom() will be 
seeded by other activity and the program will finish. Here the 
details of how randomness is collected and accounted for are 
critical. Those details are the proper area of the system integrators.

As a practical matter, for those systems which have hardware 
random sources, which I think includes all modern x86 chips, 
this is not a problem. getrandom() will not block for long. As 
John points out, it can also be made a non-problem if there is a 
sound card and a number of other UI devices. The most common 
systems that may have a problem are Raspberry Pis, Beaglebones, 
and many IoT devices.

In mitigating these problems, it may be useful to consider when 
what John calls "squish" is good enough. Clearly it isn't good 
enough for generating long-term SSH keys, but is it good enough 
for randomizing hash tables? Can we use a weaker source of 
random bits for these less critical cases which can be made 
available before the random pool has been properly initialized?

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
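One way to turn the distinction drawn in the last paragraph of the message (long-term keys must wait for a seeded pool; a hash-table seed may use "squish") into a program-level policy, as an added example that is not part of the original message, of OpenSSL, or of any project discussed in the thread. It uses the documented getrandom() semantics: with flags = 0 the call blocks only until the kernel pool is first seeded; with GRND_NONBLOCK it fails with EAGAIN instead of blocking, which is exactly the "run too soon after boot" condition. Non-critical callers probe with GRND_NONBLOCK and, on EAGAIN, fall back to weak material mixed from the clock, the pid and a stack address. The enum names, the SplitMix64 mixer and the choice of squish inputs are my assumptions; GRND_INSECURE is a later kernel addition (Linux 5.6) that did not exist when this message was written and is only tried if the headers define it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>

/* Illustrative names: how the caller intends to use the bytes. */
enum rand_purpose {
    RAND_CRITICAL,    /* long-term keys: wait for a seeded kernel pool */
    RAND_NONCRITICAL  /* hash-table seeds and the like: "squish" will do */
};

/* Illustrative names: which source actually satisfied the request. */
enum rand_source {
    SRC_KERNEL_SEEDED,   /* getrandom() from an initialised pool */
    SRC_KERNEL_INSECURE, /* getrandom(GRND_INSECURE), Linux >= 5.6 only */
    SRC_SQUISH,          /* userspace mix of clock, pid and an address */
    SRC_ERROR            /* getrandom() failed for a reason other than "too early" */
};

/* SplitMix64 output mixer (assumed choice): spreads the weak seed words
 * over the buffer. It adds no entropy of its own. */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* "Squish": available at any point after boot, but guessable by a local
 * attacker. Fine for a hash-table seed that only has to hold until the
 * process exits; never for a key. */
static void squish_fill(unsigned char *buf, size_t len)
{
    static uint64_t counter;               /* keeps successive calls distinct */
    uint64_t state = (uint64_t)time(NULL);
    state ^= (uint64_t)clock() << 17;
    state ^= (uint64_t)getpid() << 32;
    state ^= (uint64_t)(uintptr_t)&state;  /* stack address, ASLR permitting */
    state ^= ++counter;
    uint64_t x = 0;
    for (size_t i = 0; i < len; i++) {
        if (i % 8 == 0)
            x = splitmix64(&state);
        buf[i] = (unsigned char)(x >> (8 * (i % 8)));
    }
}

/* Call getrandom() until the buffer is full. Returns 0, or -1 with errno
 * set; EAGAIN means the pool is not yet initialised. */
static int getrandom_all(unsigned char *buf, size_t len, unsigned int flags)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, flags);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)n;
    }
    return 0;
}

/* Critical requests block until the pool is seeded (once per boot).
 * Non-critical requests never block and report which source was used. */
enum rand_source fill_random(unsigned char *buf, size_t len, enum rand_purpose purpose)
{
    if (purpose == RAND_CRITICAL)
        return getrandom_all(buf, len, 0) == 0 ? SRC_KERNEL_SEEDED : SRC_ERROR;

    /* Non-blocking probe: succeeds exactly when a blocking call would not hang. */
    if (getrandom_all(buf, len, GRND_NONBLOCK) == 0)
        return SRC_KERNEL_SEEDED;
    if (errno != EAGAIN)
        return SRC_ERROR;

    /* EAGAIN: we were run too soon after boot. */
#ifdef GRND_INSECURE
    /* Kernels that know the flag hand out the unseeded pool; older ones
     * reject it with EINVAL and we fall through to squish. */
    if (getrandom_all(buf, len, GRND_INSECURE) == 0)
        return SRC_KERNEL_INSECURE;
#endif
    squish_fill(buf, len);
    return SRC_SQUISH;
}

/* Example consumer: a per-process hash-table seed, allowed to use squish. */
uint64_t hashtable_seed(void)
{
    unsigned char b[8];
    uint64_t seed = 0;
    fill_random(b, sizeof b, RAND_NONCRITICAL);   /* never blocks */
    memcpy(&seed, b, sizeof seed);
    return seed;
}

int main(void)
{
    unsigned char key[32];
    enum rand_source src = fill_random(key, sizeof key, RAND_CRITICAL);
    printf("key bytes: %s\n", src == SRC_KERNEL_SEEDED ? "seeded kernel pool" : "error");
    printf("hash seed: 0x%016llx\n", (unsigned long long)hashtable_seed());
    return src == SRC_KERNEL_SEEDED ? 0 : 1;
}
```

Build on Linux with cc -o randpolicy randpolicy.c. On a machine that has been up for a while both paths come from the seeded pool; on a freshly booted board with no hardware source only the non-critical path returns before the pool is seeded, and the returned enum tells the caller that it got squish. The caveat is the one the message implies: squish protects a hash table against a remote attacker who cannot observe the process, not against a local one, so a consumer that later needs a key must issue a fresh RAND_CRITICAL request rather than reuse the weak bytes.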


