[Cryptography] OpenSSL and random

Ray Dillinger bear at sonic.net
Sat Dec 3 01:11:02 EST 2016



On 12/02/2016 06:26 PM, Bill Frantz wrote:

> In mitigating these problems, it may be useful to consider when what
> John calls "squish" is good enough. Clearly it isn't good enough for
> generating long-term SSH keys, but is it good enough for randomizing
> hash tables? Can we use a weaker source of random bits for these less
> critical cases which can be made available before the random pool has
> been properly initialized?

I don't think we need to provide a special device to interface with "low
quality randomness."  The system libraries of every development
environment that exists have got it covered and people do use those
library calls when they're not doing crypto.

When you need faux nondeterminism for non-security purposes, the normal
thing to do is to seed the PRNG from your standard library ("random" in
C++ for example) with some transient value like the time or whatever,
and get a sequence of numbers.

The Mersenne Twister, Lagged-Fibonacci generators, the modular sum of
three linear congruential generators, Arcfour, etc - whatever the
library provides.  These sources are repeatable and predictable (most of
them _easily_ predictable).  They are the wrong thing for cryptography,
but still entirely adequate for hash tables, simulations, etc.

And now that I think of it, I haven't seen anyone mistakenly using
those generators for cryptography for at least a few years.  **

I used to have to gently inform people that using the "random()" PRNG
for crypto purposes was a mistake about once a month, but I think this
is a lesson that has finally filtered down to the rank & file.  So, um, yay?
Also passwords are averaging 1.5 to 3 characters longer than they were
in 1985.  They're getting there in baby steps....

				Bear

**There's been an instance where I had to tell someone that
   their online gambling games needed real randomness too,
   and then the bridge tournament shuffling program that got
   broken last year.  So we still see library PRNGs being
   misused in security contexts, but that's not exactly crypto.
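The point Bear makes (library PRNGs are fine for hash tables and simulations, but seeding one from the clock and dealing cards with it is exactly the gambling/shuffling mistake in the footnote) is easy to show concretely. The following is an added example, not code from the original post or the list: a constructed `WeakDealer` seeds CPython's `random.Random` (a Mersenne Twister) with a Unix timestamp, an attacker who sees one hand and knows roughly when the dealer started brute-forces the seed over a time window and predicts the next hand, and a `StrongDealer` shows the correct alternative using `random.SystemRandom` (backed by `os.urandom`). The seed value and the one-hour window are assumptions chosen for the demonstration.

```python
import random
import time


class WeakDealer:
    """The mistake: a library PRNG (Mersenne Twister) seeded with the
    startup time. Every hand it deals is a pure function of that seed."""

    def __init__(self, seed):
        self._rng = random.Random(seed)  # deterministic, repeatable

    def deal(self, n):
        deck = list(range(52))
        self._rng.shuffle(deck)  # Fisher-Yates driven by the MT stream
        return deck[:n]


class StrongDealer:
    """The fix for a security context: draw from the OS CSPRNG instead.
    SystemRandom has the same shuffle() API but reads os.urandom()."""

    def __init__(self):
        self._rng = random.SystemRandom()

    def deal(self, n):
        deck = list(range(52))
        self._rng.shuffle(deck)
        return deck[:n]


def recover_seed(observed_hand, approx_start, window):
    """Attacker view: try every timestamp within +/- window seconds of
    the guessed start time and return the seed whose first hand matches
    the one we saw at the table. With a 7-card hand (52P7 ~ 6.7e11
    orderings) a false match inside a one-hour window is negligible."""
    n = len(observed_hand)
    for candidate in range(approx_start - window, approx_start + window + 1):
        if WeakDealer(candidate).deal(n) == observed_hand:
            return candidate
    return None


def predict_next_hand(seed, hands_already_dealt, n):
    """Replay the dealer from the recovered seed past the hands we have
    already seen; the next deal is now fully known in advance."""
    replay = WeakDealer(seed)
    for _ in range(hands_already_dealt):
        replay.deal(n)
    return replay.deal(n)


def demo(seed=1480723862, clock_error=1234, window=3600, n=7):
    """Constructed scenario: the dealer started at `seed` (a Dec 2016
    Unix timestamp, assumed); the attacker's guess is off by
    `clock_error` seconds and they search one hour either side."""
    dealer = WeakDealer(seed)
    first_hand = dealer.deal(n)                  # what the attacker observes
    recovered = recover_seed(first_hand, seed + clock_error, window)
    predicted = predict_next_hand(recovered, 1, n)
    actual = dealer.deal(n)                      # what the dealer really deals
    return recovered, predicted, actual


if __name__ == "__main__":
    recovered, predicted, actual = demo()
    print("recovered seed:", recovered)
    print("predicted next hand:", predicted)
    print("actual next hand:   ", actual)
    print("prediction correct:", predicted == actual)
    # Same API, unpredictable output: nothing to brute-force here.
    print("StrongDealer hand:", StrongDealer().deal(7))
```

The search cost is one 52-card shuffle per candidate second, so a window of a day or a month is still trivial on a laptop; the only thing that makes `StrongDealer` different is that its shuffle is driven by entropy the attacker cannot enumerate. For a hash table or a Monte Carlo run the `WeakDealer` construction is perfectly adequate, which is the distinction the post is drawing.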
