[Cryptography] [FORGED] Re: OpenSSL and random

Bill Cox waywardgeek at gmail.com
Tue Nov 29 17:00:27 EST 2016


On Tue, Nov 29, 2016 at 10:20 AM, Salz, Rich <rsalz at akamai.com> wrote:

>
> > Real developers are not generally crypto geeks.  They need an alarm bell
> like this to go off to let them know when something is wrong.
>
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
>
> Servers do not have keyboards or screens that can be scraped for a source
> of entropy.
>

I'll stick with my current advice: Nothing needs to change in OpenSSL when
running on Linux until something first changes in Linux.

Here's a pretty good article on /dev/urandom
<http://www.2uo.de/myths-about-urandom/>, which strongly advocates for
moving to using /dev/urandom for crypto.  However, it includes this
statement:

"FreeBSD does the right thing: they don't have the distinction between
/dev/random and /dev/urandom, both are the same device. At startup
/dev/random blocks once until enough starting entropy has been gathered.
Then it won't block ever again."

This is the correct behavior.  If you switch to using /dev/urandom on Linux
now, we'll likely see more OpenWRT-like PWNing.  I can't recommend that.
This is a Linux flaw, and reading from /dev/random remains the simplest
work-around.  A less simple work-around would be to read from /dev/random
for some number of bits (>= 256?) and then switch to /dev/urandom.  This is
not perfect, but better than just reading from /dev/random, while remaining
secure on Linux while being a noop on FreeBSD.

Bill
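The "read from /dev/random for some number of bits, then switch to /dev/urandom" scheme from the post, as an added example (not code from the post, from OpenSSL or from any project): the class, the 256-bit quota constant and the device paths are assumptions of mine, and `simulate` runs the reader over constructed stand-in files so the hand-over point is visible without touching the real devices.

```python
import os
import tempfile

SEED_BYTES = 256 // 8  # the ">= 256 bits" figure from the post, as bytes


class SeededReader:
    """Serve the first SEED_BYTES from the blocking device, everything after
    that from the non-blocking one.  Paths are parameters so the same logic
    can be exercised against constructed files (see simulate below)."""

    def __init__(self, blocking_dev="/dev/random", nonblocking_dev="/dev/urandom"):
        self.blocking_dev = blocking_dev
        self.nonblocking_dev = nonblocking_dev
        self.taken_from_blocking = 0  # bytes already consumed from the blocking device

    @staticmethod
    def _read_exact(path, n):
        # read(2) on a character device may return fewer bytes than requested; loop.
        fd = os.open(path, os.O_RDONLY)
        try:
            buf = bytearray()
            while len(buf) < n:
                chunk = os.read(fd, n - len(buf))
                if not chunk:
                    raise EOFError(f"{path}: short read, got {len(buf)} of {n} bytes")
                buf += chunk
            return bytes(buf)
        finally:
            os.close(fd)

    def read(self, n):
        """Return n bytes; only the part that fills the seed quota can block."""
        quota_left = max(SEED_BYTES - self.taken_from_blocking, 0)
        from_blocking = min(n, quota_left)
        out = self._read_exact(self.blocking_dev, from_blocking) if from_blocking else b""
        self.taken_from_blocking += from_blocking
        if n > from_blocking:  # quota met: the remainder comes from the non-blocking device
            out += self._read_exact(self.nonblocking_dev, n - from_blocking)
        return out


def simulate(requests, blocking_fill=b"R", nonblocking_fill=b"U"):
    """Run the reader over constructed files (stand-ins for the two devices) and
    return the bytes served per request, so the switch-over point can be checked."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, fill in (("blocking", blocking_fill), ("nonblocking", nonblocking_fill)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(fill * (sum(requests) + 1))  # constructed, not real entropy
            paths.append(path)
        reader = SeededReader(*paths)
        return [reader.read(n) for n in requests]
```

On Linux 3.17 and later, getrandom(2) called with flags 0 blocks once until the kernel pool is initialised and never again, which is the FreeBSD behaviour the post quotes; the device-file version above is the fallback where that call is not available.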