[Cryptography] [FORGED] Re: OpenSSL and random
waywardgeek at gmail.com
Tue Nov 29 17:00:27 EST 2016
On Tue, Nov 29, 2016 at 10:20 AM, Salz, Rich <rsalz at akamai.com> wrote:
> > Real developers are not generally crypto geeks. They need an alarm bell
> > like this to go off to let them know when something is wrong.
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
> Servers do not have keyboards or screens that can be scraped for a source
> of entropy.
I'll stick with my current advice: Nothing needs to change in OpenSSL when
running on Linux until something first changes in Linux.
Here's a pretty good article on /dev/urandom
<http://www.2uo.de/myths-about-urandom/>, which strongly advocates for
moving to using /dev/urandom for crypto. However, it includes this:
"FreeBSD does the right thing: they don't have the distinction between
/dev/random and /dev/urandom, both are the same device. At startup
/dev/random blocks once until enough starting entropy has been gathered.
Then it won't block ever again."
This is the correct behavior. If you switch to using /dev/urandom on Linux
now, we'll likely see more OpenWRT-like PWNing. I can't recommend that.
This is a Linux flaw, and reading from /dev/random remains the simplest
work-around. A less simple work-around would be to read from /dev/random
for some number of bits (>= 256?) and then switch to /dev/urandom. This is
not perfect, but better than just reading from /dev/random, while remaining
secure on Linux while being a noop on FreeBSD.
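The two-step work-around described in the last paragraph (take the first 256 bits from /dev/random, which on Linux blocks until the kernel pool is initialised, then switch to /dev/urandom), written out as an added C example. This is not OpenSSL's code or the poster's; the helper names read_full, get_random_bytes and self_check are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define SEED_BYTES 32   /* the ">= 256 bits" the post suggests drawing from /dev/random */

/* Read exactly n bytes from path; retries short reads and EINTR.
 * Returns 0 on success, -1 on open failure, I/O error or unexpected EOF. */
static int read_full(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    for (size_t got = 0; got < n;) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;            /* a signal interrupted a (possibly blocking) read */
        if (r <= 0) {            /* error, or EOF from something that is not a device */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* The post's two-step scheme (hypothetical helper, not OpenSSL's code): the first
 * SEED_BYTES come from /dev/random, which on Linux blocks until the pool is initialised;
 * every later byte comes from the never-blocking /dev/urandom. On FreeBSD both paths
 * are one device, so this degrades to a plain read. Not thread-safe. */
int get_random_bytes(unsigned char *buf, size_t n)
{
    static size_t blocking_left = SEED_BYTES;   /* bytes still owed to /dev/random */
    size_t k = n < blocking_left ? n : blocking_left;
    if (k > 0 && read_full("/dev/random", buf, k) != 0)
        return -1;
    blocking_left -= k;
    return n > k ? read_full("/dev/urandom", buf + k, n - k) : 0;
}

/* Self-check: two draws must both succeed and must differ. Returns 1 on success. */
int self_check(void)
{
    unsigned char a[16], b[16];
    if (get_random_bytes(a, sizeof a) != 0 || get_random_bytes(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```

On Linux 3.17 and later the getrandom(2) syscall with flags set to 0 performs the same wait for pool initialisation in the kernel, without opening two devices.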