[Cryptography] OpenSSL and random

Ray Dillinger bear at sonic.net
Wed Nov 30 13:23:06 EST 2016



On 11/30/2016 02:56 AM, Mark Steward wrote:

> 
> Before you hit reply again, go read
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c6e9d6f3

I know it wasn't me you were replying to, but thank you.  I did not know
that.  I have (and up to now have been recommending) code which does the
same thing by checking to see if /dev/random is blocking then reading
/dev/urandom.  Now I will start using this interface instead.

For those who don't chase email links ever, or who do but didn't
recognize the above host so refrained, the short version of the story is
that getrandom() blocks unless sufficient initial entropy has been
collected, but is nonblocking forever after.  Which is, IMO, the right
thing.  I would happily alias urandom to this, but as TT pointed out in
the checkin, changing the behavior of urandom could break userspace
programs.

As written, it regards 128 bits as sufficient initial entropy.  That's
striking a "reasonable" balance between being usable very early and
having enough bits to generate secure keys.  I can think of about three
reasons why I'd prefer to see it at 256 or 384 bits instead (256 at
minimum if we are moving into a post-Quantum Cryptanalysis world), but
the 128 bits is sufficient at this time for generating that very first
key, and after that (in the nonblocking state) the pool does continue to
collect bits from a variety of sources.  Subsequent keys will benefit
from the unpredictability of those additional bits.

				Bear
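As an added example (not code from the message or its author), here is how the getrandom() behaviour Bear describes looks in C: the call blocks only until the kernel pool has collected its initial entropy, never afterwards, and a non-blocking probe replaces the old "is /dev/random blocking?" test. The function names, the ENOSYS fallback to /dev/urandom for kernels that predate the syscall, and the use of raw syscall() rather than a libc wrapper are my assumptions.

```c
#define _GNU_SOURCE            /* syscall() in <unistd.h> */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif
/* Read exactly `len` bytes from /dev/urandom; 0 on success, -1 on error. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (size_t got = 0; got < len; ) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    return close(fd);
}
/* Fill `buf` via getrandom(2), flags = 0: blocks until the pool has its
 * initial 128 bits of entropy, never afterwards. Falls back to /dev/urandom
 * when the syscall is missing (kernel < 3.17) or off Linux. 0 ok, -1 error. */
int secure_random_bytes(unsigned char *buf, size_t len)
{
#if defined(__linux__) && defined(SYS_getrandom)
    size_t got = 0;
    while (got < len) {
        long n = syscall(SYS_getrandom, buf + got, len - got, 0);
        if (n < 0 && errno == EINTR) continue;  /* interrupted: retry */
        if (n < 0 && errno == ENOSYS) break;    /* old kernel: fall back */
        if (n < 0) return -1;
        got += (size_t)n;
    }
    if (got == len) return 0;
#endif
    return fill_from_urandom(buf, len);
}
/* Non-blocking probe: 1 = seeded, 0 = would still block, -1 = no syscall.
 * Replaces the "is /dev/random blocking?" check from the message. */
int pool_is_seeded(void)
{
#if defined(__linux__) && defined(SYS_getrandom)
    unsigned char probe;
    if (syscall(SYS_getrandom, &probe, 1, 0x0001 /* GRND_NONBLOCK */) == 1) return 1;
    if (errno == EAGAIN) return 0;
#endif
    return -1;
}
```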


