[Cryptography] OpenSSL CSPRNG work

Ron Garret ron at flownet.com
Tue Jun 27 20:44:02 EDT 2017


On Jun 27, 2017, at 10:42 AM, Nemo <nemo at self-evident.org> wrote:

> "Salz, Rich" <rsalz at akamai.com> writes:
> 
>> We're starting to work on a new CSPRNG for OpenSSL release 1.1.1 (the
>> main point of that release is TLS 1.3, so we think it will have a lot
>> of uptake).
> 
> Have you read "Cryptographic Right Answers" from Thomas Ptacek, who
> actually knows what he is talking about?
> 
> https://gist.github.com/tqbf/be58d2d39690c3b366ad
> 
>    Use /dev/urandom.
> 
>    Avoid: userspace random number generators, havaged, prngd, egd,
>    /dev/random
> 
> Why on earth would you put something as critical as random number
> generation into some complex userspace monstrosity?
> 
> I am fairly confident you will ignore this advice, but could you please
> do me one small favor? Go ask on crypto.stackexchange.com and see what
> kind of response you get

Thomas may know what he’s talking about, but his advice is based on some tacit assumptions which may not always be true, and which a reasonable person might choose not to accept.

Thomas’s argument is: there are a zillion ways to screw up a CSPRNG, so it’s best to just have one very carefully vetted implementation that everyone uses.  That is /dev/urandom.

It’s a reasonable argument if you’re a security expert, less so if you’re a user.  If you’re a security expert you know how to vet your /dev/urandom, so if everyone uses /dev/urandom you have now eliminated multiple possible points of failure.  If you’re a user, you have either N vendors (one for each of your security-dependent applications) or N+1 vendors (one for each of your security-dependent applications plus one for your /dev/urandom driver).  If you have the choice of trusting N vendors vs trusting N+1 vendors it is not unreasonable to choose the former, particularly if N is small.

rg


