[Cryptography] OpenSSL CSPRNG work
Ron Garret
ron at flownet.com
Tue Jun 27 20:44:02 EDT 2017
On Jun 27, 2017, at 10:42 AM, Nemo <nemo at self-evident.org> wrote:
> "Salz, Rich" <rsalz at akamai.com> writes:
>
>> We're starting to work on a new CSPRNG for OpenSSL release 1.1.1 (the
>> main point of that release is TLS 1.3, so we think it will have a lot
>> of uptake).
>
> Have you read "Cryptographic Right Answers" from Thomas Ptacek, who
> actually knows what he is talking about?
>
> https://gist.github.com/tqbf/be58d2d39690c3b366ad
>
> Use /dev/urandom.
>
> Avoid: userspace random number generators, havaged, prngd, egd,
> /dev/random
>
> Why on earth would you put something as critical as random number
> generation into some complex userspace monstrosity?
>
> I am fairly confident you will ignore this advice, but could you please
> do me one small favor? Go ask on crypto.stackexchange.com and see what
> kind of response you get.
Thomas may know what he’s talking about, but his advice is based on some tacit assumptions which may not always be true, and which a reasonable person might choose not to accept.
Thomas’s argument is: there are a zillion ways to screw up a CSPRNG, so it’s best to just have one very carefully vetted implementation that everyone uses. That is /dev/urandom.
It’s a reasonable argument if you’re a security expert, less so if you’re a user. If you’re a security expert you know how to vet your /dev/urandom, so if everyone uses /dev/urandom you have now eliminated multiple possible points of failure. If you’re a user, you have either N vendors (one for each of your security-dependent applications) or N+1 vendors (one for each of your security-dependent applications plus one for your /dev/urandom driver). If you have the choice of trusting N vendors vs trusting N+1 vendors it is not unreasonable to choose the former, particularly if N is small.
rg
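The "use /dev/urandom" advice quoted above is often implemented with a single unchecked read(), which silently returns fewer bytes than asked for or fails on EINTR. As an added example (not code from this thread or from OpenSSL), here is a minimal consumer of the kernel CSPRNG that handles those two cases and fails closed; the function names fill_random and random_self_check are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_CLOEXEC
#define O_CLOEXEC 0   /* older headers: lose close-on-exec, keep compiling */
#endif

/* Fill buf with len bytes from the kernel CSPRNG (/dev/urandom).
 * Returns 0 on success, -1 on any failure. A caller must treat -1 as
 * fatal and must never fall back to a weaker source such as time(). */
int fill_random(void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd;

    /* O_CLOEXEC so the descriptor does not leak into child processes. */
    do {
        fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    } while (fd < 0 && errno == EINTR);
    if (fd < 0)
        return -1;

    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted by a signal: retry */
            close(fd);
            return -1;
        }
        if (n == 0) {              /* EOF from /dev/urandom: refuse to continue */
            close(fd);
            return -1;
        }
        p += n;                    /* short read: loop until len bytes arrive */
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Self-check: two 32-byte draws must both succeed and must differ.
 * Returns 1 on success, 0 otherwise. */
int random_self_check(void)
{
    unsigned char a[32], b[32];
    if (fill_random(a, sizeof a) != 0 || fill_random(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```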