[Cryptography] OpenSSL CSPRNG work

Wed Jun 28 18:36:07 EDT 2017

On 28/06/2017 02:44, Ron Garret wrote:

> On Jun 27, 2017, at 10:42 AM, Nemo <nemo at self-evident.org> wrote:
>
>> "Salz, Rich" <rsalz at akamai.com> writes:
>>
>>> We're starting to work on a new CSPRNG for OpenSSL release 1.1.1 (the
>>> main point of that release is TLS 1.3, so we think it will have a lot
>>> of uptake).
>> Have you read "Cryptographic Right Answers" from Thomas Ptacek, who
>> actually knows what he is talking about?
>>
>> https://gist.github.com/tqbf/be58d2d39690c3b366ad
>>
>>     Use /dev/urandom.
>>
>>     Avoid: userspace random number generators, havaged, prngd, egd,
>>     /dev/random
>>
>> Why on earth would you put something as critical as random number
>> generation into some complex userspace monstrosity?
>>
>> I am fairly confident you will ignore this advice, but could you please
>> do me one small favor? Go ask on crypto.stackexchange.com and see what
>> kind of response you get
> Thomas may know what he’s talking about, but his advice is based on some tacit assumptions which may not always be true, and which a reasonable person might choose not to accept.
>
> Thomas’s argument is: there are a zillion ways to screw up a CSPRNG, so it’s best to just have one very carefully vetted implementation that everyone uses.  That is /dev/urandom.
>
> It’s a reasonable argument if you’re a security expert, less so if you’re a user.  If you’re a security expert you know how to vet your /dev/urandom, so if everyone uses /dev/urandom you have now eliminated multiple possible points of failure.  If you’re a user, you have either N vendors (one for each of your security-dependent applications) or N+1 vendors (one for each of your security-dependent applications plus one for your /dev/urandom driver).  If you have the choice of trusting N vendors vs trusting N+1 vendors it is not unreasonable to choose the former, particularly if N is small.

I would say precisely the reverse.  If you're a security expert you have 
a good chance in hell of doing a good PRNG.  If you're a user you have 
no chance.

I use chance here quite productively - hashes and encryption algorithms 
are delivered with testing numbers, so as long as you get the numbers to 
work, you're in good company.  Literally.  Users can do this.

Whereas PRNGs come with no good numbers.  There is no objective positive 
test.  There are only negative tests.  So the only way to know your PRNG 
is good is with a lot of care, and reference to the state of the art in 
thinking about PRNGs.

This is not for users.  For them, trusting a platform is far far safer, 
by orders of magnitude.

Now, you say now they are at the mercy of platforms.  This is true. But 
this mercy scales.  Millions of users will be dependent, and will 
observe and will yell loudly and get it fixed.  Each platform. And, 
those fixes will flow to all the other millions without them noticing.

I'm with Thomas on this one.  Both of them, and a host of others.

http://iang.org/ssl/hard_truths_hard_random_numbers.html
https://www.2uo.de/myths-about-urandom/
https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

iang