[Cryptography] OpenSSL CSPRNG work

Nemo nemo at self-evident.org
Wed Jun 28 18:55:14 EDT 2017


John Denker <jsd at av8n.com> writes:

> Current reality ain't that simple.  Not even close.

Actually, it is...

> The xenial 16.04 LTS manpage for getrandom(2) says quite explicitly:
>
>>> Unnecessarily reading large quantities  of data will have a
>>> negative impact on other users of the /dev/random and /dev/urandom
>>> devices.
>
> And that's an understatement.  Whether unnecessary or not, reading
> not-particularly-large quantities of data is tantamount to a
> denial of service attack against /dev/random and against its
> upstream sources of randomness.

Nonsense. Default behavior of getrandom() is to pull from the
/dev/urandom (i.e. cryptographic pseudo-random) pool, not the
/dev/random pool. No amount of reading from /dev/urandom is going to
deny service to other processes reading /dev/urandom.

Seeding the generation of session keys and the like is precisely what
/dev/urandom / getrandom() is for. If it is not useful for this purpose,
it is not useful, period.

Rich Salz says he is worried about system call overhead. Modern systems
are much, much better about this than your typical 1985 SunOS box; I
doubt it would even be measurable relative to the overhead of using
OpenSSL in the first place. But if you are really worried, read blocks
of 256 or 1024 or 4096 bytes from getrandom() and parcel them out in
pieces. (Yes above 256 you would have to handle EINTR and loop, just
like every call to read() in every production Unix application ever.)

Of course, the only reason even to use getrandom() instead of
/dev/urandom is Linux's laughable misdesign of handing out bytes before
the generator was properly seeded. But, you know, here we are.

I do not much care what you do for older platforms, because the set of
systems running 10-year-old OSes that are going to install the
next-generation OpenSSL is empty.

Anyway... Whatever clever user-space machinery you come up with, can you
please just disable it completely by default on any system with
getrandom() / getentropy()? TIA

 - Nemo
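The block-and-parcel approach Nemo describes (read 256, 1024 or 4096 bytes from getrandom() at a time, handle EINTR and short reads the same way every read() loop does, then hand the bytes out in pieces) looks like the following in C. This is an added illustration, not code from the post or from OpenSSL; it assumes a Linux system with glibc 2.25 or later, which declares getrandom() in <sys/random.h>. The names fill_random, rand_pool, rand_pool_init and rand_pool_get are chosen here for the example. getrandom() with flags 0 draws from the urandom pool and blocks only until that pool has been seeded once, which is exactly the property the post relies on.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Fill buf[0..len) from the kernel CSPRNG via getrandom(2).
 * Requests above 256 bytes may be interrupted by a signal (EINTR)
 * or return fewer bytes than asked for, so loop until full.
 * Returns 0 on success, -1 on an unrecoverable error (errno set). */
int fill_random(unsigned char *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: just retry */
            return -1;          /* e.g. ENOSYS on a pre-3.17 kernel */
        }
        got += (size_t)n;       /* short read: keep going */
    }
    return 0;
}

/* A small user-space pool: one 4096-byte block fetched from the kernel
 * and parceled out, refilled only when exhausted. Nothing is stretched
 * or expanded in user space; every byte handed out came from getrandom(). */
typedef struct {
    unsigned char block[4096];
    size_t used;                /* bytes of block already handed out */
} rand_pool;

void rand_pool_init(rand_pool *p) {
    memset(p->block, 0, sizeof p->block);
    p->used = sizeof p->block;  /* mark empty so the first get() refills */
}

/* Copy len random bytes into out. Returns 0 on success, -1 on failure. */
int rand_pool_get(rand_pool *p, unsigned char *out, size_t len) {
    while (len > 0) {
        if (p->used == sizeof p->block) {
            if (fill_random(p->block, sizeof p->block) != 0)
                return -1;
            p->used = 0;
        }
        size_t avail = sizeof p->block - p->used;
        size_t take = len < avail ? len : avail;
        memcpy(out, p->block + p->used, take);
        /* Scrub the bytes we just handed out so they are not kept around
         * in the pool after use. */
        memset(p->block + p->used, 0, take);
        p->used += take;
        out += take;
        len -= take;
    }
    return 0;
}

/* Helper: 1 if at least one byte of buf is non-zero. */
int buffer_nonzero(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 1;
    return 0;
}

/* Self-check: a direct 1024-byte fill succeeds and is not all zero. */
int demo_fill(void) {
    unsigned char buf[1024];
    if (fill_random(buf, sizeof buf) != 0)
        return 0;
    return buffer_nonzero(buf, sizeof buf);
}

/* Self-check: two 300-byte draws from the pool (which together cross
 * no block boundary, then a third that forces a refill) are non-zero
 * and differ from each other. */
int demo_pool(void) {
    rand_pool p;
    unsigned char a[300], b[300], c[4000];
    rand_pool_init(&p);
    if (rand_pool_get(&p, a, sizeof a) != 0) return 0;
    if (rand_pool_get(&p, b, sizeof b) != 0) return 0;
    if (rand_pool_get(&p, c, sizeof c) != 0) return 0;   /* triggers refill */
    if (!buffer_nonzero(a, sizeof a) || !buffer_nonzero(b, sizeof b)) return 0;
    if (memcmp(a, b, sizeof a) == 0) return 0;
    return buffer_nonzero(c, sizeof c);
}

int main(void) {
    rand_pool p;
    unsigned char key[16];
    rand_pool_init(&p);
    if (rand_pool_get(&p, key, sizeof key) != 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

The pool only amortizes system calls; it never expands the kernel's output, so its security is exactly that of getrandom() itself, which is the point of the post.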

