[Cryptography] OpenSSL CSPRNG work

Joachim Strömbergson joachim at strombergson.com
Thu Jun 29 05:43:42 EDT 2017


Aloha!

Salz, Rich via cryptography wrote:
> We’re starting to work on a new CSPRNG for OpenSSL release 1.1.1 (the
> main point of that release is TLS 1.3, so we think it will have a lot of
> uptake).

Unless FIPS compliance is a hard requirement, I would look at ChaCha as
the CSPRNG. (FWIW, we use it in the Cryptech HSM as the CSPRNG.)

Since ChaCha20 will appear due to TLS 1.3, reusing the same function makes
sense to me. ChaCha provides really good cycles/byte, allows jumping in
the stream, and can be parallelized both at the quarterround level and by
having multiple CSPRNGs generate different keystream blocks in the same
keystream.

If one would like to increase performance on modern 64-bit architectures,
the version of ChaCha by Aumasson called BlaBla might be something to
look at. Very much less analyzed and tested, though, I assume.

https://github.com/veorq/blabla

I like the suggestion to have different streams for different processes.
But I'm not sure how much protection it adds compared to the cost of doing
it in terms of context switching.

One thing we have looked at in Cryptech is to reseed with some output
from the CSPRNG. The idea is to extract some values from the CSPRNG and
then keep them until a new seed is to be created. The values are mixed
with the entropy from the entropy source (sources). This will make the
new seed depend on values extracted, created at different times. This
makes it much harder for an attacker to cause an expected effect on the
seed by attacking the entropy source prior to reseeding.

Just a thought.

Yours
JoachimS