[Cryptography] OpenSSL CSPRNG work

Nemo nemo at self-evident.org
Fri Jun 30 13:02:36 EDT 2017


Ben Laurie <benl at google.com> writes:

> If you have effective mixing, what is the problem with mixing in
> potentially non-random sources?

That depends... Might any of those sources know something about your
internal state?

    https://blog.cr.yp.to/20140205-entropy.html

But really this is just a detail. In the bigger picture, your question
itself is wrong.

For cryptographic code, every additional piece of machinery makes the
design harder to analyze rigorously. Every extra line of implementation
is just another opportunity to make a subtle mistake.

Unnecessary mechanism does not create "defense in depth"; it merely
increases the attack surface.

Since every piece of complexity is a liability, the right question is
not "Does this do any harm?", but rather "Is this necessary?" Each
additional mechanism should contribute in a clear (ideally: provable)
and meaningful (ideally: quantifiable) way to the security of the
system. Otherwise, leave it out.

Again, I humbly request that, whatever clever userspace machinery you
devise, please disable it completely by default on any system with
getrandom() / getentropy() / etc. (Key words are "by default". Sure,
provide APIs for enabling whatever you want... But by default, please
just use the system's provided mechanisms.)

 - Nemo
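As an added illustration of the "just use the system's provided mechanisms" request above (example code, not from this thread or from OpenSSL): a minimal Linux wrapper around getrandom(2) that covers the two edge cases a caller is most likely to get wrong, assuming glibc 2.25 or later with <sys/random.h>.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Fill buf[0..len) from the kernel CSPRNG via getrandom(2).
 * Returns 0 on success, -1 (with errno set) on a hard failure.
 * Handles the two cases callers often miss:
 *   - EINTR: a signal arrived while the pool was still initialising; retry.
 *   - short reads: requests larger than 256 bytes may be satisfied only
 *     partially if interrupted once the pool is ready; loop until done.
 * No userspace fallback is attempted: on a kernel without the syscall
 * (ENOSYS) the caller decides, which is the point of the request above. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;   /* interrupted before any bytes: just retry */
            return -1;      /* e.g. ENOSYS; errno is left for the caller */
        }
        got += (size_t)n;
    }
    return 0;
}

/* Self-check: draw two 512-byte buffers (above the 256-byte short-read
 * threshold) and confirm both calls succeed and the outputs differ.
 * Returns 1 on success, 0 on failure. */
int self_check(void)
{
    unsigned char a[512], b[512];
    if (fill_random(a, sizeof a) != 0) return 0;
    if (fill_random(b, sizeof b) != 0) return 0;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    int ok = self_check();
    printf("getrandom self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```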

