Another RAND question...


Another RAND question...

OpenSSLGRT

When calling RAND_pseudo_bytes is it correct that the PRNG will not give the same result even though I have the same seed (I thought if I had the same seed I could get the same results each time)?

Thank you!

 

The below produces two different random numbers:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>

int main(void)
{
    unsigned char buf1[8];
    unsigned char buf2[8];
    unsigned char prng_seed[8] =
        { 0x6b, 0xa3, 0x4f, 0x07, 0xe4, 0x2a, 0xb0, 0xc };

    RAND_cleanup();

    /* Mix the fixed seed into the PRNG state */
    RAND_seed( prng_seed, sizeof(prng_seed) );

    /* Two consecutive requests after a single seeding */
    RAND_pseudo_bytes( buf1, sizeof(buf1) );
    RAND_pseudo_bytes( buf2, sizeof(buf2) );

    for (size_t i=0; i<sizeof(buf1); i++)
        printf("%02x", buf1[i]);
    printf("\n\r");

    for (size_t i=0; i<sizeof(buf2); i++)
        printf("%02x", buf2[i]);

    RAND_cleanup();
    return 0;
}



Re: Another RAND question...

Brian Candler
On Fri, Mar 03, 2006 at 02:02:46PM -0500, OpenSSLGRT wrote:
>    When calling RAND_pseudo_bytes is it correct that the PRNG will not
>    give the same result even though I have the same seed (I thought if I
>    had the same seed I could get the same results each time)?

From 'man RAND_seed'

       RAND_add() mixes the num bytes at buf into the PRNG state.
...
       RAND_seed() is equivalent to RAND_add() when num == entropy.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Another RAND question...

OpenSSLGRT
I did see that but I think I misunderstood, so ...
I still am not sure then how I would accomplish the following:
1.) Take a seed and the known output of the PRNG with that seed.
2.) Seed the PRNG with the seed and get a RAND
3.) See if that RAND in step 2 is the same as the one in Step 1

The below always produces two different random numbers:

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>

int main(void)
{
    unsigned char buf1[8];
    unsigned char buf2[8];
    unsigned char prng_seed[8] =
        { 0x6b, 0xa3, 0x4f, 0x07, 0xe4, 0x2a, 0xb0, 0xc };

    RAND_cleanup();
    RAND_seed( prng_seed, sizeof(prng_seed) );

    RAND_pseudo_bytes( buf1, sizeof(buf1) );
    RAND_pseudo_bytes( buf2, sizeof(buf2) );

    //buf1 never equals buf2

    RAND_cleanup();
    return 0;
}



Re: Another RAND question...

Dr. Stephen Henson
On Fri, Mar 03, 2006, OpenSSLGRT wrote:

> I did see that but I think I misunderstood, so ...
> I still am not sure then how I would accomplish the following:
> 1.) Take a seed and the known output of the PRNG with that seed.
> 2.) Seed the PRNG with the seed and get a RAND
> 3.) See if that RAND in step 2 is the same as the one in Step 1
>

The standard PRNG mixes in various random sources of data at various points
and its output depends on its internal state which is affected by explicit
calls to seed it and calls to obtain random data from it.

BTW if this is for FIPS then you can't use the standard OpenSSL PRNG because
it isn't FIPS compliant, that's why there is an alternative PRNG in the FIPS
module in 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
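
Added example (not part of the original thread, and not OpenSSL code): a toy C model of the state handling described above, where a seed is mixed into existing state and every request advances that state. The names toy_prng, toy_add, toy_instantiate, toy_bytes and toy_kat are hypothetical, and the mixer is a non-cryptographic stand-in, so only the seeding behaviour carries over.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 64-bit mixer (splitmix64 finalizer). NOT cryptographic and NOT the
 * algorithm OpenSSL uses; it only makes the state handling visible. */
static uint64_t mix64(uint64_t x) {
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

typedef struct { uint64_t state; } toy_prng;   /* hypothetical type */

/* Model of "mix in" seeding, as the man page describes RAND_add/RAND_seed:
 * the seed is folded into whatever state already exists. */
static void toy_add(toy_prng *p, const unsigned char *seed, size_t n) {
    for (size_t i = 0; i < n; i++)
        p->state = mix64(p->state ^ seed[i]);
}

/* Model of a deterministic generator: instantiation discards the old
 * state, so the output is a function of the seed alone. */
static void toy_instantiate(toy_prng *p, const unsigned char *seed, size_t n) {
    p->state = 0;
    toy_add(p, seed, n);
}

/* Every request advances the state, so consecutive outputs differ. */
static void toy_bytes(toy_prng *p, unsigned char *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        p->state = mix64(p->state);
        out[i] = (unsigned char)(p->state >> 56);
    }
}

/* Known-answer check in the shape of steps 1-3 from the thread: instantiate
 * from the seed, draw once, compare with the recorded output. 1 = match. */
static int toy_kat(const unsigned char *seed, size_t sn,
                   const unsigned char *expected, size_t en) {
    unsigned char got[32];
    toy_prng p;
    if (en > sizeof got) return 0;
    toy_instantiate(&p, seed, sn);
    toy_bytes(&p, got, en);
    return memcmp(got, expected, en) == 0;
}

int main(void) {
    /* Seed bytes taken from the post */
    const unsigned char seed[8] = {0x6b,0xa3,0x4f,0x07,0xe4,0x2a,0xb0,0x0c};
    unsigned char known[8], a[8], b[8];
    toy_prng p, q;

    toy_instantiate(&p, seed, sizeof seed);
    toy_bytes(&p, known, sizeof known);   /* reference output for the KAT */
    toy_bytes(&p, b, sizeof b);           /* second draw, same seeding */
    printf("draw1 == draw2 after one seeding: %d\n", memcmp(known, b, 8) == 0);
    printf("KAT after re-instantiation:       %d\n", toy_kat(seed, 8, known, 8));

    p.state = 1; q.state = 2;  /* constructed stand-ins for state already mixed in */
    toy_add(&p, seed, sizeof seed); toy_add(&q, seed, sizeof seed);
    toy_bytes(&p, a, sizeof a); toy_bytes(&q, b, sizeof b);
    printf("same seed, different pools, equal: %d\n", memcmp(a, b, 8) == 0);
    return 0;
}
```
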

Re: Another RAND question...

OpenSSLGRT
Hi --

Thanks for the below info.

Below is some info on why I have been asking questions that are FIPS
oriented. I'd appreciate if anything you see here that is not correct you
would comment on -- we are new to FIPS process, which is, no doubt, probably
obvious if you saw my other posts :)

***We are not trying to get/make a FIPS validated version of the OpenSSL
Library -- it's our PDA app that we are hoping to get submitted to a testing
lab. That application is what we are trying to get FIPS validated. The
application will use OpenSSL but OpenSSL will not itself be validated.

We have one of the well-known FIPS consulting companies guiding us in the
process.  As we have moved through the process of preparing the application
we have had a variety of requirements. One is that we force TLS and the
correct cipher suite (3DES, RSA, SHA). We use OpenSSL 0.9.8a to accomplish
that. Since FIPS requires algorithm tests we did our own KATs for the
OpenSSL and also we must do the PRNG tests. I'd like to use OpenSSL 0.9.7
since the tests are internal there but I have to use 0.9.8a since I have
that in good working order on Windows CE 4.2 and 5.0.

***I am writing the tests outside of the OpenSSL -- I did not modify 0.9.8a
but rather when the app starts I call OpenSSL functions to do the KATs,
etc.

I am not sure what will happen with this project but the consultants we have
say that we can use OpenSSL non-FIPS version provided we do the requirements
(KATs, startup tests for the app and the openssl dlls, and PRNG tests, as
well as all the other FIPS requirements). ***I assume that is correct since
people must have gotten apps validated that used OpenSSL before OpenSSL had
a FIPS version.

With the above in mind I am trying to determine particularly how to do the
PRNG seed value test -- outside of OpenSSL like I did the KATs.

Also I am still wondering about the PRNG startup test: if I do seed, rand1,
rand2 they do not come out the same. I think the requirement is to seed and
get a rand and then to get a rand again using that seed and ensure they are
the same. They are never the same -- I am missing why that does not work?

Thank you for your time and expertise -- please comment on any of the above
as it would be greatly appreciated!

Best regards


Re: Another RAND question...

Kyle Hamilton
Ummm....

have you even looked at the FIPS testing criteria?  Have you looked at
the FIPS 140-2 standard?  Just because you have a well-known FIPS
company guiding you through the process doesn't mean you're going to
get certified -- and, in fact, they may well steer you wrong just to
collect more consulting fees.  (Which seems to be what they're doing.)

FIPS requires certain deterministic random number generation
algorithms, as well as certain ciphers.  Once you go into FIPS mode,
you cannot use anything else.  This is why the FIPS random number code
had to be added to 0.9.7 -- because the code that was already
implemented (and is implemented in 0.9.8a) isn't FIPS-compliant.

You need to look at the documents yourself, and understand what they
say.  You can't skate by on "oh, this'll pass" from another FIPS
vendor, and then get your test results back saying "you fail!".
That's not due diligence.

But, it's your checkbook.  All I can say is it took years to get
OpenSSL FIPS-certified, and it's still not completely there yet.  (All
of its technical tests passed, as far as I'm aware, but I'm not in the
loop and there's a lot of private info that's passed between the
testing companies and the vendors.)

-Kyle H


RE: SPAM-URL Re: Another RAND question...

OpenSSLGRT
Hi --

Thanks for your reply and info.

***
The part of all this that I do not understand is one key question: how was
anyone who had an app that used OpenSSL prior to OpenSSL FIPS version ever
successfully certified?
***

What I have done is compiled OpenSSL 0.9.8a for WinCE and then I use its
funcs to do work. So for example my application sets up a socket, then my
app calls funcs in the OpenSSL DLL to do work: init OpenSSL, select only
TLS, select only the allowed cipher suite, connect to the server, check the
cert, if all is OK OpenSSL funcs put the data on the wire.
This part I think is OK.

I did KATs tests by again using my app and calling OpenSSL funcs to test
OpenSSL's RSA, DES, and HMACSHA.
This part I think is OK.

The part about the PRNG is in question? How did people pre-OpenSSL FIPS get
validated when they used OpenSSL?  Did they have to modify the OpenSSL code
and add their own PRNG that would pass?

Thanks for your continued ideas on this!

p.s. you said: "All I can say is it took years to get OpenSSL
FIPS-certified, and it's still not completely there yet." Our app is much,
much simpler than OpenSSL (it just collects data on PDA in the field and
transmits it up to a server). I hope three years from now I am not saying
ahhh well at least Kyle warned us :)

Thanks again for your expertise and info!


RE: SPAM-URL Re: Another RAND question...

Richard Salz
> The part about the PRNG is in question? How did people pre-OpenSSL FIPS get
> validated when they used OpenSSL?  Did they have to modify the OpenSSL code
> and add their own PRNG that would pass?

Are there any FIPS certified apps that use openssl?

If there are any, the short answer is that yes, they replaced the
non-compliant code with code and got that certified.

Depending on how the organization, if they already had a FIPS library,
they probably ripped out most of openssl and treated the TLS library as an
application that used their own crypto.

I'm just speculating, mind you.

        /r$

--
SOA Appliance Group
IBM Application Integration Middleware
