OpenSSL › OpenSSL - User

Dual_EC_DRBG

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

5 messages Options

yustein

Dual_EC_DRBG

Hi,

Does OpenSSL use this by default, if not where do a user choose which method to use for CSPRNG?

Thanks,
Tony

Dr. Stephen Henson

Re: Dual_EC_DRBG

On Mon, Sep 23, 2013, yustein wrote:

> Hi,
>
> Does OpenSSL use this by default, if not where do a user choose which method
> to use for CSPRNG?
>

The default DRBG for OpenSSL is 256 bit AES CTR_DRBG.

The default can be changed by using the compile time flags:

-DOPENSSL_DRBG_DEFAULT_TYPE=type
-DOPENSSL_DRBG_DEFAULT_FLAG=flags

The default DRBG type can also be set at runtime before any other operations
are performed by calling:

void RAND_set_fips_drbg_type(int type, int flags);

Where "type" and "flags" have the same values as those indicated in the user
guide (section 6.1.2).

Future versions of OpenSSL will fail if an attempt is made to use the Dual EC
DRBG.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]

yustein

Re: Dual_EC_DRBG

Thanks a lot! :)

Tony

Sent from my iPhone

> On Sep 24, 2013, at 2:27 PM, "Dr. Stephen Henson" <[hidden email]> wrote:
>
>> On Mon, Sep 23, 2013, yustein wrote:
>>
>> Hi,
>>
>> Does OpenSSL use this by default, if not where do a user choose which method
>> to use for CSPRNG?
>
> The default DRBG for OpenSSL is 256 bit AES CTR_DRBG.
>
> The default can be changed by using the compile time flags:
>
> -DOPENSSL_DRBG_DEFAULT_TYPE=type
> -DOPENSSL_DRBG_DEFAULT_FLAG=flags
>
> The default DRBG type can also be set at runtime before any other operations
> are performed by calling:
>
> void RAND_set_fips_drbg_type(int type, int flags);
>
> Where "type" and "flags" have the same values as those indicated in the user
> guide (section 6.1.2).
>
> Future versions of OpenSSL will fail if an attempt is made to use the Dual EC
> DRBG.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [hidden email]
> Automated List Manager [hidden email]

smime.p7s (3K) Download Attachment

Steve Marquess-3

Re: Dual_EC_DRBG

In reply to this post by Dr. Stephen Henson

On 09/24/2013 07:27 AM, Dr. Stephen Henson wrote:
> ...
>
> Future versions of OpenSSL will fail if an attempt is made to use the Dual EC
> DRBG.

Note we're also looking into removing Dual EC DRBG from the OpenSSL FIPS
Object Module, a more difficult proposition as there are strict
restrictions on changes to FIPS 140-2 validated modules even to address
security issues.

For the typical user of the FIPS module accessing it via the "FIPS
capable" OpenSSL the presence or absence of Dual EC DRBG in the FIPS
module itself will be moot once it disappears from OpenSSL proper. But,
in a few cases the FIPS module is used directly.

Incidentally, I was the one who advocated the implementation of that
DRBG, along with the other three in SP800-90, on the grounds that a) it
was after all an official standard, b) OpenSSL already implements some
weak algorithms, and c) the deficiencies were so well known that surely
no one would be stupid enough to actually use it for any serious real
world applications. I was profoundly wrong about that.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]

yustein

Re: Dual_EC_DRBG

Thanks :)

Sent from my iPhone

On Sep 24, 2013, at 4:28 PM, "Steve Marquess-3 [via OpenSSL]" <[hidden email]> wrote:

On 09/24/2013 07:27 AM, Dr. Stephen Henson wrote:
> ...
>
> Future versions of OpenSSL will fail if an attempt is made to use the Dual EC
> DRBG.

Note we're also looking into removing Dual EC DRBG from the OpenSSL FIPS
Object Module, a more difficult proposition as there are strict
restrictions on changes to FIPS 140-2 validated modules even to address
security issues.

For the typical user of the FIPS module accessing it via the "FIPS
capable" OpenSSL the presence or absence of Dual EC DRBG in the FIPS
module itself will be moot once it disappears from OpenSSL proper. But,
in a few cases the FIPS module is used directly.

Incidentally, I was the one who advocated the implementation of that
DRBG, along with the other three in SP800-90, on the grounds that a) it
was after all an official standard, b) OpenSSL already implements some
weak algorithms, and c) the deficiencies were so well known that surely
no one would be stupid enough to actually use it for any serious real
world applications. I was profoundly wrong about that.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]

If you reply to this email, your message will be added to the discussion below:
http://openssl.6102.n7.nabble.com/Dual-EC-DRBG-tp46628p46642.html

To unsubscribe from Dual_EC_DRBG, click here.
NAML

smime.p7s (3K) Download Attachment