Seeding before RSA key generation

Seeding before RSA key generation

Andres Traumann
Hello,

In the documentation it is written: "The pseudo-random number generator
must be seeded prior to calling RSA_generate_key_ex()".

After reading the documentation in
https://wiki.openssl.org/index.php/Random_Numbers and investigating the
source code, it seems that the seeding is in fact done automatically
from /dev/random in systems that have it. Also, when examining the
source code of apps/genrsa.c there does not seem to be any explicit
seeding either.

Do I still need to explicitly seed before calling RSA_generate_key_ex?

Best
Andres

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Seeding before RSA key generation

OpenSSL - User mailing list
Which version of OpenSSL are you using?

1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded.  1.1.1 has a good random number generator and auto-seeds.


Re: Seeding before RSA key generation

OpenSSL - User mailing list
On 04/10/2018 17:14, Salz, Rich via openssl-users wrote:
> Which version of OpenSSL are you using?
>
> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded.  1.1.1 has a good random number generator and auto-seeds.
>
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
than not being an NSA/NIST design?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Seeding before RSA key generation

OpenSSL - User mailing list
> What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
> than not being an NSA/NIST design?
 
Poor locking; been known to crash.

Does not reseed.

Global across the process, rather than isolated for private-key generation or per-connection.

Mixes in getpid and time to get "better" random bytes.

Has a "pseudo-rand" feature.

Never was cryptographically evaluated.



Re: Seeding before RSA key generation

Matt Caswell-2
In reply to this post by OpenSSL - User mailing list


On 04/10/18 16:14, Salz, Rich via openssl-users wrote:
> Which version of OpenSSL are you using?
>
> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded.

This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds.
There is no need to explicitly seed it. I also wouldn't describe it as
"bad". 1.1.1 has a much better RNG, but there is no reason not to trust
and use the 1.0.2 and 1.1.0 RNG.

>  1.1.1 has a good random number generator and auto-seeds.
>

1.0.2 and 1.1.0 auto seed. 1.1.1 additionally auto-*re*seeds.

Matt

Re: Seeding before RSA key generation

OpenSSL - User mailing list
In reply to this post by OpenSSL - User mailing list
On 04/10/2018 17:38, Salz, Rich wrote:
>> What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
>> than not being an NSA/NIST design?
>    
> Poor locking; been known to crash.

Simple bug, not a reason to change the algorithm.

>
> Does not reseed.

But can be reseeded if so desired, subject to locking.

>
> Global across the process, rather than isolated for private-key generation or per-connection.

This is good, not bad.

>
> Mixes in getpid and time to get "better" random bytes.

This gives 2 to 5 extra bits on machines with little available entropy,
provided init is not done too early in the machine boot process.  There
seem to be much stronger sources loaded where available.

>
> Has a "pseudo-rand" feature.

This is a clearly marked feature useful when the entropy sources are
significantly slower than the random bit need, such as on a busy TLS
server with a serial port (or slower) entropy source.

>
> Never was cryptographically evaluated.
>

By whom? I would expect the very public OpenSSL RNG to have been
subjected to lots of 3rd party review outside the Foundation.

The new design is taken from a document that was insufficiently publicly
reviewed and was later found to contain a likely backdoor in one of its
other suggested RNG designs, making the entire document highly dubious.




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: Seeding before RSA key generation

OpenSSL - User mailing list
We disagree, and as I wrote the latest RNG code and docs, I'm biased (sic).  I'll leave on that weak pun.


Re: Seeding before RSA key generation

OpenSSL - User mailing list
In reply to this post by Matt Caswell-2
>    This is not correct.

Thanks for the corrections, Matt.


Re: Seeding before RSA key generation

Andres Traumann
In reply to this post by Matt Caswell-2
Thank you for your help.

Andres

On 10/4/18 6:47 PM, Matt Caswell wrote:

>
> On 04/10/18 16:14, Salz, Rich via openssl-users wrote:
>> Which version of OpenSSL are you using?
>>
>> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded.
> This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds.
> There is no need to explicitly seed it. I also wouldn't describe it as
> "bad". 1.1.1 has a much better RNG, but there is no reason not to trust
> and use the 1.0.2 and 1.1.0 RNG.
>
>>   1.1.1 has a good random number generator and auto-seeds.
>>
> 1.0.2 and 1.1.0 auto seed. 1.1.1 additionally auto-*re*seeds.
>
> Matt

Re: Seeding before RSA key generation

Paul Dale
Not mentioned thus far is that if you are using 1.0.2 with FIPS support, the random number generator does not self-seed.


Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia


-----Original Message-----
From: Andres Traumann [mailto:[hidden email]]
Sent: Friday, 5 October 2018 3:54 AM
To: [hidden email]
Subject: Re: [openssl-users] Seeding before RSA key generation

Thank you for your help.

Andres

On 10/4/18 6:47 PM, Matt Caswell wrote:

>
> On 04/10/18 16:14, Salz, Rich via openssl-users wrote:
>> Which version of OpenSSL are you using?
>>
>> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded.
> This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds.
> There is no need to explicitly seed it. I also wouldn't describe it as
> "bad". 1.1.1 has a much better RNG, but there is no reason not to
> trust and use the 1.0.2 and 1.1.0 RNG.
>
>>   1.1.1 has a good random number generator and auto-seeds.
>>
> 1.0.2 and 1.1.0 auto seed. 1.1.1 additionally auto-*re*seeds.
>
> Matt

Re: Seeding before RSA key generation

Dr. Matthias St. Pierre

> -----Original Message-----
> From: openssl-users <[hidden email]> On Behalf Of Paul Dale
> Sent: Friday, 5 October 2018 01:33
> To: [hidden email]
> Subject: Re: [openssl-users] Seeding before RSA key generation
>
> Not mentioned thus far is that if you are using 1.0.2 with FIPS support, the random number generator does not self-seed.

This is true, but it will be fixed in the next letter release 1.0.2q, see commit

https://github.com/openssl/openssl/commit/f58001c35f39c50cb4aabcbc234d871ac740c179

which has been added recently to the OpenSSL_1_0_2-stable branch.

Matthias
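
An added example, not part of any message in this thread and not OpenSSL project code: a fail-closed preflight to run before key generation, written against Python's `ssl` bindings to OpenSSL's `RAND_status()` and `RAND_add()`. The version rules are the ones stated in the replies above; the function names, the caller-supplied `fips` flag and the treatment of releases after 1.1.1 are assumptions.

```python
import ssl

def seeding_mode(version, fips=False):
    """Classify an OpenSSL version tuple by the seeding rules stated in the thread."""
    release = tuple(version[:3])
    patch = version[3] if len(version) > 3 else 0
    if release >= (1, 1, 1):
        # 1.1.1 seeds and re-seeds itself; later releases are assumed to behave alike.
        return "auto-reseed"
    if release == (1, 0, 2) and fips and patch < 17:
        # 1.0.2 with FIPS does not self-seed; the fix is announced for 1.0.2q,
        # and letter 'q' is patch level 17 in the version tuple.
        return "explicit"
    if release in ((1, 0, 2), (1, 1, 0)):
        return "auto-seed"  # seeds itself once, never re-seeds on its own
    return "unknown"  # release not discussed in the thread


def rng_preflight(version=None, fips=False, seed=None, status=ssl.RAND_status):
    """Fail closed before key generation; returns the seeding mode on success."""
    version = ssl.OPENSSL_VERSION_INFO if version is None else version
    mode = seeding_mode(version, fips)
    if mode in ("explicit", "unknown"):
        if not seed:
            raise RuntimeError("OpenSSL %r does not self-seed: supply seed bytes" % (version,))
        # Assumption: the caller's bytes come from a full-entropy source,
        # so every byte is credited in the entropy estimate.
        ssl.RAND_add(seed, float(len(seed)))
    if not status():
        raise RuntimeError("RAND_status() reports the OpenSSL RNG is not seeded")
    return mode


if __name__ == "__main__":
    # Constructed version tuples (major, minor, fix, patch, status) for illustration.
    for label, ver, fips in [("1.0.2p", (1, 0, 2, 16, 15), False),
                             ("1.0.2p FIPS", (1, 0, 2, 16, 15), True),
                             ("1.1.0i", (1, 1, 0, 9, 15), False),
                             ("1.1.1", (1, 1, 1, 0, 15), False)]:
        print(label, "->", seeding_mode(ver, fips))
    print("linked", ssl.OPENSSL_VERSION, "->", rng_preflight())
```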
