[openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes


Rich Salz via RT
Fixed in bd4850df648bee9d8e0595b7e1147266e6f55a3e

Strict range-checking was added to all app number-parsing. It was mostly
already all there (except for, sigh, rand) but range-checking was not done. Now
it is.
--
Rich Salz, OpenSSL dev team; [hidden email]

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
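
Added example (not the OpenSSL commit, whose code is not shown in this thread): one way an app can parse a numeric argument with strict range checking, next to an unchecked variant that shows how a value like 10000000000 can silently shrink. The function names are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked variant, for contrast: the 64-bit result is narrowed to int
 * and anything after the digits is ignored. */
static int parse_unchecked(const char *s)
{
    return (int)strtoll(s, NULL, 10);
}

/* Strict variant: returns 1 and stores the value only if the whole string
 * is a decimal number inside [min, max]; returns 0 and leaves *out alone
 * otherwise. */
static int parse_int_strict(const char *s, int min, int max, int *out)
{
    char *end;
    long long v;

    if (s == NULL || *s == '\0')
        return 0;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (end == s || *end != '\0')   /* no digits, or trailing junk */
        return 0;
    if (errno == ERANGE)            /* did not even fit in long long */
        return 0;
    if (v < min || v > max)         /* outside the caller's range */
        return 0;
    *out = (int)v;
    return 1;
}

int main(void)
{
    int n = 0;

    printf("unchecked: %d\n", parse_unchecked("10000000000"));
    printf("strict accepted: %d\n",
           parse_int_strict("10000000000", 0, INT_MAX, &n));
    return 0;
}
```

On common compilers the narrowing conversion wraps modulo 2^32, so the unchecked variant reports a plausible positive count rather than an error; the strict variant rejects the argument before any work starts.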

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
On Tue, Jan 12, 2016 at 7:02 AM, Rich Salz via RT <[hidden email]> wrote:
> Fixed in bd4850df648bee9d8e0595b7e1147266e6f55a3e

Great to see.

May I suggest the bug also becomes a wish for support for > 2GB
numbers, as that is what the user originally wanted?

/Ole



Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Viktor Dukhovni

> On Jan 12, 2016, at 6:35 AM, Ole Tange via RT <[hidden email]> wrote:
>
> On Tue, Jan 12, 2016 at 7:02 AM, Rich Salz via RT <[hidden email]> wrote:
>> Fixed in bd4850df648bee9d8e0595b7e1147266e6f55a3e
>
> Great to see.
>
> May I suggest the bug also becomes a wish for support for > 2GB
> numbers, as that is what the user originally wanted?

key=$(openssl rand -hex 16)
iv=$(openssl rand -hex 16)
cat /dev/zero | openssl enc -aes-128-cbc -K $key -iv $iv

is a better way to produce a random stream of arbitrary length,
it is also hardware accelerated (AESNI) on many systems.

--
        Viktor.




Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Salz, Rich
> May I suggest the bug also becomes a wish for support for > 2GB numbers,
> as that is what the user originally wanted?

Unlikely to happen in 1.1 because of portability issues.
Call it multiple times or, better, write a small program to generate a PRNG stream.

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
On Tue, Jan 12, 2016 at 4:58 PM, Viktor Dukhovni via RT <[hidden email]> wrote:

>
>> On Jan 12, 2016, at 6:35 AM, Ole Tange via RT <[hidden email]> wrote:
>>
>> May I suggest the bug also becomes a wish for support for > 2GB
>> numbers, as that is what the user originally wanted?
>
> key=$(openssl rand -hex 16)
> iv=$(openssl rand -hex 16)
> cat /dev/zero | openssl enc -aes-128-cbc -K $key -iv $iv
>
> is a better way to produce a random stream of arbitrary length,
> it is also hardware accelerated (AESNI) on many systems.

Great. But the normal user does not know this, and it is so complex
that even an advanced user like me will have to look it up every time.
Is there any reason why the above is not run instead of what `openssl
rand` runs today?

In other words: Why not change `openssl rand` to run what you would
recommend people run anyway?


/Ole



Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Rich Salz via RT
On Tue, Jan 12, 2016 at 6:06 PM, Salz, Rich via RT <[hidden email]> wrote:
>> May I suggest the bug also becomes a wish for support for > 2GB numbers,
>> as that is what the user originally wanted?
>
> Unlikely to happen in 1.1 because of portability issues.
> Call it multiple times or, better, write a small program to generate a PRNG stream.

Great. But the normal user does not know this. Why not just use
`openssl rand` as the wrapper that does the above? No need to change
the interface for the functions - simply put the wrapper in `openssl
rand` with a counter and then generate 2 GB at a time (like now) until
enough has been generated.

In other words: Why not change `openssl rand` to run what you would
recommend people run anyway?


/Ole
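
Added example (not code from OpenSSL or from anyone in this thread): a sketch of the wrapper idea above, keeping a 64-bit counter and asking the generator for one bounded chunk per call. `fill_fn` mirrors the shape of `RAND_bytes()`; `stub_fill` and `emit_stream` are hypothetical names, the stub writes a fixed pattern so the code runs without libcrypto, and the chunk is 1 MiB rather than 2 GB to keep the buffer small.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same shape as OpenSSL's RAND_bytes(buf, num): returns 1 on success. */
typedef int (*fill_fn)(unsigned char *buf, int num);

static unsigned long fill_calls;   /* chunks requested from the generator */

/* Constructed stand-in for RAND_bytes() so this runs without libcrypto;
 * it writes a fixed pattern, NOT random data. */
static int stub_fill(unsigned char *buf, int num)
{
    if (num <= 0)
        return 0;
    memset(buf, 0xA5, (size_t)num);
    fill_calls++;
    return 1;
}

/* Write exactly `total` bytes to `out`, one bounded chunk per generator
 * call. The running count is 64-bit, so 10000000000 is never narrowed to
 * int; only the per-call chunk size is. Returns the bytes written. */
static uint64_t emit_stream(uint64_t total, fill_fn fill, FILE *out)
{
    static unsigned char buf[1 << 20];          /* 1 MiB per call */
    uint64_t done = 0;

    while (done < total) {
        uint64_t left = total - done;
        int chunk = left > sizeof(buf) ? (int)sizeof(buf) : (int)left;

        if (fill(buf, chunk) != 1)              /* generator failed */
            break;
        if (fwrite(buf, 1, (size_t)chunk, out) != (size_t)chunk)
            break;                              /* short write */
        done += (uint64_t)chunk;
    }
    return done;
}

int main(void)
{
    uint64_t n = emit_stream(3000000, stub_fill, stdout);

    fprintf(stderr, "%llu bytes in %lu calls\n", (unsigned long long)n, fill_calls);
    return n == 3000000 ? 0 : 1;
}
```

A return value smaller than the requested total means the generator or the write failed part-way, so the caller has to compare the two instead of assuming the full length was produced.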



Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Viktor Dukhovni
On Wed, Jan 13, 2016 at 12:22:01AM +0000, Ole Tange via RT wrote:

> > key=$(openssl rand -hex 16)
> > iv=$(openssl rand -hex 16)
> > cat /dev/zero | openssl enc -aes-128-cbc -K $key -iv $iv
> >
> > is a better way to produce a random stream of arbitrary length,
> > it is also hardware accelerated (AESNI) on many systems.
>
> Great. But the normal user does not know this, and it is so complex
> that even an advanced user like me will have to look it up every time.
> Is there any reason why the above is not run instead of what `openssl
> rand` runs today?
>
> In other words: Why not change `openssl rand` to run what you would
> recommend people run anyway?

Because "openssl rand" is not at present a stream generator, and
was never intended to be one.  It is also substantially slower
than the above.

There are better crypto-random stream generators like SHAKE256,
but it is fairly new, and not yet available in OpenSSL.

In most cases, just overwriting a disk with zeros is as good as
with any other pattern.

--
        Viktor.

Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Dr Paul Dale

On Wed, 13 Jan 2016 12:32:39 AM Viktor Dukhovni wrote:

> In most cases, just overwriting a disk with zeros is as good as
> with any other pattern.

Peter Gutmann published a paper showing that it is possible to read zeroed bits with the right equipment: https://www.usenix.org/legacy/publications/library/proceedings/sec96/full_papers/gutmann/index.html

I remember a report not long after the original paper was published where the writer zeroed a drive and went to several data recovery companies who couldn't retrieve anything (sorry, can't find the reference).

Also note that this technique doesn't work on newer drives: http://seclists.org/bugtraq/2005/Jul/464

If you are protecting against governments or extremely well equipped organisations, a zeroed disc might be recoverable with a large investment of time and effort. If you are in this case and what you are protecting is worth that much, use one of the approved secure disc erasure methods -- several times.

- Pauli

--
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia


Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Kurt Roeckx
On Wed, Jan 13, 2016 at 11:00:09AM +1000, Paul Dale wrote:

> On Wed, 13 Jan 2016 12:32:39 AM Viktor Dukhovni wrote:
> > In most cases, just overwriting a disk with zeros is as good as
> > with any other pattern.
>
> Peter Gutmann published a paper showing that it is possible to read zeroed bits with the right equipment: https://www.usenix.org/legacy/publications/library/proceedings/sec96/full_papers/gutmann/index.html
>
> I remember a report not long after the original paper was published where the writer zeroed a drive and went to several data recovery companies who couldn't retrieve anything (sorry, can't find the reference).
>
> Also note that this technique doesn't work on newer drives: http://seclists.org/bugtraq/2005/Jul/464
>
>
> If you are protecting against governments or extremely well equipped organisations, a zeroed disc might be recoverable with a large investment of time and effort.  If you are in this case and what you are protecting is worth that much, use one of the approved secure disc erasure methods -- several times.

There are various ways to do that, including:
http://www.dban.org/
https://wiki.archlinux.org/index.php/Securely_wipe_disk
http://www.killdisk.com/


Kurt


Re: [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

Hubert Kario
On Tuesday 12 January 2016 15:58:59 Viktor Dukhovni via RT wrote:
> > On Jan 12, 2016, at 6:35 AM, Ole Tange via RT <[hidden email]> wrote:
> >
> > On Tue, Jan 12, 2016 at 7:02 AM, Rich Salz via RT <[hidden email]> wrote:
> >> Fixed in bd4850df648bee9d8e0595b7e1147266e6f55a3e
> >
> > Great to see.
> >
> > May I suggest the bug also becomes a wish for support for > 2GB
> > numbers, as that is what the user originally wanted?
>
> key=$(openssl rand -hex 16)
> iv=$(openssl rand -hex 16)
> cat /dev/zero | openssl enc -aes-128-cbc -K $key -iv $iv
>
> is a better way to produce a random stream of arbitrary length,
> it is also hardware accelerated (AESNI) on many systems.

I would upgrade that to aes-128-ctr, but it's not bad per se
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic