rand interface while upgrading openssl


rand interface while upgrading openssl

Chitrang Srivastava
Hi,

I am trying to upgrade OpenSSL for my embedded OS platform. The one we currently use is pretty old, i.e. OpenSSL 0.9.6a, but porting to OpenSSL 1.1.1b works fine.

I need a suggestion regarding the random number interface; earlier we were using RAND_METHOD.
Can I still use the same mechanism? Because I see the new code's rand folder contains OS-specific implementations of

rand_pool_acquire_entropy
rand_pool_add_nonce_data
rand_pool_add_additional_data

As I understand, the above functions also need to be ported?
Any document to start with for porting random numbers to any platform?

Thanks

RE: rand interface while upgrading openssl

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Chitrang Srivastava
> Sent: Tuesday, April 16, 2019 08:24

> I need a suggestion regarding the random number interface; earlier we were using RAND_METHOD.

That's a mechanism for telling OpenSSL what mechanism to use for its cryptographically-strong pseudorandom number generator (CPRNG).

> Can I still use the same mechanism? Because I see the new code's rand folder contains OS-specific
> implementations of
>
> rand_pool_acquire_entropy
> rand_pool_add_nonce_data
> rand_pool_add_additional_data

That's part of OpenSSL's mechanism for getting entropy for the CPRNG. The CPRNG needs this, but they are not the same thing.

> As I understand, the above functions also need to be ported?

I believe you'll need some implementation of them, but I haven't poked around this corner of the OpenSSL 1.1 sources.

> Any document to start with for porting random numbers to any platform?

The CPRNG seeding mechanism is cryptographically sensitive, and should not be implemented by a non-expert. What does your existing implementation do to provide entropy for the OpenSSL CPRNG? If the answer is "nothing" (or something that's not adequately opaque to an attacker), then your product has seriously flawed security. An attacker who can guess the entropy for the CPRNG pool can break your encryption.

It will also be platform-specific (though some mechanisms will exist on multiple platforms), so there can't be much guidance on doing it for "any platform".

The literature on seeding CPRNGs is fairly extensive. It's often a challenge for embedded applications, particularly SOC-based ones which may not have much in the way of internal noise sources such as clock skew. Some CPUs have entropy sources, such as Intel's RDRAND; if you trust them (and in an embedded application you may not have much choice) you can use that.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


Re: rand interface while upgrading openssl

Chitrang Srivastava
Thanks, Michael,

I am using the ssleay_rand_add function, which was present in an earlier version of OpenSSL.

I don't find this file or function in the latest version of OpenSSL.
As I understood, the recommended way is to use the engine method, but on an embedded system we compile everything into a single ELF binary.
There is no concept of dynamic shared objects or engines, so I defined OPENSSL_NO_ENGINE to compile the engine code out.

Is there any default random number generator like md_rand.c in this version of OpenSSL?
For entropy we will be providing a SHA1/SHA2 hash of a mix of the CPU clock and various other things (serial #, MAC, ...) to seed.

-Thanks,

On Wed, Apr 17, 2019 at 1:23 AM Michael Wojcik <[hidden email]> wrote:
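Michael's warning is that the CPRNG is only as strong as the entropy behind its seed, and the recipe proposed above (a hash of the CPU clock plus serial number and MAC) is a good case to measure rather than guess about. The following is an added example, not code from the thread or from OpenSSL: it applies the most-common-value min-entropy estimator from NIST SP 800-90B (section 6.3.1) to candidate seed material, and shows why hashing constant identifiers together with a low-resolution clock does not produce more seed states than the clock alone has. The clock source, serial number and MAC address are constructed stand-ins; on a real port you would feed the estimator with samples captured from the target's actual noise source before deciding what entropy figure to claim for it.

```python
"""Sanity-checking the entropy claimed for candidate CPRNG seed material.

Added example (not OpenSSL code, not the poster's code). The sample sources
below are constructed for illustration; a real port would capture samples
from the actual noise source on the target hardware.
"""
import hashlib
import math
from collections import Counter

# Constructed device identifiers: constant across boots, so they contribute
# zero unpredictability to the seed even though they add bytes to it.
DEVICE_SERIAL = b"SN-EXAMPLE-000001"        # hypothetical serial number
DEVICE_MAC = bytes.fromhex("021122334455")  # hypothetical MAC address


def mcv_min_entropy(samples):
    """Most-common-value estimate of min-entropy per sample, in bits
    (NIST SP 800-90B, section 6.3.1). Uses the 99% upper confidence
    bound on the most frequent symbol's probability, so the result is
    conservative. It ignores ordering, so a good score is a necessary
    condition for a usable source, not a proof that it is one."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def entropy_claim_is_safe(samples, claimed_bits_per_sample):
    """True if the entropy a port intends to claim for this source (the
    figure handed to the entropy pool alongside each buffer) does not
    exceed what the MCV estimate supports."""
    return claimed_bits_per_sample <= mcv_min_entropy(samples)


def clock_source(n_samples):
    """Constructed stand-in for a low-resolution boot clock: the value
    read at seeding time falls into only 8 distinct buckets."""
    return [i % 8 for i in range(n_samples)]


def hashed_seed(clock_value):
    """The seeding recipe discussed in the thread: hash clock + serial + MAC."""
    material = clock_value.to_bytes(4, "big") + DEVICE_SERIAL + DEVICE_MAC
    return hashlib.sha256(material).digest()


def distinct_seed_states(clock_values):
    """Number of different CPRNG starting states the recipe can produce.
    A 256-bit digest of an 8-way input still has only 8 possible values."""
    return len({hashed_seed(v) for v in set(clock_values)})


def hash_output_mcv_entropy(clock_values):
    """Per-byte MCV estimate over the hash outputs. It reads as healthy
    because SHA-256 output looks uniform, which is exactly why measuring
    the hash output instead of the raw source would be misleading."""
    out = bytearray()
    for v in clock_values:
        out += hashed_seed(v)
    return mcv_min_entropy(bytes(out))


if __name__ == "__main__":
    clock = clock_source(4096)
    print(f"raw clock source:           {mcv_min_entropy(clock):.2f} bits/sample")
    print(f"distinct seed states:       {distinct_seed_states(clock)}")
    print(f"hash output (misleading):   {hash_output_mcv_entropy(clock):.2f} bits/byte")
    print(f"claiming 8 bits/sample ok?  {entropy_claim_is_safe(clock, 8)}")
    print(f"claiming 2 bits/sample ok?  {entropy_claim_is_safe(clock, 2)}")
```

The estimate must always be taken on the raw samples, before any hashing or whitening: the digest bytes score several bits per byte while the pool behind them can only ever start in eight states. The same estimator applied to a genuine noise source (timing jitter between independent clocks, a ring-oscillator TRNG, or RDRAND where it is available and trusted) is what justifies the entropy figure a port reports for each buffer it adds to the pool.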