Re: Seeding the PRNG in withdows with openssl Fips

Thu, 08 Sep 2011 22:26:43 -0700 

Hello, Stephen. Can you answer?

During debugging my program, I saw that RAND_poll is called only once after
first calling RAND_bytes or SSL_CTX_new. After that I called several
RAND_bytes and got at least 20000 bytes but RAND_poll isn't called. It's
worth saying that ssleay_rand_add(RAND_add) operates with internal ring
buffer named "state" and it's size is only 1039
bytes(1023+MD_DIGEST_LENGTH). This is an entropy pool I think. That's why
senselessly to give more than 1024 bytes of random data to RAND_seed
function, because entropy pool will be overwritten. And that's why I think
we must explicitly call RAND_seed from time to time - when RAND_bytes is
used. The question is: when do internal functions of OpenSSL library use
RAND_bytes and how many bytes they are use. Having received the answer to
it, I can exactly know when and how often I must explicitly call RAND_seed.

And how about SSL-TLS programming? Where in my program and how often I must
explicitly call RAND_seed to be sure that all internal functions use
good(cryptographically strong and unpredictable) data?
-----Исходное сообщение----- From: Dr. Stephen Henson 
Sent: Thursday, September 08, 2011 11:37 PM
To: [email protected]
Subject: Re: Seeding the PRNG in withdows with openssl Fips

On Thu, Sep 08, 2011, ricardo brillon wrote:


Steve
I been reading on how to seed the PRNG for my Fips application running on windows. I read that I should use the Win API CryptGenRandom. 
Do you think this is the best way?
Seeding is done automatically on Windows so you don't need to do it manually. 

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager [email protected] 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]

Reply via email to