Thanks for answers, Jeff. But I still have questions:
Why not allow OpenSSL to auto seed itself?
Because on Windows we have not /dev/random and that's why I think that auto
seed will be worse. But if OpenSSL seed PRNG automatically and I must not do
anything else, why in FAQ I see: "On other systems, applications have to
call the RAND_add() or RAND_seed() function with appropriate data before
generating keys or performing public key encryption."?
During debugging my program, I saw that RAND_poll is called only once after
first calling RAND_bytes or SSL_CTX_new. After that I called several
RAND_bytes and got at least 20000 bytes but RAND_poll isn't called. It's
worth saying that ssleay_rand_add(RAND_add) operates with internal ring
buffer named "state" and it's size is only 1039
bytes(1023+MD_DIGEST_LENGTH). This is an entropy pool I think. That's why
senselessly to give more than 1024 bytes of random data to RAND_seed
function, because entropy pool will be overwritten. And that's why I think
we must explicitly call RAND_seed from time to time - when RAND_bytes is
used. The question is: when do internal functions of OpenSSL library use
RAND_bytes and how many bytes they are use. Having received the answer to
it, I can exactly know when and how often I must explicitly call RAND_seed.
If you have an overwhelming desire to provide entropy, why not use Windows
(http://msdn.microsoft.com/en-us/library/aa379942(v=vs.85).aspx)?
I know CryptGenRandom function. But somewhere I read that this function only
seeds PRNG with cryptographically random value and after that it gives data
generated by the typical random number generator such as the one shipped
with C compiler(rand,random). It is far more random only because random
seeding. May be I am wrong. It will be very easy to seed PRNG on Windows if
I am wrong. CryptGenRandom is easy to use. But what about my assumptions,
Jeffrey?
As for the number of bytes required, I don't recall reading anything
for asymmetric key generation. For symmetric ciphers, Gutmann
recommends [key size in bits] + 64 bits (though Gutmann wrote the
paper, I believe I read it from NIST's site).
Thanks for answer.
http://www.openssl.org/docs/crypto/RAND_bytes.html
"RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically
strong, 0 otherwise". But what about RAND_bytes? Is it also return 0 if the
bytes generated are already not cryptographically strong? Is there a limit
or no? I think must be a limit because entropy pool is limited to 1039
bytes.
And how about SSL-TLS programming? Where in my program and how often I must
explicitly call RAND_seed to be sure that all internal functions use
good(cryptographically strong and unpredictable) data?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org