On 9/19/2011 8:49 AM, alok sharma wrote:
Hi Jacob,
Thanks for such a detailed reply. But I am having one concern that how an application can know whether it si secure or not. Fips uses GetSystemTimeAsFileTime() for PRNG test which is having granuality of 1 ns, but my application is running even at faster rate so same value is being generated for current as well as for last request. Is there any provision inside Openssl which ensures that unique randon numbers will be generated or application need to add some delay for each new connection request.
Regards,
Alok

1. While the GetSystemTimeAsFileTime() returns the calendar date and time in units of 0.1 microsecond (100 ns), the value is NOT really that precise, as it only increments a few hundred or thousand times per second. Besides, anyone with a clock of his own will know the approximate value. Someone more familiar with the OpenSSL version you use should be able to tell you what other (and better!) sources of raw entropy OpenSSL can be configured to use.

2. Random values are not necessarily unique. Getting the same value as before must have exactly the same probability as getting any other specific value. (A random byte will be the same as the previous one 1 time out of 256 on average, a random 16 bit value 1 in 65536 etc.). To be secure, it must be completely unpredictable with actual probabilities equal for all values of a given length.

3. OpenSSL, like most such libraries, use the raw entropy sources (such as GetSystemTimeAsFileTime() and much better ones) as input to a cryptographic random generation algorithm which produces a sequence of almost-unpredictable values even if it does not get new entropy input for some (short) amount of time. This is standard procedure because really good sources of entropy tend to operate quite slowly,
perhaps giving only a few bits of fresh entropy per second.

On Thu, Sep 15, 2011 at 6:02 PM, Jakob Bohm <jb-open...@wisemo.com <mailto:jb-open...@wisemo.com>> wrote:

    On 9/14/2011 6:33 PM, alok sharma wrote:

        Hi,
              I am having my client server on Windows. The server is
        concurrent and
        having each thread for each connection. When the number of
        connection
        increases to 400-500 i.e having high thread load, my server
        crashes. I
        debuged it and found that it gives error (“random number
        generator:FIPS_RAND:prng error") when it tries to invoke
         SSL_accept(). My
        server is Fips compliant.  I looked furthur inside openssl
        code and found
        issue with fips_rand() method (fips/rand/fips_rand.c).
        Following is my
        observation.
             The error is generated at following point
              fips_rand()
               {
        .............................
        ............................

        if (!ctx->test_mode)
                    fips_get_dt(ctx);
                AES_encrypt(ctx->DT, I,&ctx->ks);
                for (i = 0; i<  AES_BLOCK_LENGTH; i++)
                    tmp[i] = I[i] ^ ctx->V[i];
                AES_encrypt(tmp, R,&ctx->ks);
                for (i = 0; i<  AES_BLOCK_LENGTH; i++)
                    tmp[i] = R[i] ^ I[i];
                AES_encrypt(tmp, ctx->V,&ctx->ks);
                /* Continuous PRNG test */
                if (ctx->second)
                    {
                    if (fips_prng_fail){
                        memcpy(ctx->last, R, AES_BLOCK_LENGTH);

    The above line may cause the next test to fail too if
    "fips_prng_fail" was set by something else.

                        RANDerr(RAND_F_FIPS_RAND,RAND_
        R_PRNG_STUCK);
                    }
                    if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
        <----------------------------- -------------- The check is
        failing as the
        current encrypted and last one are same
                        {
                            RANDerr(RAND_F_FIPS_RAND,RAND_ R_PRNG_STUCK);
                        ctx->error = 1;
                        fips_set_selftest_fail();
                        return 0;
                        }
                    }
                memcpy(ctx->last, R, AES_BLOCK_LENGTH);
        .............................. ..............................
        ...........
        .............................. ..............................
        ..........

              }

        I think under heavy load openssl continous PRNG test is
        failing. It might be
        generating the same values as it applies AES encryption over
        the data taken
        from fips_get_dt(ctx).

    Yes, that is (technically) how the code tests if the RNG is
    failing badly.
    This is a symptom, not a cause.
    The chance of this happening if the RNG is good for anything is
    1 in 2**128 per test run, thus very unlikely, the chance of this
    happening more
    than once on the same (working) computer is astronomically small.

    So the real problem is that this self-test seems to have found an
    actual
    security problem.  Running this kind of test to discover such security
    problems is a FIPS requirement.

    What the error is apparently saying is that the PRNG as running on
    your
    machine is *not* FIPS quality and must not be used for any government
    work (and probably not for anything else either!).

         For windows platform this function takes
        GetSystemTimeAsFileTime(). like
        ..........
        .........
        #ifdef OPENSSL_SYS_WIN32
            GetSystemTimeAsFileTime(&ft);
            buf[0] = (unsigned char) (ft.dwHighDateTime&  0xff);
            buf[1] = (unsigned char) ((ft.dwHighDateTime>>  8)&  0xff);
            buf[2] = (unsigned char) ((ft.dwHighDateTime>>  16)&  0xff);
            buf[3] = (unsigned char) ((ft.dwHighDateTime>>  24)&  0xff);
            buf[4] = (unsigned char) (ft.dwLowDateTime&  0xff);
            buf[5] = (unsigned char) ((ft.dwLowDateTime>>  8)&  0xff);
            buf[6] = (unsigned char) ((ft.dwLowDateTime>>  16)&  0xff);
            buf[7] = (unsigned char) ((ft.dwLowDateTime>>  24)&  0xff);
        .........................
        .........................

    If this is the only PRNG seeding used on your machine, then your setup
    is very insecure.  As a bare minimum you should make sure the code
    that
    grabs entropy from the Windows CryptoAPI PRNG (which is also FIPS
    certified) is also enabled.

    This seeding source is not very random at all, and it is only a
    (short) matter
    of time before it will produce something so predictable it should
    not pass any
    quality tests, including FIPS tests.



        Please help in this regard. I am using openssl version 0.9.8o.
        Regards,
        Alok


    ______________________________ ______________________________
    __________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    <mailto:openssl-users@openssl.org>
    Automated List Manager majord...@openssl.org
    <mailto:majord...@openssl.org>



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to