Apologies for doing this, but does anyone know the answers to these two questions:

1) How many bytes of entropy does fips_get_entropy() get? 32 (i.e. security_strength) or 40?
2) Is there any way to combine multiple sources of entropy (such as /dev/urandom and egd)?

Thank you!

On Tue, Oct 1, 2013 at 5:22 PM, Roy R <rr.crypt...@gmail.com> wrote:

> Hi all,
>
> I'm trying to investigate how entropy is gathered for CTR_DRBG when
> OpenSSL is in FIPS mode.
>
> Environment: RHEL 6 and OpenSSL FIPS Object Module 2.0.2 and OpenSSL
> 1.0.1c.
>
> If I understood this correctly it looks like the security_strength is 256
> bits (32 bytes) and seed length is 384 bits (48 bytes).
>
> When instantiating (in FIPS_drbg_instantiate), it eventually calls
> fips_get_entropy with the values entropy == 256, min_len = 32 and max_len
> as a whole lot more). What is the difference here between entropy and
> min_len?
>
> Eventually it calls drbg_get_entropy with entropy = 256+20 (where 20 is
> the block length) and min_len = 32+20. This calls into
> RAND_SSLeay()->bytes() to get 60 bytes of rand (as the comment says this
> uses the standard OpenSSL PRNG to get entropy).
>
> fips_get_entropy then returns the last 40 bytes as the entropy (it uses
> the first 20 for the continuous PRNG test).
>
> Now inside of RAND_SSLeay()->bytes() it eventually ends up in
> ssleay_rand_bytes (in md_rand.c) and I'm having some trouble understanding
> the code here. It fetches 32 bytes of random bytes from /dev/urandom and
> adds that to the seed (using RAND_add). It also adds another 24 bytes (but
> 0.0 entropy) of data in the current pid, uid and time. ssleay_rand_bytes
> also does some hashing (I can't tell what hash method it's actually using).
>
> In the end I'm a bit confused, so I'd appreciate some help with a few
> questions:
>
> 1) How many bytes of entropy do we really need? Just security_strength
> (i.e. 32 bytes) or as many bytes as the RNG is requested (e.g. if we
> request 64 bytes, do we need 64 bytes of entropy).
>
> 2) How many bytes is it actually getting in the end? fips_get_entropy
> seems to return 40 even though RAND_poll only returns 32 from /dev/urandom.
>
> 3) What exactly is the hash in ssleay_rand_bytes doing?
>
> The main reason I ask is that I heard for the new FIPS requirements we can
> only use 20 bytes from /dev/urandom. Is OpenSSL compliant with this? If
> not, is there a way I can combine another source of entropy (for example
> egd + urandom)?
>
> Thanks a lot!