Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

RAND_seed & RAND_bytes on Windows. How many random bytes I must give for function RAND_seed to seed PRNG properly?

776 views
Skip to first unread message

Vladimir Belov

unread,
Jul 1, 2011, 1:14:42 PM7/1/11
to
Hello.
I'll collect entropy(random bytes) myself on Windows. How many random
bytes I must give for function RAND_seed to seed PRNG properly in two cases:

1) Generating RSA keys.

2) Programming SSL-TLS. And where I must call RAND_seed during SSL-TLS
programming?

I think internal functions of OpenSSL call RAND_bytes when they need random
data. So, it is very important for me to understand how RAND_seed and
RAND_bytes work together. I don't understand how it works.

For example, if I have seeded PRNG with 256 bytes, how many random bytes I
can get with RAND_bytes after that and be sure that they are unpredictable
enough(good for cryptographical operations)?

I would be grateful for help and advices.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jeffrey Walton

unread,
Jul 1, 2011, 2:13:03 PM7/1/11
to
On Fri, Jul 1, 2011 at 1:14 PM, Vladimir Belov <ml.vlad...@gmail.com> wrote:
> Hello.
> I'll collect entropy(random bytes)  myself on Windows.  How many random
> bytes I must give for function RAND_seed to seed PRNG properly in two cases:
Why not allow OpenSSL to auto seed itself? If you have an overwhelming
desire to provide entropy, why not use Windows
(http://msdn.microsoft.com/en-us/library/aa379942(v=vs.85).aspx)?

As for the number of bytes required, I don't recall reading anything
for asymmetric key generation. For symmetric ciphers, Gutmann
recommends [key size in bits] + 64 bits (though Gutmann wrote the
paper, I believe I read it from NIST's site).

> 1) Generating RSA keys.
>
> 2) Programming SSL-TLS. And where I must call  RAND_seed during SSL-TLS
> programming?
>
> I think internal functions of OpenSSL call RAND_bytes when they need random
> data. So, it is very important for me to understand how RAND_seed and
> RAND_bytes work together. I don't understand how it works.

http://www.openssl.org/docs/crypto/RAND_bytes.html

> For example, if I have seeded PRNG with 256 bytes, how many random bytes I
> can get with RAND_bytes after that and be sure that they are unpredictable

> enough (good for cryptographic operations)?
http://groups.google.com/group/mailing.openssl.users/search?group=mailing.openssl.users&q=rand_bytes+entropy&qt_g=Search+this+group

Jeff

Vladimir Belov

unread,
Jul 2, 2011, 1:40:22 AM7/2/11
to
Thanks for answers, Jeff. But I still have questions:

> Why not allow OpenSSL to auto seed itself?

Because on Windows we have not /dev/random and that's why I think that auto
seed will be worse. But if OpenSSL seed PRNG automatically and I must not do
anything else, why in FAQ I see: "On other systems, applications have to
call the RAND_add() or RAND_seed() function with appropriate data before
generating keys or performing public key encryption."?

During debugging my program, I saw that RAND_poll is called only once after
first calling RAND_bytes or SSL_CTX_new. After that I called several
RAND_bytes and got at least 20000 bytes but RAND_poll isn't called. It's
worth saying that ssleay_rand_add(RAND_add) operates with internal ring
buffer named "state" and it's size is only 1039
bytes(1023+MD_DIGEST_LENGTH). This is an entropy pool I think. That's why
senselessly to give more than 1024 bytes of random data to RAND_seed
function, because entropy pool will be overwritten. And that's why I think
we must explicitly call RAND_seed from time to time - when RAND_bytes is
used. The question is: when do internal functions of OpenSSL library use
RAND_bytes and how many bytes they are use. Having received the answer to
it, I can exactly know when and how often I must explicitly call RAND_seed.


> If you have an overwhelming desire to provide entropy, why not use Windows
> (http://msdn.microsoft.com/en-us/library/aa379942(v=vs.85).aspx)?

I know CryptGenRandom function. But somewhere I read that this function only
seeds PRNG with cryptographically random value and after that it gives data
generated by the typical random number generator such as the one shipped
with C compiler(rand,random). It is far more random only because random
seeding. May be I am wrong. It will be very easy to seed PRNG on Windows if
I am wrong. CryptGenRandom is easy to use. But what about my assumptions,
Jeffrey?

> As for the number of bytes required, I don't recall reading anything
> for asymmetric key generation. For symmetric ciphers, Gutmann
> recommends [key size in bits] + 64 bits (though Gutmann wrote the
> paper, I believe I read it from NIST's site).

Thanks for answer.

> http://www.openssl.org/docs/crypto/RAND_bytes.html
"RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically
strong, 0 otherwise". But what about RAND_bytes? Is it also return 0 if the
bytes generated are already not cryptographically strong? Is there a limit
or no? I think must be a limit because entropy pool is limited to 1039
bytes.

And how about SSL-TLS programming? Where in my program and how often I must
explicitly call RAND_seed to be sure that all internal functions use
good(cryptographically strong and unpredictable) data?

0 new messages