|
Packit |
c4476c |
=pod
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 NAME
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
RAND
|
|
Packit |
c4476c |
- the OpenSSL random generator
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 DESCRIPTION
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Random numbers are a vital part of cryptography, they are needed to provide
|
|
Packit |
c4476c |
unpredictability for tasks like key generation, creating salts, and many more.
|
|
Packit |
c4476c |
Software-based generators must be seeded with external randomness before they
|
|
Packit |
c4476c |
can be used as a cryptographically-secure pseudo-random number generator
|
|
Packit |
c4476c |
(CSPRNG).
|
|
Packit |
c4476c |
The availability of common hardware with special instructions and
|
|
Packit |
c4476c |
modern operating systems, which may use items such as interrupt jitter
|
|
Packit |
c4476c |
and network packet timings, can be reasonable sources of seeding material.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
OpenSSL comes with a default implementation of the RAND API which is based on
|
|
Packit |
c4476c |
the deterministic random bit generator (DRBG) model as described in
|
|
Packit |
c4476c |
[NIST SP 800-90A Rev. 1]. The default random generator will initialize
|
|
Packit |
c4476c |
automatically on first use and will be fully functional without having
|
|
Packit |
c4476c |
to be initialized ('seeded') explicitly.
|
|
Packit |
c4476c |
It seeds and reseeds itself automatically using trusted random sources
|
|
Packit |
c4476c |
provided by the operating system.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
As a normal application developer, you do not have to worry about any details,
|
|
Packit |
c4476c |
just use L<RAND_bytes(3)> to obtain random data.
|
|
Packit |
c4476c |
Having said that, there is one important rule to obey: Always check the error
|
|
Packit |
c4476c |
return value of L<RAND_bytes(3)> and do not take randomness for granted.
|
|
Packit |
c4476c |
Although (re-)seeding is automatic, it can fail because no trusted random source
|
|
Packit |
c4476c |
is available or the trusted source(s) temporarily fail to provide sufficient
|
|
Packit |
c4476c |
random seed material.
|
|
Packit |
c4476c |
In this case the CSPRNG enters an error state and ceases to provide output,
|
|
Packit |
c4476c |
until it is able to recover from the error by reseeding itself.
|
|
Packit |
c4476c |
For more details on reseeding and error recovery, see L<RAND_DRBG(7)>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
For values that should remain secret, you can use L<RAND_priv_bytes(3)>
|
|
Packit |
c4476c |
instead.
|
|
Packit |
c4476c |
This method does not provide 'better' randomness, it uses the same type of CSPRNG.
|
|
Packit |
c4476c |
The intention behind using a dedicated CSPRNG exclusively for private
|
|
Packit |
c4476c |
values is that none of its output should be visible to an attacker (e.g.,
|
|
Packit |
c4476c |
used as salt value), in order to reveal as little information as
|
|
Packit |
c4476c |
possible about its internal state, and that a compromise of the "public"
|
|
Packit |
c4476c |
CSPRNG instance will not affect the secrecy of these private values.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
In the rare case where the default implementation does not satisfy your special
|
|
Packit |
c4476c |
requirements, there are two options:
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=over 2
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=item *
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Replace the default RAND method by your own RAND method using
|
|
Packit |
c4476c |
L<RAND_set_rand_method(3)>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=item *
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Modify the default settings of the OpenSSL RAND method by modifying the security
|
|
Packit |
c4476c |
parameters of the underlying DRBG, which is described in detail in L<RAND_DRBG(7)>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=back
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Changing the default random generator or its default parameters should be necessary
|
|
Packit |
c4476c |
only in exceptional cases and is not recommended, unless you have a profound knowledge
|
|
Packit |
c4476c |
of cryptographic principles and understand the implications of your changes.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 SEE ALSO
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
L<RAND_add(3)>,
|
|
Packit |
c4476c |
L<RAND_bytes(3)>,
|
|
Packit |
c4476c |
L<RAND_priv_bytes(3)>,
|
|
Packit |
c4476c |
L<RAND_get_rand_method(3)>,
|
|
Packit |
c4476c |
L<RAND_set_rand_method(3)>,
|
|
Packit |
c4476c |
L<RAND_OpenSSL(3)>,
|
|
Packit |
c4476c |
L<RAND_DRBG(7)>
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 COPYRIGHT
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Licensed under the OpenSSL license (the "License"). You may not use
|
|
Packit |
c4476c |
this file except in compliance with the License. You can obtain a copy
|
|
Packit |
c4476c |
in the file LICENSE in the source distribution or at
|
|
Packit |
c4476c |
L<https://www.openssl.org/source/license.html>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=cut
|