On 04/10/2018 17:38, Salz, Rich wrote:
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG otherthan not being an NSA/NIST design?Poor locking; been known to crash.
Simple bug, not a reason to change the algorithm.
Does not reseed.
But can be reseeded if so desired, subject to locking.
Global across the process, rather than isolated for private-key generation or per-connection.
This is good, not bad.
Mixes in getpid and time to get "better" random bytes.
This gives 2 to 5 extra bits on machines with little available entropy, provided init is not done too early in the machine boot process. There seem to be much stronger sources loaded where available.
Has a "pseudo-rand" feature.
This is a clearly marked feature useful when the entropy sources are significantly slower than the random bit need, such as on a busy TLS server with a serial port (or slower) entropy source.
Never was cryptographically evaluated.
By whom?, I would expect the very public OpenSSL RNG to have been subjected to lots of 3rd party review outside the Foundation. The new design is taken from a document that was insufficiently publicly reviewed and was later found to contain a likely backdoor in one of its other suggested RNG designs, making the entire document highly dubious. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
