Open ggkitsas opened 10 years ago
This function is only a fall-back. We use RAND_bytes() if we can.
From the security perspective the fallback to RAND_pseudo_bytes is a no-go. With this implementation users can never be sure to have a secure encryption key. This could happen if for one second during setup of the library RAND_bytes can't be used and the user is infected with the insecure key for the rest of the library's life-time. Even the documentation of RAND_pseudo_bytes states that this is not to be used for key generation.
Many other security applications display a message asking the user to move the mouse and randomly type on the keyboard until enough entropy for RAND_bytes is available.
Instead of falling back to RAND_pseudo_bytes the key generation should be repeated until RAND_bytes succeeds (asking the user to move mouse and type keyboard) or terminated with an error message.
RAND_pseudo_bytes must not be used for key generation. From OpenSSL documentation:
"RAND_pseudo_bytes() puts num pseudo-random bytes into buf. Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be unique if they are of sufficient length, but are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation."
This affects the following:
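The "retry RAND_bytes or fail, never fall back" policy the issue asks for, written as an added example (not code from the project or from the issue author) using Python's stdlib `ssl` bindings to OpenSSL's RAND API; the `reseed_from_os` helper and the injectable `rand_status`/`rand_bytes` parameters are assumptions made here so the failure path can be exercised without an unseeded generator.

```python
import os
import ssl
from typing import Callable, Optional


class KeyGenerationError(RuntimeError):
    """No cryptographically strong random bytes could be obtained."""


def reseed_from_os() -> None:
    """Mix 32 bytes from the OS CSPRNG into OpenSSL's generator.

    Assumed helper: stands in for the interactive "move the mouse / type
    randomly" prompt described in the issue. RAND_add's entropy estimate
    is given in bytes.
    """
    ssl.RAND_add(os.urandom(32), 32.0)


def generate_key(
    nbytes: int,
    max_attempts: int = 3,
    reseed: Optional[Callable[[], None]] = reseed_from_os,
    rand_status: Callable[[], bool] = ssl.RAND_status,    # injectable for tests
    rand_bytes: Callable[[int], bytes] = ssl.RAND_bytes,  # injectable for tests
) -> bytes:
    """Return `nbytes` of key material from RAND_bytes, or raise.

    Deliberately no fallback to RAND_pseudo_bytes: if the generator is not
    seeded, let the caller gather entropy and retry; after `max_attempts`
    failures stop with an error rather than hand back a possibly
    predictable key.
    """
    if nbytes <= 0:
        raise ValueError("nbytes must be positive")
    last_error: Optional[Exception] = None
    for _ in range(max_attempts):
        if rand_status():
            try:
                key = rand_bytes(nbytes)
            except ssl.SSLError as exc:  # unseeded, or RAND method unsupported
                last_error = exc
            else:
                if len(key) == nbytes:
                    return key
                last_error = KeyGenerationError("short read from RAND_bytes")
        # Not enough entropy yet: give the caller a chance to add some, then retry.
        if reseed is not None:
            reseed()
    raise KeyGenerationError(
        f"RAND_bytes did not succeed after {max_attempts} attempts"
    ) from last_error
```

On a seeded system `generate_key(32)` simply returns 32 bytes; the error path is what distinguishes this from the fallback the issue objects to.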