Paper 2016/367
An Analysis of OpenSSL's Random Number Generator
Falko Strenzke
Abstract
In this work we demonstrate various weaknesses of the random number generator (RNG)
in the OpenSSL cryptographic library.
We show how OpenSSL's RNG, while in a known low entropy state, potentially leaks into its output
low entropy secrets that client code never intentionally fed to the RNG. This constitutes a
vulnerability even when the client application respects the low entropy state in the given
usage scenario.
Turning to the core cryptographic functionality of the RNG,
we show that OpenSSL's function for
adding entropy to the RNG state fails to be an effective mixing function.
If an initial low entropy state of the RNG
was wrongly presumed to have 256 bits of entropy on the basis of incorrect entropy
estimates, attempts to recover from this state succeed only in the long term
but fail in the short term.
As a result, the entropy level of the generated cryptographic keys can be limited to
80 bits, even though thousands of bits of entropy may have been fed into the RNG state
previously. In the same scenario, we demonstrate an attack that recovers the RNG
state from later output with an off-line effort between
Metadata
- Available format(s)
- PDF
- Publication info
- Published by the IACR in EUROCRYPT 2016
- Contact author(s)
- fstrenzke @ cryptosource de
- History
- 2016-04-12: received
- Short URL
- https://ia.cr/2016/367
- License
- CC BY
BibTeX
@misc{cryptoeprint:2016/367,
  author = {Falko Strenzke},
  title = {An Analysis of {OpenSSL}'s Random Number Generator},
  howpublished = {Cryptology {ePrint} Archive, Paper 2016/367},
  year = {2016},
  url = {https://eprint.iacr.org/2016/367}
}