4

I'm trying to program custom RSA key pair generation algorithm using OpenSSL. I've used the PKCS5_PBKDF2_HMAC_SHA1 function to generate PRNG seed, so, I've used this seed as RAND_seed input.

Unfortunately every time I call RAND_bytes, with the same seed, I obtain different random numbers, but this isn't the expected behaviour, because as say the answer at How can one securely generate an asymmetric key pair from a short passphrase? the random number generator is deterministic (same seed same output).

Below is the test case. I've declared also constant seed, but the generation is never deterministic.

unsigned int seed = 0x00beef00;
unsigned int rnum[5];
RAND_seed(&seed, sizeof(seed));
RAND_bytes((unsigned char *)&rnum[0], sizeof(rnum));

Where is the error?

Community
  • 1
  • 1
Crescenzo Mugione
  • 51
  • 1
  • 2
  • Assuming you are using the default `RAND` engine, checkout the source code for [`rand_bytes` in `md_rand.c`](https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c). Also see [Making openssl generate deterministic key](http://stackoverflow.com/q/22759465) on Stack Overflow. The short of it is, you have to create an OpenSSL `ENGINE` to do it. – jww Dec 23 '16 at 17:12
  • To create a custom engine, see [Engine Building Lesson 1: A Minimum Useless Engine](https://www.openssl.org/blog/blog/2015/10/08/engine-building-lesson-1-a-minimum-useless-engine/) and [Engine Building Lesson 2: An Example MD5 Engine](https://www.openssl.org/blog/blog/2015/11/23/engine-building-lesson-2-an-example-md5-engine/) on the OpenSSL blog. – jww Dec 23 '16 at 17:14

2 Answers2

5

This is not an error. The OpenSSL random number generator does some seeding on its own using good sources of randomness.

So using the same seed value in RAND_seed does not guarantee the same sequence of random numbers. This is a Good Thing because it makes them less predictable and therefore more secure.

From the man page for RAND_seed:

    #include <openssl/rand.h>

    void RAND_seed(const void *buf, int num);

    void RAND_add(const void *buf, int num, double entropy);

    int  RAND_status(void);

    int  RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam);
    void RAND_screen(void);

RAND_add() mixes the num bytes at buf into the PRNG state. Thus, if the data at buf are unpredictable to an adversary, this increases the uncertainty about the state and makes the PRNG output less predictable. Suitable input comes from user interaction (random key presses, mouse movements) and certain hardware events. The entropy argument is (the lower bound of) an estimate of how much randomness is contained in buf, measured in bytes. Details about sources of randomness and how to estimate their entropy can be found in the literature, e.g. RFC 1750.

RAND_add() may be called with sensitive data such as user entered passwords. The seed values cannot be recovered from the PRNG output.

OpenSSL makes sure that the PRNG state is unique for each thread. On systems that provide "/dev/urandom", the randomness device is used to seed the PRNG transparently. However, on all other systems, the application is responsible for seeding the PRNG by calling RAND_add(), RAND_egd(3) or RAND_load_file(3).

RAND_seed() is equivalent to RAND_add() when num == entropy.

So if your system has /dev/urandom, it will be used as the initial seed for the PRNG.

dbush
  • 205,898
  • 23
  • 218
  • 273
  • Hi, thanks for the reply, from the topic http://crypto.stackexchange.com/questions/1662/how-can-one-securely-generate-an-asymmetric-key-pair-from-a-short-passphrase it say that "The PRNG is deterministic (same seed implies same output sequence) and produces random bits." – Crescenzo Mugione Dec 23 '16 at 07:28
  • 2
    @CrescenzoMugione A PRNG is deterministic. The difference here is that OpenSSL transparently seeds the the PRNG with random data from `/dev/urandom`. `RAND_seed` or `RAND_add` can be called multiple times to add seed data. So when you call one of these functions, the given seed buffer is *added* to the data pulled from `/dev/random`. This helps to increase randomness and make any generated bytes unpredictable. – dbush Dec 23 '16 at 13:00
-1

Openssl's int RAND_bytes(unsigned char *buf, int num); tries to make things as random as it can. That is apparently a feature you don't want, and are instead looking for a repeatable pseudorandom sequence

But Openssl also has

int RAND_pseudo_bytes(unsigned char *buf, int num);

which is probably what you are looking for, the pseudo part, to give you the repeatable sequence.

https://linux.die.net/man/3/rand_pseudo_bytes

Force openssl's RNGs to return a repeatable byte sequence

As an aside, if you are doing RSA, a repeatable random sequence isn't all that good, because what you are looking for are two large primes. Doing a large PRNG number, then testing for prime is probably a bad idea. Half of them will be divisible by 2! :)

If I recall correctly, you need to pick a good starting number, make it odd by ORing with 1, then test for prime, and if it is not, increment by 4 and try again.

Once you find them, you probably will not want to do it again using repeatable PRNG bytes to start your search.

And while I'm pretty sure this is for a learning project, but if all you want is a RSA key pair from openssl check out

https://stackoverflow.com/a/5246045/6047952

Community
  • 1
  • 1
infixed
  • 1,155
  • 7
  • 15
  • Hi, thanks for the reply, I've tried the RAND_pseudo_bytes, but it give me always random output for the same seed. I need to generate the same output for the same input, because my key pair must be unique for a single device, identified by some parameters. – Crescenzo Mugione Dec 23 '16 at 07:23
  • `RAND_pseudo_bytes` mixes the PID, time, etc into its state. Forking also mixes in new state. Check the source file for [`md_rand.c` and `rand_bytes` function](http://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c). – jww Dec 23 '16 at 16:58
  • @jww I have tried the test program from http://stackoverflow.com/a/7510354/6047952 and I get a repeatable sequence. How my version differs from the version of your source code I can't say. But a repeatable pseudorandom sequence is useful for things like Monte Carlo programs and such, so I'm surprised if the ability has been lost – infixed Dec 28 '16 at 22:43
  • @CrescenzoMugione. Even if you get a repeatable sequence, you are getting a really weak system. It's similar to the error that Debian made once that ended up with their openssh only producing 32K unique session keys because in the end their seed was based just on the PID. https://www.schneier.com/blog/archives/2008/05/random_number_b.html Stuff like MAC addresses are not even good secrets, as everyone on your subnet can get it. Remember, John von Neuman once said "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."[ – infixed Dec 28 '16 at 23:02