| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame^] | 1 | =pod |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | RAND |
| 6 | - the OpenSSL random generator |
| 7 | |
| 8 | =head1 DESCRIPTION |
| 9 | |
| 10 | Random numbers are a vital part of cryptography, they are needed to provide |
| 11 | unpredictability for tasks like key generation, creating salts, and many more. |
| 12 | Software-based generators must be seeded with external randomness before they |
| 13 | can be used as a cryptographically-secure pseudo-random number generator |
| 14 | (CSPRNG). |
| 15 | The availability of common hardware with special instructions and |
| 16 | modern operating systems, which may use items such as interrupt jitter |
| 17 | and network packet timings, can be reasonable sources of seeding material. |
| 18 | |
| 19 | OpenSSL comes with a default implementation of the RAND API which is based on |
| 20 | the deterministic random bit generator (DRBG) model as described in |
| 21 | [NIST SP 800-90A Rev. 1]. The default random generator will initialize |
| 22 | automatically on first use and will be fully functional without having |
| 23 | to be initialized ('seeded') explicitly. |
| 24 | It seeds and reseeds itself automatically using trusted random sources |
| 25 | provided by the operating system. |
| 26 | |
| 27 | As a normal application developer, you do not have to worry about any details, |
| 28 | just use L<RAND_bytes(3)> to obtain random data. |
| 29 | Having said that, there is one important rule to obey: Always check the error |
| 30 | return value of L<RAND_bytes(3)> and do not take randomness for granted. |
| 31 | Although (re-)seeding is automatic, it can fail because no trusted random source |
| 32 | is available or the trusted source(s) temporarily fail to provide sufficient |
| 33 | random seed material. |
| 34 | In this case the CSPRNG enters an error state and ceases to provide output, |
| 35 | until it is able to recover from the error by reseeding itself. |
| 36 | For more details on reseeding and error recovery, see L<RAND_DRBG(7)>. |
| 37 | |
| 38 | For values that should remain secret, you can use L<RAND_priv_bytes(3)> |
| 39 | instead. |
| 40 | This method does not provide 'better' randomness, it uses the same type of CSPRNG. |
| 41 | The intention behind using a dedicated CSPRNG exclusively for private |
| 42 | values is that none of its output should be visible to an attacker (e.g., |
| 43 | used as salt value), in order to reveal as little information as |
| 44 | possible about its internal state, and that a compromise of the "public" |
| 45 | CSPRNG instance will not affect the secrecy of these private values. |
| 46 | |
| 47 | In the rare case where the default implementation does not satisfy your special |
| 48 | requirements, there are two options: |
| 49 | |
| 50 | =over 2 |
| 51 | |
| 52 | =item * |
| 53 | |
| 54 | Replace the default RAND method by your own RAND method using |
| 55 | L<RAND_set_rand_method(3)>. |
| 56 | |
| 57 | =item * |
| 58 | |
| 59 | Modify the default settings of the OpenSSL RAND method by modifying the security |
| 60 | parameters of the underlying DRBG, which is described in detail in L<RAND_DRBG(7)>. |
| 61 | |
| 62 | =back |
| 63 | |
| 64 | Changing the default random generator or its default parameters should be necessary |
| 65 | only in exceptional cases and is not recommended, unless you have a profound knowledge |
| 66 | of cryptographic principles and understand the implications of your changes. |
| 67 | |
| 68 | =head1 SEE ALSO |
| 69 | |
| 70 | L<RAND_add(3)>, |
| 71 | L<RAND_bytes(3)>, |
| 72 | L<RAND_priv_bytes(3)>, |
| 73 | L<RAND_get_rand_method(3)>, |
| 74 | L<RAND_set_rand_method(3)>, |
| 75 | L<RAND_OpenSSL(3)>, |
| 76 | L<RAND_DRBG(7)> |
| 77 | |
| 78 | =head1 COPYRIGHT |
| 79 | |
| 80 | Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. |
| 81 | |
| 82 | Licensed under the OpenSSL license (the "License"). You may not use |
| 83 | this file except in compliance with the License. You can obtain a copy |
| 84 | in the file LICENSE in the source distribution or at |
| 85 | L<https://www.openssl.org/source/license.html>. |
| 86 | |
| 87 | =cut |