I need to know can we use PRG of OpenSSL as a PRF?
2 Answers
Yes, the Pseudo Random Number Generator (PRNG) in OpenSSL is Cryptographically Secure, which means it passes statistical tests, but as @Maarten Bodewes suggests in his comment, why not go one step further and use that PRNG directly, rather than through OpenSSL?
OpenSSL can use EGD (which stands for Entropy Gathering Daemon). It is a process that taps into configurable entropy sources in a given system to provide cryptographically secure random numbers. EGD is actually modeled after /dev/random in *Nix Operating Systems, so it would not be available in a Windows system, for example, but its function is the same as /dev/random which is to gather entropy for random number generation.
If you are creating an application in a *Nix system (OS X, Linux, etc) chances are that EGD is taking input from /dev/random, so your best bet is to use it. If you are in a different OS, then EGD is probably the way to go.
Security analysis of *Nix /dev/random is discussed here:
"Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust", by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. http://eprint.iacr.org/2013/338.pdf
With an interesting blog post: https://www.schneier.com/blog/archives/2013/10/insecurities_in.html
Then it might be wise to reconsider the blind usage of /dev/random as suggested in the first response.
The OpenSSL API for the PRNG (FIPS version) is https://www.openssl.org/docs/fips/UserGuide-2.0.pdf section 6.1.1. The entropy callback is under application responsibility. You might not wish to use the Dual EC-DRBG implementation (section 6.1.2) because of perceived vulnerability. The section about "default DRBG" explains how to map RAND_xxx functions to a FIPS approved DRBG.
You can rely on OpenSSL RAND_xxxx calls after you verify the following points:
- which DRBG is instantiated (either by default or overridden)
- where the functions rand_seed_cb() and rand_add_cb() get their entropy in your implementation.
If the initialization sequence instantiates the DRBG block based on AES-CTR, seeded and re-seeded with /dev/random, then the PRG of OpenSSL would satisfy the criteria for an acceptable PRF for cryptography.
Many academic papers mention that the output of AES is indistinguishable from randomness, and this is already answered in: Is it possible to distinguish a securely-encrypted ciphertext from random noise?
(edited to smooth 'strong' statements as suggested in comments)