Difference between revisions of "Random fork-safety"

From OpenSSLWiki
Jump to: navigation, search
(new page about fork safety)
 
(add more links)
Line 7: Line 7:
 
* [http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/ OpenSSL PRNG Is Not (Really) Fork-safe - martinboßlet - Aug 21, 2013]
 
* [http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/ OpenSSL PRNG Is Not (Really) Fork-safe - martinboßlet - Aug 21, 2013]
  
However, since this issue has been "rediscovered" and discussed multiple times, here are some addition links:
+
However, since this issue has been "rediscovered" and discussed multiple times, here are some additional links:
  
 
* [http://marc.info/?l=openssl-dev&m=130289811108150&w=2 openssl-dev: recycled pids causes PRNG to repeat - Eric Wong - Apr 15, 2011]
 
* [http://marc.info/?l=openssl-dev&m=130289811108150&w=2 openssl-dev: recycled pids causes PRNG to repeat - Eric Wong - Apr 15, 2011]
 
* [https://plus.google.com/+AndroidDevelopers/posts/YxWzeNQMJS2 Google+ discussion of Android SecureRandom issue, caused by OpenSSL PID wraparound - Aug 14, 2013]
 
* [https://plus.google.com/+AndroidDevelopers/posts/YxWzeNQMJS2 Google+ discussion of Android SecureRandom issue, caused by OpenSSL PID wraparound - Aug 14, 2013]
 +
* [http://www.mail-archive.com/openssl-users@openssl.org/msg71749.html openssl-users: DLL hell - Nico Williams - Aug 15, 2013]
 +
* [http://www.mail-archive.com/openssl-dev@openssl.org/msg32867.html openssl-dev: not fork-safe if pids wrap (continuation of above openssl-users thread) - Aug 22, 2013]
 
* [http://www.mail-archive.com/openssl-dev@openssl.org/msg33003.html openssl-dev: Patch to increase rng entropy after forking - Ernst-Udo Wallenborn - Sept 18, 2013]
 
* [http://www.mail-archive.com/openssl-dev@openssl.org/msg33003.html openssl-dev: Patch to increase rng entropy after forking - Ernst-Udo Wallenborn - Sept 18, 2013]
 
* [http://www.mail-archive.com/openssl-dev@openssl.org/msg33012.html openssl-dev: Mixing time into the pool - Ben Laurie - Sept 21, 2013]
 
* [http://www.mail-archive.com/openssl-dev@openssl.org/msg33012.html openssl-dev: Mixing time into the pool - Ben Laurie - Sept 21, 2013]

Revision as of 00:34, 3 October 2013

One of the most important issues in the proper cryptographic use of random numbers is that random numbers must not be used. Since the UNIX fork() system call duplicates the entire process state, a random number generator which does not take this issue into account will produce the same sequence of random numbers in both the parent and the child (or in multiple children), leading to cryptographic disaster. (i. e. people being able to read your communications)

OpenSSL's default random number generator mixes in the PID, which provides a certain degree of fork safety. However, once the PIDs wrap, new children will start to produce the same random sequence as previous children which had the same PID. This is unlikely to happen in most common cases, but it is not impossible, which makes the issue even more insidious.

The most comprehensive explanation of this problem is probably this blog post:

However, since this issue has been "rediscovered" and discussed multiple times, here are some additional links: