RAND_bytes doesn't give the same result from the same seed


Problem description

I'm trying to program a custom RSA key pair generation algorithm using OpenSSL. I've used the PKCS5_PBKDF2_HMAC_SHA1 function to generate a PRNG seed, so I've used this seed as the RAND_seed input.

Unfortunately, every time I call RAND_bytes with the same seed I obtain different random numbers, but this isn't the expected behaviour, because, as the answer at How can one securely generate an asymmetric key pair from a short passphrase? says, the random number generator is deterministic (same seed, same output).

Below is the test case. I've also declared a constant seed, but the generation is never deterministic.

#include <openssl/rand.h>

unsigned int seed = 0x00beef00;                     /* constant seed */
unsigned int rnum[5];
RAND_seed(&seed, sizeof(seed));                      /* mix the seed into the PRNG state */
RAND_bytes((unsigned char *)&rnum[0], sizeof(rnum)); /* output still differs on every run */

Where is the error?

Recommended answer

This is not an error. The OpenSSL random number generator does some seeding on its own using good sources of randomness.

So using the same seed value in RAND_seed does not guarantee the same sequence of random numbers. This is a Good Thing because it makes them less predictable and therefore more secure.

From the RAND_seed man page:

    #include <openssl/rand.h>

    void RAND_seed(const void *buf, int num);

    void RAND_add(const void *buf, int num, double entropy);

    int  RAND_status(void);

    int  RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam);
    void RAND_screen(void);

RAND_add() mixes the num bytes at buf into the PRNG state. Thus, if the data at buf are unpredictable to an adversary, this increases the uncertainty about the state and makes the PRNG output less predictable. Suitable input comes from user interaction (random key presses, mouse movements) and certain hardware events. The entropy argument is (the lower bound of) an estimate of how much randomness is contained in buf, measured in bytes. Details about sources of randomness and how to estimate their entropy can be found in the literature, e.g. RFC 1750.

RAND_add() may be called with sensitive data such as user entered passwords. The seed values cannot be recovered from the PRNG output.

OpenSSL makes sure that the PRNG state is unique for each thread. On systems that provide "/dev/urandom", the randomness device is used to seed the PRNG transparently. However, on all other systems, the application is responsible for seeding the PRNG by calling RAND_add(), RAND_egd(3) or RAND_load_file(3).

RAND_seed() is equivalent to RAND_add() when num == entropy.

So if your system has /dev/urandom, it will be used as the initial seed for the PRNG.
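The contrast the answer draws, as an added example that is not part of the original question or answer and does not use OpenSSL: `openssl_style_bytes` is a hypothetical toy model of a generator that mixes fresh OS randomness into whatever seed the caller supplies (so equal seeds give different output, as the questioner observed), while `deterministic_bytes` expands the PBKDF2-derived seed with an HKDF-Expand style construction, which is what to use when the output must depend only on the passphrase. The passphrase, salt and `info` label are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample inputs, not values from the original question.
PASSPHRASE = b"correct horse battery staple"
SALT = b"example-salt-16b"   # in practice a random, stored per-user salt
ITERATIONS = 100_000


def pbkdf2_seed(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The questioner's first step: a 32-byte seed via PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, dklen=32)


def openssl_style_bytes(seed: bytes, n: int) -> bytes:
    """Hypothetical model of RAND_seed + RAND_bytes (not OpenSSL's real algorithm):
    the caller's seed is mixed with fresh OS randomness before any output is
    produced, so two calls with the same seed return different bytes."""
    state = hashlib.sha256(seed + os.urandom(32)).digest()
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(state, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def deterministic_bytes(seed: bytes, n: int, info: bytes = b"rsa-keygen") -> bytes:
    """Deterministic expansion of the seed (HKDF-Expand shape, RFC 5869):
    the output depends only on seed, info and n, never on the OS RNG.
    Limited to 255 * 32 bytes by the single-byte block counter."""
    out = b""
    block = b""
    counter = 1
    while len(out) < n:
        block = hmac.new(seed, block + info + bytes([counter]), "sha256").digest()
        out += block
        counter += 1
    return out[:n]


if __name__ == "__main__":
    seed = pbkdf2_seed(PASSPHRASE, SALT)
    print("mixed  :", openssl_style_bytes(seed, 20).hex(), openssl_style_bytes(seed, 20).hex())
    print("derived:", deterministic_bytes(seed, 20).hex(), deterministic_bytes(seed, 20).hex())
```

Run twice: the "mixed" pair differs within and across runs, while the "derived" pair is identical every time, so any key material built from it can be regenerated from the passphrase alone.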
