
Re: heimdal and OpenSSL



On Fri, Jan 05, 2001 at 01:51:55AM +0100, Richard Levitte - VMS Whacker wrote:
> As an OpenSSL developer, I'd like to know what's the actual benefit of
> Heimdal's des_new_random_key() over OpenSSL's des_random_key().  I
> understand it's based on a different PRNG, is that the only real
> difference, or does the scrambling with des_ecb_encrypt() have a
> meaning I can't detect yet?

Gee, after looking at the various sources more closely, I am beginning
to think that the history might be something like this:

   KTH libdes:    des_random_key         a lame PRNG
   SSLeay:        des_random_key         same PRNG as above
   KTH libdes:    des_new_random_key     a replacement PRNG
   OpenSSL 0.9.5: des_random_key         basically a wrapper for RAND_bytes?
   
Which would imply that OpenSSL des_random_key and Heimdal
des_new_random_key are indeed interchangeable.  It would be nice if
someone who knows could confirm whether or not I'm off the deep end
here.

> The actual main difference that I can detect is that the PRNG in
> Heimdal's rnd_keys.c can take seeding from any of /dev/{,s,u}random
> (it's quite possible that I'll borrow some ideas for OpenSSL
> there...).

Hmm, OpenSSL only uses /dev/urandom by default?  Isn't that dangerous?
I guess that's OK if you don't have to seed very often.  I'll have to
try building it with /dev/random and see how it runs.

> In any case, since des_random_key() is provided in Heimdal for
> backward compatibility, can one assume that it and
> des_new_random_key() are actually interchangeable?  The comments in
> Heimdal's des.h seem to suggest that...
> 
> In that case, it might be possible for us to provide
> des_new_random_key() as an entry point in OpenSSL.  We'll see...

That would help, although one might as easily do this in the Heimdal
sources, or even just rename des_new_random_key to des_random_key in
the Heimdal sources.  Yes, I like this latter approach.

-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
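
An added illustration, not part of the message above and not code from Heimdal or OpenSSL: what a DES random-key routine has to do around its randomness source, whichever of /dev/{,s,u}random it reads from, namely take 8 bytes, force odd parity, and reject the weak and semi-weak keys. The function names, the device order in `main` and the fail-closed return are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* The low bit of each key byte is the DES parity bit: force odd parity. */
void set_odd_parity(unsigned char k[8]) {
    for (int i = 0; i < 8; i++) {
        int ones = 0;
        for (int bit = 1; bit < 8; bit++) ones += (k[i] >> bit) & 1;
        k[i] = (unsigned char)((k[i] & 0xFE) | ((ones & 1) ^ 1));
    }
}
/* The 4 weak and 12 semi-weak DES keys, with odd parity, as big-endian words. */
static const uint64_t WEAK[16] = {
    0x0101010101010101ULL, 0xFEFEFEFEFEFEFEFEULL, 0x1F1F1F1F0E0E0E0EULL, 0xE0E0E0E0F1F1F1F1ULL,
    0x01FE01FE01FE01FEULL, 0xFE01FE01FE01FE01ULL, 0x1FE01FE00EF10EF1ULL, 0xE01FE01FF10EF10EULL,
    0x01E001E001F101F1ULL, 0xE001E001F101F101ULL, 0x1FFE1FFE0EFE0EFEULL, 0xFE1FFE1FFE0EFE0EULL,
    0x011F011F010E010EULL, 0x1F011F010E010E01ULL, 0xE0FEE0FEF1FEF1FEULL, 0xFEE0FEE0FEF1FEF1ULL};
int is_weak_key(const unsigned char k[8]) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | k[i];
    for (int i = 0; i < 16; i++) if (v == WEAK[i]) return 1;
    return 0;
}

/* Key from the first readable device in paths[]; 0 on success, -1 if none works. */
int random_des_key(const char *const paths[], int n, unsigned char k[8]) {
    for (int p = 0; p < n; p++) {
        FILE *f = fopen(paths[p], "rb");
        if (!f) continue;
        setvbuf(f, NULL, _IONBF, 0); /* do not read ahead more entropy than used */
        int ok;
        do {
            ok = fread(k, 1, 8, f) == 8;
            if (ok) set_odd_parity(k);
        } while (ok && is_weak_key(k));
        fclose(f);
        if (ok) return 0;
    }
    return -1; /* fail closed: never hand back a non-random key */
}

int main(void) {
    /* Assumed device order; /dev/srandom is not present on every system. */
    const char *const paths[] = {"/dev/urandom", "/dev/srandom", "/dev/random"};
    unsigned char k[8];
    if (random_des_key(paths, 3, k) != 0) return 1;
    for (int i = 0; i < 8; i++) printf("%02x", k[i]);
    return putchar('\n') == EOF;
}
```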