[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal and OpenSSL

On Fri, Jan 05, 2001 at 01:51:55AM +0100, Richard Levitte - VMS Whacker wrote:
> As an OpenSSL developer, I'd like to know what's the actual benefit of
> Heimdals des_new_random_key() over OpenSSLs des_random_key().  I
> understand it's based on a different PRNG, is that the only real
> difference, or does the scrambling with des_ecb_encrypt() have a
> meaning I can't detect yet?

Gee, after looking at the various sources more closely, I am beginning
to think that the history might be something like this:

   KTH libdes:    des_random_key         a lame PRNG
   SSLeay:        des_random_key         same PRNG as above
   KTH libdes:    des_new_random_key     a replacement PRNG
   OpenSSL 0.9.5: des_random_key         basically a wrapper for RAND_bytes?
Which would imply that OpenSSL des_random_key and Heimdal
des_new_random_key are indeed interchangeable.  It would be nice if
someone who knows could confirm whether or not I'm off the deep end

> The actual main difference that I can detect is that the PRNG in
> Heimdals rnd_keys.c can take seeding from any of /dev/{,s,u}random
> (it's quite possible that I'll borrow some ideas for OpenSSL
> there...).

Hmm, OpenSSL only uses /dev/urandom by default?  Isn't that dangerous?
I guess that's OK if you don't have to seed very often.  I'll have to
try building it with /dev/random and see how it runs.

> In any case, since des_random_key() is provided in Heimdal for
> backward compatibility, can one assume that it and
> des_new_random_key() are actually interchangeable?  The comments in
> Heimdals des.h seem to suggest that...
> In that case, it might be possible for us to provide
> des_new_random_key() as an entry point in OpenSSL.  We'll see...

That would help, although one might as easily do this in the Heimdal
sources, or even just rename des_new_random_key to des_random_key in
the Heimdal sources.  Yes, I like this latter approach.

Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org