Seeding of the random number generator

[theShmoo]

We use the latest version of the Intel SGX SDK. (intel/linux-sgx: Intel SGX for Linux* (github.com)
Also we need to use OpenSSL in the Intel SGX Enclave. For that we use the up to date version of intel-sgx-ssl.

We recognized that you replace the rand_lib.c of OpenSSL with your own version: intel-sgx-ssl/rand_lib.c at master · intel/intel-sgx-ssl (github.com))

But your version does not provide any possibility to seed the random number generator!

In the lines #L847-L854
you see that the seed function pointer is just empty.

If you then call RAND_seed just nothing happens! Which is extremely dangerous, if we would not have looked at your source code, we would have never detected this problem! We need to seed the random number generator with numbers provided by a Hardware Security Module as a requirement.

What do you suggest? Why is this not implemented? Is there another way to seed?

[theShmoo]

your Linux Developer Guide says in "5. Appendix A: Supported APIs" RAND_seed is supported

[ShundaZhang]

We use the latest version of the Intel SGX SDK. (intel/linux-sgx: Intel SGX for Linux* (github.com)
Also we need to use OpenSSL in the Intel SGX Enclave. For that we use the up to date version of intel-sgx-ssl.

We recognized that you replace the rand_lib.c of OpenSSL with your own version: intel-sgx-ssl/rand_lib.c at master · intel/intel-sgx-ssl (github.com))

But your version does not provide any possibility to seed the random number generator!

In the lines #L847-L854
you see that the seed function pointer is just empty.

If you then call RAND_seed just nothing happens! Which is extremely dangerous, if we would not have looked at your source code, we would have never detected this problem! We need to seed the random number generator with numbers provided by a Hardware Security Module as a requirement.

What do you suggest? Why is this not implemented? Is there another way to seed?

1. By default, SGXSSL provides the RDRAND engine, which doesn't need seed, referring to OpenSSL:
   https://github.com/openssl/openssl/blob/3b1978e4860770089b6244c549059c43bd9cc4da/crypto/engine/eng_rdrand.c#L43-L49
   We don’t provide seed in SGXSSL doesn’t impact the security of random number in SGXSSL if user use RDRAND by default.

To your question, we suggest you to use the default RDRAND engine without seed, it is secure.

2. But if user manually choose RAND_seed() with their software PRNG, it will cause security issue if RAND_seed() is empty. Yes, we should support RAND_seed(), and we are implanting RAND_seed() with RDSEED.

[theShmoo]

Thank you for your response!

Do the random numbers generated by RDRAND comply with the specifications from AIS-20?

It is hard for us to understand all the details and for us it would be easier to just seed the PRNG by our self. But if RDRAND is good enough for this specification it would be great.

[ShundaZhang]

Thank you for your response!

Do the random numbers generated by RDRAND comply with the specifications from AIS-20?

It is hard for us to understand all the details and for us it would be easier to just seed the PRNG by our self. But if RDRAND is good enough for this specification it would be great.

Yes, I think the random numbers generated correctly by RDRAND comply with AIS20. You can refer to https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/LinuxRNG/LinuxRNG_EN.pdf?__blob=publicationFile&v=20
Intel RDRAND is a HW based instruction, and a NDRNG (Nondeterministic Random Number Generator), complies NIST 800-90 A/B/C and BSI AIS-20/31.

[theShmoo]

Thank you very much for your help!

We will consider using "only" RDRAND. I will update you here if it is sufficient for us.

I won't close the issue, because I consider it a bug that the RAND_seed method just does nothing. But feel free to close if you disagree.