Lines Matching +full:on +full:- +full:resistance
134 .TH EVP_RAND 7ossl "2023-09-19" "3.0.11" "OpenSSL"
140 EVP_RAND \- the random bit generator
149 The default OpenSSL \s-1RAND\s0 method is based on the \s-1EVP_RAND\s0 classes to provide
150 non-deterministic inputs to other cryptographic algorithms.
152 While the \s-1RAND API\s0 is the 'frontend' which is intended to be used by
153 application developers for obtaining random bytes, the \s-1EVP_RAND API\s0
156 bit generators (\s-1DRBG\s0) and their configuration parameters.
157 A \s-1DRBG\s0 is a certain type of cryptographically-secure pseudo-random
158 number generator (\s-1CSPRNG\s0), which is described in
159 [\s-1NIST SP 800\-90A\s0 Rev. 1].
163 it is in general not necessary to utilize the \s-1EVP_RAND API\s0 directly.
165 \&\fBRAND_priv_bytes\fR\|(3), see also \s-1\fBRAND\s0\fR\|(7).
170 You want to use your own private \s-1DRBG\s0 instances.
171 Multiple \s-1DRBG\s0 instances which are accessed only by a single thread provide
177 Refer to \fBprovider\-rand\fR\|(7) for the implementation details to support adding
178 randomness sources to \s-1EVP_RAND.\s0
180 You need to change the default settings of the standard OpenSSL \s-1RAND\s0
184 An \s-1EVP_RAND\s0 instance can be used as the entropy source of another
185 \&\s-1EVP_RAND\s0 instance, provided it has itself access to a valid entropy source.
186 The \s-1EVP_RAND\s0 instance which acts as entropy source is called the \fIparent\fR,
187 the other instance the \fIchild\fR. Typically, the child will be a \s-1DRBG\s0 because
190 This is called chaining. A chained \s-1EVP_RAND\s0 instance is created by passing
191 a pointer to the parent \s-1EVP_RAND_CTX\s0 as argument to the \fBEVP_RAND_CTX_new()\fR call.
192 It is possible to create chains of more than two \s-1DRBG\s0 in a row.
193 It is also possible to use any \s-1EVP_RAND_CTX\s0 class as the parent, however, only
197 Currently, there are three shared \s-1DRBG\s0 instances,
198 the <primary>, <public>, and <private> \s-1DRBG.\s0
199 While the <primary> \s-1DRBG\s0 is a single global instance, the <public> and <private>
200 \&\s-1DRBG\s0 are created per thread and accessed through thread-local storage.
203 the thread-local <public> and <private> \s-1DRBG\s0 instance, respectively.
204 .SS "The <primary> \s-1DRBG\s0 instance"
206 The <primary> \s-1DRBG\s0 is not used directly by the application, only for reseeding
207 the other two \s-1DRBG\s0 instances. It reseeds itself by obtaining randomness
210 .SS "The <public> \s-1DRBG\s0 instance"
213 .SS "The <private> \s-1DRBG\s0 instance"
218 The <primary> \s-1DRBG\s0 is intended to be accessed concurrently for reseeding
219 by its child \s-1DRBG\s0 instances. The necessary locking is done internally.
220 It is \fInot\fR thread-safe to access the <primary> \s-1DRBG\s0 directly via the
221 \&\s-1EVP_RAND\s0 interface.
222 The <public> and <private> \s-1DRBG\s0 are thread-local, i.e. there is an
224 locking via the \s-1EVP_RAND\s0 interface.
226 Pointers to these \s-1DRBG\s0 instances can be obtained using
228 Note that it is not allowed to store a pointer to one of the thread-local
229 \&\s-1DRBG\s0 instances in a variable or other memory location where it will be
232 All other \s-1DRBG\s0 instances created by an application don't support locking,
234 Instead of accessing a single \s-1DRBG\s0 instance concurrently from different
235 threads, it is recommended to instantiate a separate \s-1DRBG\s0 instance per
236 thread. Using the <primary> \s-1DRBG\s0 as entropy source for multiple \s-1DRBG\s0
237 instances on different threads is thread-safe, because the \s-1DRBG\s0 instance
238 will lock the <primary> \s-1DRBG\s0 automatically for obtaining random input.
241 The following picture gives an overview over how the \s-1DRBG\s0 instances work
245 \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
247 \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
249 \& v +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
250 \& RAND_add() ==> <primary> <\-| shared DRBG (with locking) |
251 \& / \e +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
252 \& / \e +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\…
253 \& <public> <private> <\- | per\-thread DRBG instances |
254 \& | | +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
259 \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-…
262 \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-…
272 A \s-1DRBG\s0 instance seeds itself automatically, pulling random input from
274 system entropy source, or another \s-1DRBG\s0 with access to such a source.
278 time using the \-\-with\-rand\-seed option. The following sections explain
282 Before satisfying a generate request (\fBEVP_RAND_generate\fR\|(3)), the \s-1DRBG\s0
285 \&\- the \s-1DRBG\s0 was not instantiated (=seeded) yet or has been uninstantiated.
287 \&\- the number of generate requests since the last reseeding exceeds a
291 \&\- the time elapsed since the last reseeding exceeds a certain time
295 \&\- the \s-1DRBG\s0 is in an error state.
298 the \s-1DRBG\s0 is seeding or reseeding.
299 The last case ensures that the \s-1DRBG\s0 automatically recovers
304 reseeding of the \s-1DRBG\s0 with fresh entropy by setting the
305 \&\fIprediction resistance\fR parameter to 1 when calling
308 The document [\s-1NIST SP 800\-90C\s0] describes prediction resistance requests
309 in detail and imposes strict conditions on the entropy sources that are
310 approved for providing prediction resistance.
311 A request for prediction resistance can only be satisfied by pulling fresh
312 entropy from a live entropy source (section 5.5.2 of [\s-1NIST SP 800\-90C\s0]).
319 (or \fBRAND_seed\fR\|(3)), then this will immediately reseed the <primary> \s-1DRBG.\s0
320 The <public> and <private> \s-1DRBG\s0 will detect this on their next generate
327 The \s-1DRBG\s0 distinguishes two different types of random input: \fIentropy\fR,
335 for automatically seeding and reseeding its <primary> \s-1DRBG.\s0 In some cases
337 configuration, using the \-\-with\-rand\-seed option. For more information,
338 see the \s-1INSTALL\s0 instructions. There are also operating systems where no
342 \&\s-1DRBG,\s0 depending on whether automatic reseeding is available or not.
343 .SS "Reseeding the primary \s-1DRBG\s0 with automatic seeding enabled"
345 Calling \fBRAND_poll()\fR or \fBRAND_add()\fR is not necessary, because the \s-1DRBG\s0
347 However, both calls are permitted, and do reseed the \s-1RNG.\s0
349 \&\fBRAND_add()\fR can be used to add both kinds of random input, depending on the
354 the \s-1DRBG.\s0
360 (resp. reinstantiation) if the \s-1DRBG\s0 is instantiated
363 security strength of the \s-1DRBG.\s0 Currently it defaults to 256 bits (32 bytes).
368 \&\s-1NOTE:\s0 Manual reseeding is *not allowed* in \s-1FIPS\s0 mode, because
369 [\s-1NIST\s0 SP\-800\-90Ar1] mandates that entropy *shall not* be provided by
374 .SS "Reseeding the primary \s-1DRBG\s0 with automatic seeding disabled"
380 the (re\-)seeding of the \s-1DRBG\s0 will fail. This corresponds to one and a half
381 times the security strength of the \s-1DRBG.\s0 The extra half is used for the
384 More precisely, the number of bytes needed for seeding depends on the
385 \&\fIsecurity strength\fR of the \s-1DRBG,\s0 which is set to 256 by default.
388 \&\s-1\fBRAND\s0\fR\|(7), \s-1\fBEVP_RAND\s0\fR\|(3)
394 Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
398 in the file \s-1LICENSE\s0 in the source distribution or at