Diffstat (limited to 'doc/man7/RAND.pod')
-rw-r--r-- doc/man7/RAND.pod 35
1 files changed, 16 insertions, 19 deletions
diff --git a/doc/man7/RAND.pod b/doc/man7/RAND.pod
index e253e9025d..d5fa154224 100644
--- a/doc/man7/RAND.pod
+++ b/doc/man7/RAND.pod
@@ -33,11 +33,12 @@ is available or the trusted source(s) temporarily fail to provide sufficient
random seed material.
In this case the CSPRNG enters an error state and ceases to provide output,
until it is able to recover from the error by reseeding itself.
-For more details on reseeding and error recovery, see L<RAND_DRBG(7)>.
+For more details on reseeding and error recovery, see L<EVP_RAND(7)>.
For values that should remain secret, you can use L<RAND_priv_bytes(3)>
instead.
-This method does not provide 'better' randomness, it uses the same type of CSPRNG.
+This method does not provide 'better' randomness, it uses the same type of
+CSPRNG.
The intention behind using a dedicated CSPRNG exclusively for private
values is that none of its output should be visible to an attacker (e.g.,
used as salt value), in order to reveal as little information as
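Review bot: the new cross-reference `L<EVP_RAND(7)>` in the reseeding sentence points at section 7, but the SEE ALSO list this patch edits further down adds only `L<EVP_RAND(3)>`. Either list the section 7 page in SEE ALSO as well, or confirm that the reseeding and error-recovery text really lives in the page being linked here, so readers following the old RAND_DRBG(7) pointer do not land on a page without that material. The re-wrap of the "This method does not provide 'better' randomness" line is whitespace only; since the line is being touched anyway, the comma splice could be fixed ("randomness; it uses the same type of CSPRNG").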
@@ -45,35 +46,31 @@ possible about its internal state, and that a compromise of the "public"
CSPRNG instance will not affect the secrecy of these private values.
In the rare case where the default implementation does not satisfy your special
-requirements, there are two options:
+requirements, the default RAND method can be replaced by your own RAND
+method using L<RAND_set_rand_method(3)>.
-=over 2
+Changing the default random generator should be necessary
+only in exceptional cases and is not recommended, unless you have a profound
+knowledge of cryptographic principles and understand the implications of your
+changes.
-=item *
+=head1 DEAFULT SETUP
-Replace the default RAND method by your own RAND method using
-L<RAND_set_rand_method(3)>.
+The default OpenSSL RAND method is based on the EVP_RAND deterministic random
+bit generator (DRBG) classes.
+A DRBG is a certain type of cryptographically-secure pseudo-random
+number generator (CSPRNG), which is described in [NIST SP 800-90A Rev. 1].
-=item *
-
-Modify the default settings of the OpenSSL RAND method by modifying the security
-parameters of the underlying DRBG, which is described in detail in L<RAND_DRBG(7)>.
-
-=back
-
-Changing the default random generator or its default parameters should be necessary
-only in exceptional cases and is not recommended, unless you have a profound knowledge
-of cryptographic principles and understand the implications of your changes.
=head1 SEE ALSO
-L<RAND_add(3)>,
L<RAND_bytes(3)>,
L<RAND_priv_bytes(3)>,
L<RAND_get_rand_method(3)>,
L<RAND_set_rand_method(3)>,
L<RAND_OpenSSL(3)>,
-L<RAND_DRBG(7)>
+L<EVP_RAND(3)>,
+L<RAND_get0_primary(3)>
=head1 COPYRIGHT
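Review bot: the added heading `=head1 DEAFULT SETUP` is misspelled and should be `=head1 DEFAULT SETUP`; as a head1 it becomes a section title and link anchor, so the typo is worth fixing before merge. In the same section, `[NIST SP 800-90A Rev. 1]` is a bare bracketed citation with no matching reference entry or `L<>` link visible in this diff; either link it or add the reference. In SEE ALSO, `L<RAND_add(3)>` is dropped and `L<RAND_get0_primary(3)>` is added without the new text mentioning either; a sentence in the DEFAULT SETUP section tying in `RAND_get0_primary` and a note on why `RAND_add` no longer belongs here would make the list changes self-explanatory.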