Broken RSA Keys (part 3: openssl)

OpenSSL uses the RANDFILE environment variable, or the RANDFILE setting in its config file (openssl.cnf), to locate a random seed file. During key generation it reads that file and mixes it with a few bytes from /dev/urandom to seed its internal pseudorandom number generator. (This describes OpenSSL up to 1.1.0. From 1.1.1 onward the generator seeds itself from the operating system, the seed file is only read when RANDFILE is set in the config or passed with -rand, and it is only rewritten when you pass -writerand, so the steps below matter mostly on older installations.)

On most systems your personal seed file is ~/.rnd, and for the purposes of this post I use ~/.rnd and RANDFILE interchangeably; substitute whatever RANDFILE resolves to in your configuration. OpenSSL should create ~/.rnd the first time it runs. If you generate a key and ~/.rnd still does not exist, dig through your environment variables and openssl.cnf to find where RANDFILE points. You will need it in a moment.

Every time openssl reads ~/.rnd it overwrites the file with a fresh seed for the next run. So to get strong entropy out of openssl, you only need to get strong entropy into this file once; from then on every openssl operation run as that user on that machine carries it forward.

The file is 1 KiB (8192 bits), but an openssl private key only has a cryptographic strength of around 128 or 256 bits (a 3072-bit RSA or DH private key has a strength of 128 bits). And when openssl reads your RANDFILE it mixes in extra bytes from /dev/urandom, which can only strengthen the key. So the RANDFILE does not need anywhere near 8192 bits of entropy; 32 bytes (256 bits) is plenty.

There are lots of easy ways to get this wrong. You could be reading the wrong openssl.cnf. You could have a typo in RANDFILE. The openssl build you are using could ignore the RANDFILE environment variable altogether. To rule all of these out, do this:

  • Run your openssl command.
  • Now check your ~/.rnd file (or whatever RANDFILE) to ensure it exists.
  • Get the md5sum.
  • Run your openssl command again.
  • Get the new md5sum, and ensure it’s different from before. This will ensure you’re definitely looking at the right RANDFILE, which is definitely being used by your openssl command.

Now, overwrite that file with a new random seed:
dd if=/dev/random bs=1 count=32 of=~/.rnd

Once the seed file is rewritten, run your openssl command for real, trusting that you have strong entropy from now on. Keep the file readable only by you (mode 0600): the seed is secret state, not something other users on the box should be able to read.
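The whole procedure above (run, check the file exists, hash, run again, compare, then reseed), as an added example script that is not part of the original post. It assumes RANDFILE falls back to ~/.rnd when the variable is unset, that md5sum or md5 is installed, and that the openssl command you pass is one that touches the seed file (openssl genrsa is used in the usage comment as a placeholder):

```sh
#!/bin/sh
# Added example (not from the original post): confirm that the RANDFILE you are
# looking at is the one your openssl command actually reads and rewrites, then
# reseed it with 256 bits from /dev/random. Assumptions: RANDFILE defaults to
# ~/.rnd when unset; md5sum or md5 is available.

RANDFILE="${RANDFILE:-$HOME/.rnd}"

# hash_file FILE: print a hash of FILE so two snapshots can be compared.
# md5 is only a change detector here, not a security property.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# randfile_is_live CMD [ARGS...]: run CMD twice. Succeeds only if RANDFILE
# exists afterwards and its hash changed between the two runs, i.e. CMD really
# reads this file and writes a fresh seed back to it.
randfile_is_live() {
    "$@" >/dev/null 2>&1 || return 2
    if [ ! -f "$RANDFILE" ]; then
        echo "no seed file at $RANDFILE after running: $*" >&2
        return 1
    fi
    before=$(hash_file "$RANDFILE")
    "$@" >/dev/null 2>&1 || return 2
    after=$(hash_file "$RANDFILE")
    if [ "$before" = "$after" ]; then
        echo "$RANDFILE unchanged after running: $*" >&2
        return 1
    fi
    return 0
}

# reseed_randfile: overwrite RANDFILE with 32 bytes (256 bits) from
# /dev/random, owner-readable only, and confirm the size.
reseed_randfile() {
    ( umask 077; dd if=/dev/random bs=1 count=32 of="$RANDFILE" 2>/dev/null ) || return 1
    chmod 600 "$RANDFILE"
    [ "$(wc -c < "$RANDFILE")" -eq 32 ]
}

# Usage: sh check_randfile.sh openssl genrsa -out /tmp/probe.key 2048
if [ "$#" -gt 0 ]; then
    if randfile_is_live "$@"; then
        echo "$RANDFILE is read and rewritten by: $*"
        reseed_randfile && echo "reseeded $RANDFILE with 256 bits from /dev/random"
    else
        echo "fix RANDFILE (environment or openssl.cnf) before generating real keys" >&2
        exit 1
    fi
fi
```

The probe key written by the usage command is throwaway; it only exists to make openssl touch the seed file. If randfile_is_live fails, the script has told you which of the two checks failed (file missing, or file never rewritten), which maps directly onto the error sources listed above.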

Please see also:

Broken RSA Keys (part1: the problem)
and
Broken RSA Keys (part 2: fixing ssh keys)
