Question

I just learned about the basics of public cryptography a few weeks ago and I am curious as to why the C rand() function should not be used for crypto schemes. For example, say I want to generate a private key using the C rand() function, along with srand(). Let's say srand() generates a seed based on system time (as in example http://www.cplusplus.com/reference/cstdlib/rand/). Is rand() therefore not acceptably pseudo random because the system time is not random (what if I based the seed on something more random)?

If this is the case, then how does OpenSSL generate random private keys? Moreover, how could an attacker exploit an OpenSSL implementation that uses C rand() the way I specified above?

Thank you.

Explanation / Answer

In the example you linked, the current time (specifically, a value representing the number of seconds elapsed since Jan 1, 1970 UTC) is used as the seed. If an attacker knows which year you generated your key, then that leaves only about 2^25 possible values for the seed --- and therefore only about 2^25 possible values for your key. At this point, he can guess your key pretty easily simply through brute force.

But let's say you find a better way to choose a seed, what then? Well, rand() will try to use this seed to generate a stream of random bits. But those bits won't be truly random, since they're based off a single seed value. So will they be close enough to random for cryptographic purposes? Probably not. Most PRNGs that aren't specifically designed to be cryptographically secure won't be good enough. They're designed for use in simulations and the like, not for times when there are smart and resourceful Bad Guys trying to do Bad Things.

OpenSSL seeds its PRNG using /dev/urandom (I'm not sure what it does on systems where this isn't available), and then uses its own PRNG to generate the random numbers.
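As an added illustration of the answer's point (this is my own example, not code from the original post or from OpenSSL): a key drawn from rand() after srand(time) is fully determined by one 32-bit seed, so a self-check that enumerates the plausible seed window reproduces it, while a key read from /dev/urandom (the source the answer names for OpenSSL's seed) has no seed to enumerate. The function names `weak_key`, `recover_seed` and `strong_key` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Derive n key bytes from the C library PRNG seeded with a single
   32-bit value, exactly the srand(time(NULL)) pattern in the question. */
void weak_key(uint32_t seed, unsigned char *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Self-check: search the seed window [lo, hi) for the seed that
   reproduces key. Returns the seed, or -1 if none is in the window.
   Each trial is one srand() plus n rand() calls, so a whole year of
   seconds (about 2^25 seeds) is a quick search, as the answer says. */
int64_t recover_seed(const unsigned char *key, size_t n,
                     uint32_t lo, uint32_t hi)
{
    unsigned char cand[64];
    if (n > sizeof cand) return -1;
    for (uint32_t s = lo; s < hi; s++) {
        weak_key(s, cand, n);
        if (memcmp(cand, key, n) == 0) return (int64_t)s;
    }
    return -1;
}

/* Fill n key bytes from the kernel entropy pool (/dev/urandom).
   Returns 0 on success, -1 if the device cannot be read in full. */
int strong_key(unsigned char *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

int main(void)
{
    unsigned char key[16];
    uint32_t t = (uint32_t)time(NULL);
    weak_key(t, key, sizeof key);
    /* Assume only that the key was generated within the last hour. */
    int64_t found = recover_seed(key, sizeof key, t - 3600, t + 1);
    printf("time-seeded key: seed %s\n", found == (int64_t)t ? "recovered" : "not found");
    printf("/dev/urandom key: %s\n", strong_key(key, sizeof key) == 0 ? "ok" : "unavailable");
    return 0;
}
```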