Reference Guide
Chapter 1: Changes Between MES 4.0.1 and 4.1.n.n
RSA BSAFE Micro Edition Suite 4.4 Migration Guide
TLS Changes
PRNG Security Enhancements
MES 4.1 introduced the following PRNG-related security enhancements:
• Random cryptographic objects are reseeded with a small amount of entropy after a
specified period of time to prevent attacks involving the cloning of virtual machines.
• Seed generation for DRBGs is enhanced by adding a default personalization string,
based on the current time, process ID, and thread ID, to the random cryptographic
object. Alternatively, application-defined personalization strings can be added.
While these features provide improved security, there can be TLS and SSL
performance overheads because of the number of random cryptographic objects
created for SSL contexts and SSL objects. Systems running an Oracle® Solaris®
operating system are particularly affected.
This overhead can be mitigated by turning off entropy reseeding and personalization
for random cryptographic objects used by SSL contexts and SSL objects. Before
creating any SSL context, call R_SSL_feature_set() with
SSL_FEATURE_DISABLE_RAND_PERSONALIZATION and
SSL_FEATURE_DISABLE_RAND_TIMED_RESEED.
For more information about these identifiers, see API Reference Information > TLS
Operations > SSL Object Operations > Identifiers > Feature in the RSA BSAFE
Micro Edition Suite Developers Guide.
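The following Python sketch is an added example, not RSA BSAFE code: it models the two enhancements listed above with a simplified DRBG patterned on HMAC_DRBG (NIST SP 800-90A) and shows what each one changes in the output. ToyDrbg, clone_outputs, same_seed_outputs, the 16-byte reseed size and the intervals are assumptions made for the illustration, and copy.deepcopy stands in for a virtual machine snapshot being cloned.

```python
import copy, hashlib, hmac, os, threading, time

def default_personalization():
    # Time, process ID and thread ID: the three inputs the guide names.
    return b"%d|%d|%d" % (time.time_ns(), os.getpid(), threading.get_ident())

class ToyDrbg:
    """Simplified HMAC-SHA256 DRBG (illustrative model, not the MES implementation)."""
    def __init__(self, entropy, personalization=b"", reseed_interval=None,
                 clock=time.monotonic, entropy_source=os.urandom):
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        self.interval, self.clock, self.entropy_source = reseed_interval, clock, entropy_source
        self._update(entropy + personalization)   # seed material includes the personalization
        self.last_reseed = clock()

    def _mac(self, data):
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, data=b""):
        self.K = self._mac(self.V + b"\x00" + data)
        self.V = self._mac(self.V)
        if data:
            self.K = self._mac(self.V + b"\x01" + data)
            self.V = self._mac(self.V)

    def generate(self, n):
        # Timed reseed: mix in a small amount of fresh entropy once the interval has elapsed.
        if self.interval is not None and self.clock() - self.last_reseed >= self.interval:
            self._update(self.entropy_source(16))
            self.last_reseed = self.clock()
        out = b""
        while len(out) < n:
            self.V = self._mac(self.V)
            out += self.V
        self._update()
        return out[:n]

def clone_outputs(reseed_interval, elapsed):
    """Clone one DRBG twice, advance a constructed clock, return both clones' output."""
    now = [0.0]
    drbg = ToyDrbg(os.urandom(32), default_personalization(), reseed_interval,
                   clock=lambda: now[0])
    a, b = copy.deepcopy(drbg), copy.deepcopy(drbg)   # identical internal state
    now[0] += elapsed
    return a.generate(32), b.generate(32)

def same_seed_outputs(p1, p2):
    seed = b"\x42" * 32   # constructed: two instances that received identical entropy
    return ToyDrbg(seed, p1).generate(32), ToyDrbg(seed, p2).generate(32)
```

In this model, clone_outputs(None, 120) returns two identical values, clone_outputs(60, 120) returns two different ones, and clone_outputs(60, 10) still returns identical values because the reseed interval has not yet elapsed.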