Date: Tue, 28 Nov 2006 10:13:46 -0200
From: Henrique de Moraes Holschuh <hmh@....eng.br>
To: Ben Pfaff <blp@...stanford.edu>
Cc: linux-kernel@...r.kernel.org
Subject: Re: Entropy Pool Contents

On Mon, 27 Nov 2006, Ben Pfaff wrote:
> daw@...berkeley.edu (David Wagner) writes:
> > Well, if you want to talk about really high-value keys like the scenarios
> > you mention, you probably shouldn't be using /dev/random, either; you
> > should be using a hardware security module with a built-in FIPS certified
> > hardware random number source.
>
> Is there such a thing? "Annex C: Approved Random Number
> Generators for FIPS PUB 140-2, Security Requirements for
> Cryptographic Modules", or at least the version of it I was able
> to find with Google in a few seconds, simply states:
>
>     There are no FIPS Approved nondeterministic random number
>     generators.

There used to exist a battery of tests for this, but a FIPS revision removed
them. You cannot really easily define a True RNG as secure or not with
simple tests.

I'd suggest googling after the papers validating the Intel and VIA PadLock
hardware RNGs, they are much better reading than FIPS for this.

If you want a software implementation of all the former FIPS tests, please
get the Debian fork of rng-tools, or Jeff's upstream rng-tools (Debian's has
a lot more stuff, but I don't recall if it has any extra FIPS
functionality).

I should get around to submitting patches to Jeff one of these years. It is
about a week-man-hours of tedious work, though.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
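
Added illustration, not part of the original message and not code from rng-tools: the reply's point that simple tests cannot establish that a generator is secure, shown with three of the four statistical tests from the original FIPS 140-2 text (monobit, poker, long run; the runs test is omitted) and that text's thresholds for a 20,000-bit sample. The function names and both constructed inputs are assumptions made for this example.

```python
# Added example: statistical checks on a 20,000-bit sample, with the pass
# ranges of the original FIPS 140-2 text. All names here are hypothetical.
from itertools import groupby

BLOCK_BYTES = 2500  # 20,000 bits


def to_bits(block: bytes) -> str:
    """Bit string of the block, most significant bit of each byte first."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("the tests are defined on exactly 20,000 bits")
    return "".join(format(b, "08b") for b in block)


def monobit(block: bytes) -> int:
    """Number of one bits; the pass range is 9725 < n < 10275."""
    return to_bits(block).count("1")


def poker(block: bytes) -> float:
    """Statistic over the 5,000 nibbles; the pass range is 2.16 < x < 46.17."""
    counts = [0] * 16
    for b in block:
        counts[b >> 4] += 1
        counts[b & 0x0F] += 1
    return 16 * sum(c * c for c in counts) / 5000 - 5000


def longest_run(block: bytes) -> int:
    """Longest run of identical bits; a run of 26 or more fails."""
    return max(len(list(g)) for _, g in groupby(to_bits(block)))


def passes(block: bytes) -> bool:
    return (9725 < monobit(block) < 10275
            and 2.16 < poker(block) < 46.17
            and longest_run(block) < 26)


def counter_block() -> bytes:
    """Constructed input: a fully predictable byte counter 0x00, 0x01, ..."""
    return bytes(i % 256 for i in range(BLOCK_BYTES))


def stuck_block() -> bytes:
    """Constructed input: a source stuck at zero."""
    return bytes(BLOCK_BYTES)


if __name__ == "__main__":
    for name, blk in (("counter", counter_block()), ("stuck", stuck_block())):
        print(name, monobit(blk), round(poker(blk), 3), longest_run(blk), passes(blk))
```

The byte counter is completely predictable yet passes all three checks; only the stuck-at-zero source is rejected.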