| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Jun 2021 13:49:24 -0700
From: "H. Peter Anvin" <hpa@...or.com>
To: James Morris <jamorris@...ux.microsoft.com>,
Stephan Mueller <smueller@...onox.de>
CC: Mickaël Salaün <mic@...ikod.net>,
David Miller <davem@...emloft.net>,
Herbert Xu <herbert@...dor.apana.org.au>,
John Haxby <john.haxby@...cle.com>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Simo Sorce <simo@...hat.com>, linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org,
Mickaël Salaün <mic@...ux.microsoft.com>,
tytso@....edu
Subject: Re: [PATCH v1] crypto: Make the DRBG compliant with NIST SP800-90A rev1
This one really does keep coming back like yesterday's herring, doesn't it...
On June 23, 2021 10:00:29 AM PDT, James Morris <jamorris@...ux.microsoft.com> wrote:
>On Wed, 23 Jun 2021, Stephan Mueller wrote:
>
>>
>> > These changes replace the use of the Linux RNG with the Jitter RNG,
>> > which is NIST SP800-90B compliant, to get a proper entropy input
>and a
>> > nonce as defined by FIPS.
>>
>> Can you please help me understand what is missing in the current code
>which
>> seemingly already has achieved this goal?
>
>The advice we have is that if an attacker knows the internal state of
>the
>CPU, then the output of the Jitter RNG can be predicted.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Powered by blists - more mailing lists