[Cryptography] [RNG] /dev/random initialisation

David Johnston dj at deadhat.com
Wed Oct 30 00:09:57 EDT 2013


On 10/29/2013 8:59 PM, John Kelsey wrote:
> On Oct 28, 2013, at 5:28 PM, dj at deadhat.com <mailto:dj at deadhat.com> wrote:
>
> ...
>> But the specifications (SP800-90x & FIPS 140-2) make it spectacularly hard
>> to mix in multiple sources in a compliant way. SP800-90 gives a way to mix
>> in "additional entropy" and "personalization strings", but FIPS 140-2
>> states that all sources must be authenticated. All configuring entities
>> must be authenticated. Try authenticating hardware on one end of a chip
>> against hardware at the other end of the chip. It is the mother of all
>> chicken-and-egg problems.
>
> Wait, the FIPS labs refuse to let you put your own stuff into those 
> additional inputs?  That's the whole *point* of having them in the 
> DRBGs.  If you call generate with an additional input that is not 
> guessable to the attacker, starting with a DRBG state the attacker 
> knows, the DRBG is put into an unguessable-to-the-attacker state 
> before the output bits are generated.
>

But FIPS requires that the inputting entity be authenticated. In a chip 
scenario, that is silly. Especially when 'authenticated' means a FIPS 
authentication scheme where each on-chip bus attached entity has to be 
provisioned a cert by a third party or undergo some ephemeral key 
exchange with bignum arithmetic.
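The additional-input mechanism Kelsey refers to, shown as an added worked example that is not part of this thread: a minimal HMAC_DRBG over SHA-256 written from the SP 800-90A description (Instantiate, Update, Generate) to illustrate the point, with the all-zero seed standing in for a DRBG state the attacker already knows and the "secret" string standing in for an on-chip input the attacker cannot guess. Both values are constructed for the example, and the code is not a certified or validated implementation; it omits reseed limits, security-strength checks and health tests. It shows only the cryptographic effect of additional input on the state; the FIPS 140-2 authentication requirement the message above discusses is a validation constraint on who may supply that input, not something the algorithm itself enforces.

```python
import hmac
import hashlib

OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A, Section 10.1.2) over SHA-256.

    Illustration written from the spec for this example; not the thread's
    code and not a validated implementation.
    """

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed_material)
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: folds provided_data into both K and V.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        # Additional input is mixed into the state *before* any output bits
        # are produced, so an unguessable input moves the DRBG to an
        # unguessable state even if the prior state was known.
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        # Update again after output, as the spec requires (backtracking resistance).
        self._update(additional_input)
        self.reseed_counter += 1
        return temp[:n_bytes]


def outputs_from_known_state(additional_input: bytes) -> bytes:
    """Instantiate from a fixed seed (constructed: models a state the attacker
    knows) and generate 32 bytes with the given additional input."""
    drbg = HmacDrbg(entropy_input=b"\x00" * 32, nonce=b"\x00" * 16,
                    personalization=b"example-personalization")
    return drbg.generate(32, additional_input)


def additional_input_changes_output() -> bool:
    """True when a secret additional input yields different output than the
    attacker-predictable run from the same known state."""
    predictable = outputs_from_known_state(b"")
    with_secret = outputs_from_known_state(b"constructed-secret-from-on-chip-source")
    return predictable != with_secret


if __name__ == "__main__":
    print("known-state output :", outputs_from_known_state(b"").hex())
    print("with secret input  :", outputs_from_known_state(b"constructed-secret-from-on-chip-source").hex())
    print("differ:", additional_input_changes_output())
```

Run it as a script to see the two hex outputs; the first run is fully reproducible by anyone who knows the seed, the second is not without the additional input, which is the property Kelsey describes.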

