[Cryptography] [RNG] /dev/random initialisation

Nico Williams nico at cryptonector.com
Thu Oct 31 02:57:10 EDT 2013


On Wed, Oct 30, 2013 at 11:28:18PM -0400, John Kelsey wrote:
> The part of the standard involving entropy sources isn't done yet, but
> when it is, RBGs really will have to ultimately be fed by an approved
> entropy source.  The alternative seems to be leaving people in the
> current situation, where there's more or less no way of knowing how
> much entropy is being collected, or where it's coming from.  If the
> entropy source is good, then the RBG should end up secure.  

I've been wishing it were so for many years.  Certification can be
everything to a vendor, and when the standards and labs require a bad
result, the vendor provides it.  Management demands it, the engineers
that don't like it move on to other projects, and the ones that don't
know better do what they're told.  It's just too difficult to argue with
anyone about the requirements that must be met to get a certification.

Or at least that's the perception.  That perception is wrong: I've
actually succeeded in getting NIST to change a proposed requirement in
the past (or so I was told after the fact, verbally; my emailed comments
actually went unanswered at the time).  But not that long ago colleagues
running a product past certification were emphatic that changing the
requirements was just too difficult/expensive/not worthwhile.

Standards can be a source of systemic risk.  This is true even in the
absence of conspiracies: just because of inertia.  Standards can also be
a source of stability and can prevent serious mistakes -- also because
of inertia.  Lack of standards is worse.

> The restriction on external sources of additional input is pretty
> obviously a misunderstanding--someone somewhere got confused between
> entropy source inputs (which need to come from some trusted entropy
> source) and additional inputs (which can come from anywhere).  

It's a reasonable explanation.  For 2004.  It's still believable in 2013
because most of us don't deal in FIPS-anything, so we can (and do) shrug
it all off.  But it's also a bit embarrassing.  As someone here recently
said (Peter Gutmann, IIRC), we thought "oh, you were serious about
that?!".  But, yes, standards with certification lab enforcement are
serious, therefore we should not shrug them off.  AND, in order to do
that, the standards bodies in question have to be accessible.

Nico
-- 