[Cryptography] [RNG] /dev/random initialisation

dj at deadhat.com dj at deadhat.com
Thu Oct 31 16:01:24 EDT 2013


> On 31/10/13 06:28 AM, John Kelsey wrote:
>> On Oct 30, 2013, at 2:09 PM, Jerry Leichter <leichter at lrw.com> wrote:

>
>> The restriction on external sources of additional input is pretty
>> obviously a misunderstanding--someone somewhere got confused between
>> entropy source inputs (which need to come from some trusted entropy
>> source) and additional inputs (which can come from anywhere).
>
>
> If it is a misunderstanding, it's had larger than normal ramifications.
>   There have been many reports of dropping all external sources as a
> need to get approval.  It's the process?
>
>

It's not a misunderstanding. It's right there in section 4 of FIPS 140-2.
FIPS 140-2 and SP800-90 are fundamentally incompatible.  It leads directly
to demands from the certification houses that cannot be met. Similarly I
can't get CTR_DRBG vectors out of a test lab that don't include additional
entropy. They read it as mandatory due to ambiguous text in the spec. The
situation for certifying a coincident boundary FIPS 140-2, SP800-90
circuit is thoroughly messed up in ways that compromise security.

I've detailed the details in my comments against SP800-90A, which I'll be
sending off in the next couple of days.

I'm not persuaded by the angst about malicious input. The text in SP800-90
around defining the 'consuming application' is just fine. The consuming
application can give the nonces, personalization strings and additional
entropy necessary to secure its own instance. If you trust the other guy
to supply your personalization string for you, good luck with that.

But it's FIPS 140-2 that prevents an unauthenticated consuming application
putting in the material necessary to get the random numbers necessary to
perform a secure authentication. A chicken and egg problem if ever there
was one.
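To make concrete where a consuming application's own material enters an SP 800-90A DRBG, here is an added example that is not part of this post or of any certified implementation. It implements Hash_DRBG with SHA-256 rather than the CTR_DRBG discussed above, because Hash_DRBG needs only hashlib; the instantiate/reseed/generate interface, and the points at which the nonce, personalization string and additional input are mixed in, are the same across all three SP 800-90A mechanisms. The entropy input and nonce values are constructed constants so the run is reproducible; they are not real entropy.

```python
"""Minimal SP 800-90A Hash_DRBG (SHA-256), added illustration only.
Shows the three consuming-application inputs: nonce and personalization
string at instantiate, additional_input at reseed and generate."""
import hashlib

OUTLEN = 32            # SHA-256 output length in bytes
SEEDLEN = 55           # 440 bits for SHA-256 (SP 800-90A Table 2)
RESEED_INTERVAL = 2 ** 48


def hash_df(data: bytes, out_bytes: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): Hash(counter || bits_to_return || data), concatenated."""
    out = b""
    counter = 1
    bits_to_return = (out_bytes * 8).to_bytes(4, "big")
    while len(out) < out_bytes:
        out += hashlib.sha256(bytes([counter]) + bits_to_return + data).digest()
        counter += 1
    return out[:out_bytes]


def _add_mod_seedlen(v: bytes, *terms: int) -> bytes:
    """(v + sum(terms)) mod 2^seedlen, as the spec's V update steps require."""
    x = int.from_bytes(v, "big")
    for t in terms:
        x = (x + t) % (1 << (8 * SEEDLEN))
    return x.to_bytes(SEEDLEN, "big")


class HashDRBG:
    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: the consuming application supplies nonce and personalization string.
        seed = hash_df(entropy_input + nonce + personalization, SEEDLEN)
        self.V = seed
        self.C = hash_df(b"\x00" + seed, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Reseed: fresh entropy plus optional additional input from the application.
        seed = hash_df(b"\x01" + self.V + entropy_input + additional_input, SEEDLEN)
        self.V = seed
        self.C = hash_df(b"\x00" + seed, SEEDLEN)
        self.reseed_counter = 1

    def _hashgen(self, n_bytes: int) -> bytes:
        data = int.from_bytes(self.V, "big")
        out = b""
        while len(out) < n_bytes:
            out += hashlib.sha256(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % (1 << (8 * SEEDLEN))
        return out[:n_bytes]

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            # Optional per-request input: folded into V before output is produced.
            w = hashlib.sha256(b"\x02" + self.V + additional_input).digest()
            self.V = _add_mod_seedlen(self.V, int.from_bytes(w, "big"))
        out = self._hashgen(n_bytes)
        h = hashlib.sha256(b"\x03" + self.V).digest()
        self.V = _add_mod_seedlen(
            self.V, int.from_bytes(h, "big"), int.from_bytes(self.C, "big"), self.reseed_counter
        )
        self.reseed_counter += 1
        return out


# Constructed, fixed values so the example is reproducible. NOT real entropy.
ENTROPY = bytes(range(32))
NONCE = b"\xaa" * 16


def instance_output(personalization: bytes, additional_input: bytes = b"") -> bytes:
    """Instantiate with the given personalization string and draw 32 bytes."""
    drbg = HashDRBG(ENTROPY, NONCE, personalization)
    return drbg.generate(32, additional_input)


if __name__ == "__main__":
    print(instance_output(b"app-instance-A", b"request-1").hex())
    print(instance_output(b"app-instance-B", b"request-1").hex())
```

Two instances fed identical entropy and nonce but different personalization strings diverge from the first output block, which is the property that lets a consuming application separate its own DRBG instance from anyone else's without relying on the other party to choose that string for it.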
