[Cryptography] [RNG] /dev/random initialisation

dj at deadhat.com dj at deadhat.com
Thu Oct 31 17:43:54 EDT 2013


>> On 31/10/13 06:28 AM, John Kelsey wrote:
>>> On Oct 30, 2013, at 2:09 PM, Jerry Leichter <leichter at lrw.com> wrote:
>
>>
>>> The restriction on external sources of additional input is pretty
>>> obviously a misunderstanding--someone somewhere got confused between
>>> entropy source inputs (which need to come from some trusted entropy
>>> source) and additional inputs (which can come from anywhere).
>>
>>
>> If it is a misunderstanding, it's had larger than normal ramifications.
>>   There have been many reports of dropping all external sources as a
>> need to get approval.  It's the process?
>>
>>
>
> It's not a misunderstanding. It's right there in section 4 of FIPS 140-2.

And what are we supposed to do with 4.9.2 of FIPS 140-2? That reduces the
output entropy to considerably less than (1-epsilon) | epsilon < 1/2^64,
as required by SP800-90A.

If ever there was a clause that I thought was inserted to weaken an RNG
spec, that would be it.

Please re-open FIPS 140-2 for comment.

"If each call to a RNG produces blocks of n bits (where n > 15), the first
n-bit block generated after power-up, initialization, or reset shall not
be used, but shall be saved for comparison with the next n-bit block to be
generated. Each subsequent generation of an n-bit block shall be compared
with the previously generated block. The test shall fail if any two
compared n-bit blocks are equal."
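
The following is an added example, not code from the original post or from any FIPS reference implementation. It does two things with the 4.9.2 clause quoted above: it wraps an n-bit block source with the continuous test exactly as the clause describes (first block saved and discarded, each later block compared with its predecessor, failure on equality), and it computes how much entropy per block that comparison removes from an otherwise uniform generator, since conditioned on passing the test each block is uniform over the 2^n - 1 values that differ from the previous block rather than over all 2^n. The class and function names (ContinuousRngTest, run_test, entropy_deficit_bits) are assumptions chosen for this illustration, and the block sequences fed in are constructed inputs.

```python
"""FIPS 140-2 section 4.9.2 continuous RNG test, plus the per-block entropy
deficit the test imposes on a uniform n-bit generator.

Added example; not code from the original post. Names below are assumptions.
"""

import math
import os
from typing import Iterable, List, Optional, Tuple


class ContinuousRngTest:
    """Applies the 4.9.2 continuous test to an n-bit block source.

    The first block after initialisation is never returned; it is only kept
    for comparison with the next block. Every subsequent block is compared
    with its predecessor, and equality raises RuntimeError (the test fails).
    """

    def __init__(self, n_bits: int) -> None:
        if n_bits <= 15:
            raise ValueError("4.9.2 applies to block sizes n > 15")
        if n_bits % 8:
            raise ValueError("this illustration handles whole-byte blocks only")
        self.n_bytes = n_bits // 8
        self._prev: Optional[bytes] = None  # last block seen; None until primed
        self.blocks_discarded = 0

    def feed(self, block: bytes) -> Optional[bytes]:
        """Pass one raw block through the test.

        Returns the block if it may be used, or None for the discarded first
        block. Raises RuntimeError if the block equals its predecessor.
        """
        if len(block) != self.n_bytes:
            raise ValueError("block size mismatch")
        if self._prev is None:
            self._prev = block
            self.blocks_discarded += 1
            return None
        if block == self._prev:
            raise RuntimeError("continuous RNG test failed: repeated block")
        self._prev = block
        return block


def run_test(n_bits: int, blocks: Iterable[bytes]) -> Tuple[List[bytes], bool]:
    """Run the continuous test over a sequence of raw blocks.

    Returns (usable_blocks, failed): the blocks that passed, and True if two
    consecutive blocks were equal (output stops at the failure point).
    """
    test = ContinuousRngTest(n_bits)
    usable: List[bytes] = []
    try:
        for block in blocks:
            out = test.feed(block)
            if out is not None:
                usable.append(out)
    except RuntimeError:
        return usable, True
    return usable, False


def entropy_deficit_bits(n_bits: int) -> float:
    """Entropy removed per block by forbidding a repeat of the previous block.

    A uniform n-bit block carries n bits. Conditioned on passing 4.9.2 it is
    uniform over the 2^n - 1 values that differ from its predecessor, so it
    carries log2(2^n - 1) bits. The deficit is -log2(1 - 2^-n), which is
    approximately 2^-n / ln 2. log1p is used so the result stays accurate
    for large n, where 1 - 2^-n would round to 1.0 in floating point.
    """
    return -math.log1p(-(2.0 ** (-n_bits))) / math.log(2)


if __name__ == "__main__":
    # Constructed inputs: a repeat of the saved first block, a repeat later
    # on, and a non-consecutive repeat (which the clause does not forbid).
    print(run_test(16, [b"\x01\x02", b"\x01\x02"]))
    print(run_test(16, [b"\x01\x02", b"\x03\x04", b"\x03\x04"]))
    print(run_test(32, [b"\x00" * 4, b"\x00\x00\x00\x01", b"\x00" * 4]))
    # A real source: os.urandom is not a FIPS module, used here only as input.
    print(run_test(128, (os.urandom(16) for _ in range(5)))[1])
    for n in (16, 32, 64, 128):
        print(n, entropy_deficit_bits(n))
```

Note that the clause only forbids a block equal to its immediate predecessor; a value recurring two or more blocks later passes, so the third case above does not fail. The deficit function gives the cost of that constraint for any block size, which is what a reviewer of the clause would want alongside the text.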
