[147932] in cryptography@c2.net mail archive


Re: [Cryptography] [RNG] /dev/random initialisation

daemon@ATHENA.MIT.EDU (dj@deadhat.com)
Thu Oct 31 23:46:49 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <4a0dcda87c6a9f1f0bc548c8f17fae01.squirrel@www.deadhat.com>
Date: Thu, 31 Oct 2013 21:43:54 -0000
From: dj@deadhat.com
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

>> On 31/10/13 06:28 AM, John Kelsey wrote:
>>> On Oct 30, 2013, at 2:09 PM, Jerry Leichter <leichter@lrw.com> wrote:
>
>>
>>> The restriction on external sources of additional input is pretty
>>> obviously a misunderstanding--someone somewhere got confused between
>>> entropy source inputs (which need to come from some trusted entropy
>>> source) and additional inputs (which can come from anywhere).
>>
>>
>> If it is a misunderstanding, it's had larger than normal ramifications.
>>   There have been many reports of dropping all external sources as a
>> need to get approval.  It's the process?
>>
>>
>
> It's not a misunderstanding. It's right there in section 4 of FIPS 140-2.

And what are we supposed to do with 4.9.2 of FIPS 140-2? That reduces the
output entropy to considerably less than (1-epsilon) | epsilon < 1/2^64,
as required by SP800-90A.

If ever there was a clause that I thought was inserted to weaken an RNG
spec, that would be it.

Please re-open FIPS 140-2 for comment.

"If each call to a RNG produces blocks of n bits (where n > 15), the first
n-bit block generated after power-up, initialization, or reset shall not
be used, but shall be saved for comparison with the next n-bit block to be
generated. Each subsequent generation of an n-bit block shall be compared
with the previously generated block. The test shall fail if any two
compared n-bit blocks are equal."


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
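As an added illustration (not code from the message above, from NIST, or from any vendor), here is a literal model of the continuous test clause quoted in the message: the first block after reset is withheld and kept only for comparison, each later block is compared with its predecessor, and two equal consecutive blocks fail the test. Class and function names are hypothetical and the 32-bit block stream is constructed, not real RNG output.

```python
from typing import List, Optional, Tuple


class ContinuousRngTest:
    """Model of the FIPS 140-2 section 4.9.2 continuous RNG test for n-bit blocks."""

    def __init__(self, n_bits: int) -> None:
        if n_bits <= 15:
            raise ValueError("the quoted clause applies only to block sizes n > 15")
        self.n_bits = n_bits
        self._previous: Optional[bytes] = None
        self.failed = False

    def reset(self) -> None:
        """Power-up, initialisation or reset: forget the comparison block."""
        self._previous = None
        self.failed = False

    def check(self, block: bytes) -> Optional[bytes]:
        """Return the block if it may be used, or None if it must be withheld.

        Raises RuntimeError on test failure (equal consecutive blocks) and on
        any call after a failure until reset() is called.
        """
        if self.failed:
            raise RuntimeError("continuous RNG test already failed; reset required")
        if len(block) * 8 != self.n_bits:
            raise ValueError(f"expected a {self.n_bits}-bit block, got {len(block) * 8} bits")
        if self._previous is None:
            self._previous = block  # first block after reset: saved, never used
            return None
        if block == self._previous:
            self.failed = True
            raise RuntimeError("continuous RNG test failed: consecutive blocks are equal")
        self._previous = block
        return block


def filter_blocks(n_bits: int, blocks: List[bytes]) -> Tuple[List[bytes], Optional[int]]:
    """Run the test over a block stream; return (usable blocks, index of failing block or None)."""
    test = ContinuousRngTest(n_bits)
    usable: List[bytes] = []
    for index, block in enumerate(blocks):
        try:
            out = test.check(block)
        except RuntimeError:
            return usable, index
        if out is not None:
            usable.append(out)
    return usable, None


# Constructed sample stream of 32-bit blocks (hypothetical, not real RNG output).
SAMPLE_STREAM = [b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd", b"\xaa\xbb\xcc\xdd", b"\x10\x20\x30\x40"]
```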
