DRBG seeding

2015-04-16 Thread Herbert Xu
Hi Stephan: Currently DRBG is seeded with entropy from get_random_bytes. However, get_random_bytes is basically the kernel version of /dev/urandom. So there is no guarantee that you're actually getting the amount of entropy required. Are you sure this is compliant with the DRBG specification?

Re: DRBG seeding

2015-04-16 Thread Stephan Mueller
On Thursday, 16 April 2015, 22:36:17, Herbert Xu wrote: Hi Herbert, Hi Stephan: Currently DRBG is seeded with entropy from get_random_bytes. However, get_random_bytes is basically the kernel version of /dev/urandom. So there is no guarantee that you're actually getting the amount of

Re: DRBG parallel requests

2015-04-16 Thread Stephan Mueller
On Thursday, 16 April 2015, 22:44:55, Herbert Xu wrote: Hi Herbert, Rafael, Hi Stephan: Currently you can have two users of DRBG issuing requests in parallel and end up using the same internal state. The only difference between them is the cycle counter that you inject into the DRBG. I

DRBG parallel requests

2015-04-16 Thread Herbert Xu
Hi Stephan: Currently you can have two users of DRBG issuing requests in parallel and end up using the same internal state. The only difference between them is the cycle counter that you inject into the DRBG. I can't see how this is safe as the cycle counter contains minimal entropy. The whole

Re: DRBG seeding

2015-04-16 Thread Stephan Mueller
On Thursday, 16 April 2015, 23:26:18, Herbert Xu wrote: Hi Herbert, On Thu, Apr 16, 2015 at 05:07:20PM +0200, Stephan Mueller wrote: I do not see a specific requirement in SP800-90A about the quality of the noise source. Well it explicitly says that you cannot use a DRBG. In the worst

Re: DRBG parallel requests

2015-04-16 Thread Stephan Mueller
On Thursday, 16 April 2015, 23:30:38, Herbert Xu wrote: Hi Herbert, On Thu, Apr 16, 2015 at 05:13:50PM +0200, Stephan Mueller wrote: Surely, the shadow approach scales better than a global lock. But its drawback is the (almost) identical state. The drawback is that your DRBG is no longer

Re: DRBG seeding

2015-04-16 Thread Herbert Xu
On Thu, Apr 16, 2015 at 05:07:20PM +0200, Stephan Mueller wrote: I do not see a specific requirement in SP800-90A about the quality of the noise source. Well it explicitly says that you cannot use a DRBG. In the worst case get_random_bytes is completely deterministic. That said, I already

Re: DRBG parallel requests

2015-04-16 Thread Herbert Xu
On Thu, Apr 16, 2015 at 05:13:50PM +0200, Stephan Mueller wrote: Surely, the shadow approach scales better than a global lock. But its drawback is the (almost) identical state. The drawback is that your DRBG is no longer anything like that specified by the standard. You've completely

Re: DRBG seeding

2015-04-16 Thread Andreas Steffen
Hi Stephan, in my opinion you definitively have to seed the DRBG with true entropy from /dev/random. This is what we are currently doing in userland with the strongSwan DRBG needed for the post-quantum NTRU-based key exchange algorithm. The NIST SP800-90A spec defines a parameter which estimates

Re: DRBG seeding

2015-04-16 Thread Herbert Xu
On Fri, Apr 17, 2015 at 03:19:17AM +0200, Stephan Mueller wrote: 1. during initialization of a DRBG instance, seed from get_random_bytes to have a DRBG state that is seeded and usable. I think we either need to use real entropy and block, or mark the DRBG unusable until such a time that it

Re: DRBG seeding

2015-04-16 Thread Stephan Mueller
On Thursday, 16 April 2015, 19:11:18, Andreas Steffen wrote: Hi Andreas, Hi Stephan, in my opinion you definitively have to seed the DRBG with true entropy from /dev/random. This is what we are currently doing in userland with the strongSwan DRBG needed for the post-quantum NTRU-based
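The two hazards raised in the "DRBG seeding" and "DRBG parallel requests" threads above (a DRBG instantiated from a seed source that may carry far less entropy than the security strength, and parallel users working from one shared internal state that differs only by a low-entropy cycle counter) can both be shown with a toy HMAC_DRBG. This is an added example written for this page; it is not the kernel's crypto/drbg.c and not code posted by any of the thread participants. The class and function names, the 8-byte little-endian counter encoding, the 4096-value search spaces and the constant seed bytes are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
import os

OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbg:
    """Minimal SP 800-90A HMAC_DRBG over SHA-256 (no reseed bookkeeping).

    Toy implementation for this example only; it is not the kernel DRBG and
    must not be used in production.
    """

    def __init__(self, seed_material: bytes):
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed_material).
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(seed_material)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update as specified in SP 800-90A section 10.1.2.2.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate without the reseed-interval check.
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        return out[:nbytes]

    def shadow(self) -> "HmacDrbg":
        # Copy of the current (K, V): stands in for the per-request
        # "shadow" state discussed in the thread, which shares everything
        # with the parent except the additional input later fed to it.
        s = HmacDrbg.__new__(HmacDrbg)
        s.K, s.V = self.K, self.V
        return s


def shadow_outputs(shared: HmacDrbg, counters) -> list:
    """Parallel users each copy the shared state and differ only in the
    cycle counter they inject as additional input (constructed encoding)."""
    return [shared.shadow().generate(16, c.to_bytes(8, "little")) for c in counters]


def recover_counter(shared: HmacDrbg, observed: bytes, max_counter: int):
    """Attacker who knows the shared state enumerates the small counter
    space and reproduces one user's output; returns the counter or None."""
    for c in range(max_counter):
        if shared.shadow().generate(len(observed), c.to_bytes(8, "little")) == observed:
            return c
    return None


def recover_weak_seed(observed: bytes, seed_bits: int):
    """If the seed source delivered only seed_bits of entropy (the 'worst
    case: completely deterministic' concern), the instantiated state is
    enumerable as well; returns the seed value or None."""
    for s in range(1 << seed_bits):
        if HmacDrbg(s.to_bytes(32, "big")).generate(len(observed)) == observed:
            return s
    return None


def demo():
    # Constructed seed standing in for a get_random_bytes output the
    # attacker has learned (or that carried too little entropy to matter).
    shared = HmacDrbg(bytes(range(32)))
    counters = [1000, 1003]              # constructed cycle-counter values
    outs = shadow_outputs(shared, counters)
    found = [recover_counter(shared, o, 1 << 12) for o in outs]
    # Contrast: per-instance seeding from fresh OS entropy leaves no
    # shared state for the counter search to start from.
    independent = [HmacDrbg(os.urandom(32)).generate(16) for _ in counters]
    return outs, found, independent


if __name__ == "__main__":
    outs, found, _ = demo()
    print("shadow outputs differ:", outs[0] != outs[1])
    print("counters recovered by brute force:", found)
```

The search spaces are deliberately tiny (12 bits) so the block runs in well under a second; the point is the shape of the attack, not its cost. Whatever the counter width, an attacker who holds the shared (K, V) only has to search the counter's actual entropy, which is why the thread calls the shadow approach "(almost) identical state" rather than independent instances. The same enumeration applies to the instantiate step when the seed itself is weak, which is the seeding-thread argument for true entropy at instantiation or for marking the DRBG unusable until it has been properly seeded.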