See:

https://tools.ietf.org/html/rfc4086

Section 4 suggests ways to de-skew.

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

> On Jul 28, 2016, at 6:51 AM, Hubert Kario <hka...@redhat.com> wrote:
> 
> On Wednesday, 27 July 2016 15:23:21 CEST Leon Brits wrote:
>> John,
>> 
>> Thanks for your reply.
>> 
>> The SP800-90B test has different types of tests, but the test with the lowest
>> output is used as the maximum entropy capability of the chip. That is how I
>> understand it from the FIPS lab.
>> 
>> For the FIPS validation, using an NDRNG, that source must feed the DRBG
>> directly (FIPS lab) and not from something like the PRNG. I use seed the
>> /dev/random from the NDRNG and then source from the PRNG, but that is not
>> allowed for DRBGs. Again I hope I understand them correctly.
> 
> but PRNG and DRBG is the same thing, both generate pseudo-random numbers from
> a seed using (hopefully) a cryptographically secure algorithm
> 
> FIPS definitely allows you to use output of one DRBG to seed other DRBG
> 
> in the end, you should gather as much entropy as possible in the system, and
> mix it all together and then use output of a DRBG that uses all that entropy
> to seed other DRBGs
> 
> what that means in practical terms, is feed output from your NDRNG to kernel's
> entropy pool and seed everything from /dev/urandom output (or getrandom())
> 
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
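As an added illustration of the de-skewing the reply points to (not code from the thread or from OpenSSL): a minimal C version of the transition-mapping (von Neumann) method described in RFC 4086 Section 4. The names `vn_deskew`, `SAMPLE` and `sample_out` are hypothetical, and the sample bytes are constructed rather than taken from a real device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of raw, biased NDRNG output (not real device data). */
static const uint8_t SAMPLE[] = { 0xE4, 0x1B, 0xFF, 0x6C };
static uint8_t sample_out[sizeof SAMPLE];

/* Bit i of buf, counting from the most significant bit of byte 0. */
static int get_bit(const uint8_t *buf, size_t i)
{
    return (buf[i / 8] >> (7 - (i % 8))) & 1;
}

/*
 * Transition-mapping de-skew: take non-overlapping bit pairs, discard
 * 00 and 11, emit 0 for 01 and 1 for 10. Output is packed MSB-first.
 * Returns the number of output bits (at most out_cap * 8). For
 * independent bits with P(1) = p, a pair yields a bit with probability
 * 2p(1-p). Correlation between input bits is NOT removed.
 */
size_t vn_deskew(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t nbits = 0;
    memset(out, 0, out_cap);
    for (size_t i = 0; i + 1 < in_len * 8; i += 2) {
        int a = get_bit(in, i), b = get_bit(in, i + 1);
        if (a == b)
            continue;                   /* 00 or 11: no output */
        if (nbits == out_cap * 8)
            break;                      /* output buffer full */
        if (a)                          /* 10 -> 1; 01 leaves the bit 0 */
            out[nbits / 8] |= (uint8_t)(0x80u >> (nbits % 8));
        nbits++;
    }
    return nbits;
}

int main(void)
{
    size_t n = vn_deskew(SAMPLE, sizeof SAMPLE, sample_out, sizeof sample_out);
    printf("%zu bits in, %zu bits out, first byte 0x%02X\n",
           sizeof SAMPLE * 8, n, sample_out[0]);
    return 0;
}
```

De-skewing only removes bias from independent bits; the de-skewed output would still be fed to the kernel entropy pool or a DRBG as discussed in the thread, not used directly as key material.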
