> > Wait what? This sounds nuts... Can you refer to something that backs your
> > claim?
>
> The 384 comes straight out of SP800-90A, see the table 10.2.1.
> It's also in the code where we do:
> drbg->seedlen = keylen + 16;
> [...]
> if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
> [...]
> } else {
> drbg->min_entropylen = drbg->seedlen;
>
> (With keylen == 32)
>
> You'll also see that when not using a DF "full entropy" is needed,
> when using a DF it's not required.
>
> A DRBG can only generate "full entropy" for the first security
> strength / 2 bits it generates after a reseed. This is at least
> covered in SP800-90C 10.4, but there are other places that mention
> this too. So you need to pull the double amount of entropy from
> your entropy source if it doesn't provide full entropy. This also
> requires the use of prediction resistance.
>
>
> Kurt
Even if your claim about the 768 bits of entropy is correct, it only proves
that it was a good idea to make the derivation function the default in
commit 8164d91d1802e6173291dee50923cc60fcd3bf72.

Matthias

https://github.com/openssl/openssl/commit/8164d91d1802e6173291dee50923cc60fcd3bf72
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
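The sizing argument in the quoted message, worked through as an added example (this is not code from the thread or from OpenSSL): it encodes the relationships Kurt cites, seedlen = keylen + 16 bytes and min_entropylen = seedlen without a derivation function or the security strength with one, and generalises them to the AES-128 and AES-192 CTR_DRBG rows of SP800-90A Table 3. The `full_entropy_fraction` parameter is an assumption introduced here to model an entropy source that does not deliver full entropy (0.5 reproduces the "pull double" case the thread discusses); the `check_entropy_request` function is likewise a hypothetical audit helper, not an OpenSSL API.

```python
# Added example: CTR_DRBG entropy-input sizing with and without a derivation
# function.  Constants follow SP800-90A Table 3 and the OpenSSL fragment quoted
# in the thread; the "fraction" model for a non-full-entropy source is an
# assumption made for illustration.
from dataclasses import dataclass
from math import ceil

AES_BLOCK_BYTES = 16  # CTR_DRBG outlen for AES is one 128-bit block


@dataclass(frozen=True)
class CtrDrbgParams:
    keylen: int   # AES key length in bytes: 16, 24 or 32
    use_df: bool  # derivation function enabled (OpenSSL: RAND_DRBG_FLAG_CTR_NO_DF clear)

    def __post_init__(self):
        if self.keylen not in (16, 24, 32):
            raise ValueError("CTR_DRBG keylen must be 16, 24 or 32 bytes")

    @property
    def strength_bits(self) -> int:
        # For CTR_DRBG the security strength equals the AES key length.
        return self.keylen * 8

    @property
    def seedlen(self) -> int:
        # seedlen = outlen + keylen, i.e. the thread's drbg->seedlen = keylen + 16
        return self.keylen + AES_BLOCK_BYTES

    @property
    def min_entropylen(self) -> int:
        # Without a DF the seed material is used directly, so the full seedlen
        # must be entropy; with a DF only security_strength bits are required.
        return self.strength_bits // 8 if self.use_df else self.seedlen


def entropy_request_bits(params: CtrDrbgParams, full_entropy_fraction: float = 1.0) -> int:
    """Bits to pull from the entropy source so that min_entropylen worth of
    entropy is actually collected.  full_entropy_fraction (assumed model) is
    the entropy carried per output bit of the source: 1.0 for a full-entropy
    source, 0.5 for the DRBG-as-source case the thread describes."""
    if not 0.0 < full_entropy_fraction <= 1.0:
        raise ValueError("full_entropy_fraction must be in (0, 1]")
    return ceil(params.min_entropylen * 8 / full_entropy_fraction)


def check_entropy_request(params: CtrDrbgParams, requested_bits: int,
                          full_entropy_fraction: float = 1.0):
    """Hypothetical audit helper: is a configured request large enough?
    Returns (ok, needed_bits, note)."""
    needed = entropy_request_bits(params, full_entropy_fraction)
    if not params.use_df and full_entropy_fraction < 1.0:
        note = ("no DF and source is not full entropy: scale the request "
                "and use prediction resistance")
    elif params.use_df:
        note = "DF present: the DF conditions non-full-entropy input"
    else:
        note = "no DF, full-entropy source"
    return requested_bits >= needed, needed, note


if __name__ == "__main__":
    # Table for all three AES key sizes, with and without a DF.
    for keylen in (16, 24, 32):
        for use_df in (True, False):
            p = CtrDrbgParams(keylen, use_df)
            print(f"AES-{p.strength_bits} df={use_df!s:5} seedlen={p.seedlen:2} B "
                  f"min_entropylen={p.min_entropylen:2} B "
                  f"full-entropy request={entropy_request_bits(p)} bits "
                  f"half-entropy request={entropy_request_bits(p, 0.5)} bits")
```

For AES-256 without a DF this yields seedlen 48 bytes, min_entropylen 384 bits, and 768 bits when the source is modelled as half entropy; with the DF enabled the requirement drops to 256 bits from a full-entropy source.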