Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-07 Thread Richard Levitte
In message <20180406170540.gk80...@mit.edu> on Fri, 6 Apr 2018 12:05:43 -0500, Benjamin Kaduk said: kaduk> On Fri, Apr 06, 2018 at 04:23:02PM +0200, Andy Polyakov wrote: kaduk> > > This is one reason why keeping around old assembly code can have a cost. :( kaduk> > > kaduk> > >

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 07:00:21PM +0200, Richard Levitte wrote: > In message <20180407160031.gb12...@roeckx.be> on Sat, 7 Apr 2018 18:00:32 > +0200, Kurt Roeckx said: > > kurt> On Sat, Apr 07, 2018 at 04:58:06PM +0200, Richard Levitte wrote: > kurt> > > Can I suggest you try

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Richard Levitte
In message <20180407174527.gc20...@roeckx.be> on Sat, 7 Apr 2018 19:45:28 +0200, Kurt Roeckx said: kurt> On Sat, Apr 07, 2018 at 07:00:21PM +0200, Richard Levitte wrote: kurt> > In message <20180407160031.gb12...@roeckx.be> on Sat, 7 Apr 2018 18:00:32 +0200, Kurt Roeckx

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: > H... case 4 shouldn't pose too much problems unless you restart > the application more than once every second or so (for a 1 second > resolution). On VMS, the system time is kept with 100 nanosecond > granularity... this

[openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Salz, Rich
I would like to see this put on hold until we fix the ‘now requires 50% more random seeding’ issue. What should I do to force that issue? From: Richard Levitte Reply-To: openssl/openssl

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Richard Levitte
Like I said in the post I just made, I see zero problems with having that requirement on systems that can support it. I don't see why we must lower the bar for *everyone* just because we currently need to do so for VMS Cheers, Richard In message

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: > In message <20180407154649.ga12...@roeckx.be> on Sat, 7 Apr 2018 17:46:50 > +0200, Kurt Roeckx said: > > kurt> | For case 2 above, the timestamp must be trusted. A trusted > kurt> | timestamp is generated and

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Salz, Rich
>Compliance with AES was also never a stated goal. Implicitly it was because (a) it's a standard algorithm and (b) MTI for TLS. But more importantly, *it didn't break anything.* ___ openssl-project mailing list openssl-project@openssl.org

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 04:48:51PM +, Salz, Rich wrote: > >Like I said in the post I just made, I see zero problems with having > that requirement on systems that can support it. I don't see why we > must lower the bar for *everyone* just because we currently need to do > so

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 05:07:02PM +, Salz, Rich wrote: > > > >NIST SP800-90A rev1 section 8.6.7 has: > > Compliance with this was never a stated goal of this release. So not > relevant. Compliance with AES was also never a stated goal. Kurt

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Salz, Rich
> Because > - It is not clear we need to do so >That we need to do what? Do FIPS compliant random numbers in this release. > - We are not required to do FIPS level DRBG/CSPRNG this release > It's not because we don't have a requirement that it can be

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 05:55:14PM +, Salz, Rich wrote: > > Because > > - It is not clear we need to do so > > >That we need to do what? > > Do FIPS compliant random numbers in this release. We will never have that in any release by default, like I already stated a

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Richard Levitte
In message <20180407185034.ga25...@roeckx.be> on Sat, 7 Apr 2018 20:50:35 +0200, Kurt Roeckx said: kurt> > In going from 1.1.0 to 1.1.1, breaking platforms that used to kurt> > work is just plain wrong. kurt> kurt> So then I suggest we support the syscalls on all platforms that

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Richard Levitte
In message <20180407190250.ga27...@roeckx.be> on Sat, 7 Apr 2018 21:02:51 +0200, Kurt Roeckx said: kurt> On Sat, Apr 07, 2018 at 06:49:50PM +0200, Richard Levitte wrote: kurt> > H... case 4 shouldn't pose too much problems unless you restart kurt> > the application more

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Salz, Rich
>NIST SP800-90A rev1 section 8.6.7 has: Compliance with this was never a stated goal of this release. So not relevant.

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Salz, Rich
>Like I said in the post I just made, I see zero problems with having that requirement on systems that can support it. I don't see why we must lower the bar for *everyone* just because we currently need to do so for VMS Because - It is not clear we need to do so

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Richard Levitte
In message <8c39cdf4-a91e-4dfb-be67-6799e07d3...@akamai.com> on Tue, 3 Apr 2018 16:58:17 +, "Salz, Rich" said: rsalz> >Please note that that 50% extra is only used for rsalz> >instantiating the DRBG. On reseed it only uses 256 rsalz> >bits. Instantiating is

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 02:15:51PM +, Salz, Rich wrote: > I would like to see this put on hold until we fix the ‘now requires 50% more > random seeding’ issue. > > What should I do to force that issue? NIST SP800-90A rev1 section 8.6.7 has: | A nonce may be required in the construction of a

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Kurt Roeckx
On Sat, Apr 07, 2018 at 04:58:06PM +0200, Richard Levitte wrote: > > Can I suggest you try something like > > https://github.com/usnistgov/SP800-90B_EntropyAssessment to at least > > get an idea? You would need to sample 1 variable and feed that into > > it. > > And yeah, sure, especially if all

Re: [openssl-project] FW: [openssl/openssl] VMS: lower the entropy demand for this platform specifically (#5904)

2018-04-07 Thread Richard Levitte
In message <20180407154649.ga12...@roeckx.be> on Sat, 7 Apr 2018 17:46:50 +0200, Kurt Roeckx said: kurt> On Sat, Apr 07, 2018 at 02:15:51PM +, Salz, Rich wrote: kurt> > I would like to see this put on hold until we fix the ‘now requires 50% more random seeding’ issue. kurt>

Re: [openssl-project] Entropy seeding the DRBG

2018-04-07 Thread Richard Levitte
In message <20180407160031.gb12...@roeckx.be> on Sat, 7 Apr 2018 18:00:32 +0200, Kurt Roeckx said: kurt> On Sat, Apr 07, 2018 at 04:58:06PM +0200, Richard Levitte wrote: kurt> > > Can I suggest you try something like kurt> > >