Wan-Teh Chang wrote:
> Don't use PR_GetRandomNoise.  It is designed for this
> purpose, but its implementation is incomplete.

Glad I asked.

> What did you mean by K seed?  Is it the KKEY variable
> in the algorithm of FIPS 186-2 Appendix 3.2?

Yes, that's what I'm looking at. Is there a method I can call in NSS to just do that part of the DSA algorithm? I'm not sure if what we're doing is "precomputing". We're not trying to generate a bunch of these ahead of time, just "on the fly".

So to do it just once we need the initial KKEY (random data from the function below) and then do the G(t,KKEY) mod q to get a value of k.

The existing code handles the G(t,KKEY) mod q part, we just need to feed it a changing KKEY as it appears to be using the same KKEY each time. The algorithm in appendix 3.2, step 3d shows "incrementing" KKEY to get the next value when precomputing. Is it ok to just use a random KKEY each time when the signature is created or do we have to store the KKEY somehow and keep "incrementing" it using this formula?

> You can generate K seed using NSS's RNG, or you can use
> /dev/urandom on Unix and CryptoAPI's RNG on Windows.
> NSS uses /dev/urandom and CryptoAPI's RNG to generate
> some seed material for its RNG.  You can look at our code:
> http://lxr.mozilla.org/security/ident?i=RNG_SystemRNG

The NSS method (RNG_SystemRNG) looks like what I want.

Dave
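Added illustration of the Appendix 3.2 flow discussed in this thread (not NSS code and not from the original post): KKEY is seeded once from the OS RNG, each k is G(t, KKEY) mod q, and step 3d advances KKEY so the next signature cannot reuse k. Assumptions: G is replaced by a labelled SHA-1 stand-in, and q and t are constructed placeholders, not real DSA parameters.

```python
import hashlib
import os

# FIPS 186-2 Appendix 3.2 per-message secret: k = G(t, KKEY) mod q, then
# KKEY = (1 + KKEY + k) mod 2^b (step 3d), so the seed key changes every call.
# b is the seed-key length in bits (160 <= b <= 512); t is a 160-bit constant
# the standard fixes. The values below are constructed for this example only.
B_BITS = 160
T_CONST = 0x0123456789ABCDEF0123456789ABCDEF01234567  # placeholder, not the standard's t
Q_SAMPLE = (1 << 159) | 0x4D3F  # constructed 160-bit odd modulus, not a real DSA q


def g_stand_in(t, kkey, b):
    """Assumed stand-in for the standard's G(t, c), which runs the SHA-1
    compression function with t as chaining value. Here: SHA-1 over t || c."""
    data = t.to_bytes(20, "big") + kkey.to_bytes(b // 8, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


class KGenerator:
    """Keeps KKEY between signatures, which is what Appendix 3.2 requires."""

    def __init__(self, q, kkey=None, b=B_BITS, t=T_CONST):
        self.q, self.b, self.t = q, b, t
        # Seed KKEY from the OS RNG (the role RNG_SystemRNG plays in NSS).
        self.kkey = int.from_bytes(os.urandom(b // 8), "big") if kkey is None else kkey

    def next_k(self):
        while True:
            k = g_stand_in(self.t, self.kkey, self.b) % self.q
            # Step 3d: advance KKEY so the next signature gets a fresh k.
            self.kkey = (1 + self.kkey + k) % (1 << self.b)
            if k != 0:  # DSA needs k^-1 mod q; rejecting k = 0 is an added check
                return k


def k_values(n, kkey, advance):
    """n values of k from the same initial KKEY. advance=False models the
    behaviour described in the thread: KKEY never changes, so every
    signature gets the same k."""
    gen = KGenerator(Q_SAMPLE, kkey)
    if advance:
        return [gen.next_k() for _ in range(n)]
    return [g_stand_in(gen.t, gen.kkey, gen.b) % gen.q for _ in range(n)]
```

With advance=False the list collapses to a single repeated k; with advance=True every entry differs, which is the property a per-signature generator must provide.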
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
