On Fri, Oct 23, 2015 at 04:34:11PM +0200, Dr. Matthias St. Pierre wrote:
>
> Hi,
>
> I have a related question concerning alternative RNGs, hope it is not too
> off-topic:
>
> Currently we are using the NIST-SP800-90a compliant DRBG (fips_drbg_method()),
> because it seemed to us to be more sophisticated and mature than the default
> RAND_SSLeay(). At least it's better documented and tested.
>
> Currently this DRBG is only available through the FIPS object module, so you
> need to build a FIPS capable OpenSSL library in order to use it.
>
> Shouldn't the FIPS DRBG code be added to the normal code base in master, too,
> as an alternative RNG implementation? Or is the NIST-SP800-90a DRG construction
> already obsolete outside of FIPS world?

FWIW, the FIPS module was recently removed, so FIPS_drbg_method() is not present in master anymore. I think there are plans to reimplement the whole thing, but I don't know anything about that.

In general the NIST DRBGs seem fairly complicated (or completely untrustworthy like Dual EC DRBG), so I'd rather have a different implementation as default RNG for OpenSSL.

Cheers
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
