On 10/24/2015 05:55 PM, Marcus Meissner wrote:
> On Fri, Oct 23, 2015 at 07:19:11PM +0200, Alessandro Ghedini wrote:
>> On Fri, Oct 23, 2015 at 04:34:11PM +0200, Dr. Matthias St. Pierre wrote:
>> ...
>> In general the NIST DRBGs seem fairly complicated (or completely untrustworthy
>> like Dual EC DRBG), so I'd rather have a different implementation as default
>> RNG for OpenSSL.
> 
> Well, the Dual EC has been removed from the guidance.
> 
> The other 3 modes described in NIST 800-90a make sense though. I suggest reading
> the standard; the main things making it long are all the error handling and
> reseeding strategies.
> 
> Ciao, Marcus

I agree; to me it seems to be a rather straightforward implementation of a
hybrid RNG. To get an impression of the essentials, e.g. for the DRBG based on
AES-CTR, it helps to have a look at Figures 11 (p.49) and 12 (p.51) of
<http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf>.

The nice part about the DRBG is that one can connect it to an external entropy
source and configure the reseed interval. It also supports prediction resistance
on demand, although this feature is not available through FIPS_drbg_method(),
only if one uses FIPS_drbg_generate() directly.

So it would be convenient for us to have it available in the normal OpenSSL
library without having to fiddle with the FIPS object module. It wouldn't have
to be the default OpenSSL RNG, though.

Regards, Matthias

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
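Added example, not part of the thread and not OpenSSL or FIPS module code: a minimal Go CTR_DRBG with AES-256 and no derivation function, following the Update / Instantiate / Reseed / Generate steps that Figures 11 and 12 of SP 800-90A sketch. It shows the three things the message above singles out: a caller-supplied external entropy source, a configurable reseed interval (the generate process reseeds itself once the counter passes it), and prediction resistance on demand (a reseed forced before the output is produced). All identifiers (CTRDRBG, EntropySource, NewCTRDRBG, KnownAnswer, padSeed, incr) are this example's own. The fixed entropy source used for the known-answer check is a constructed test fixture; the entropy input and expected output are the CAVP CTR_DRBG no-reseed AES-256 no-df vector (COUNT 0).

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// CTR_DRBG (SP 800-90A 10.2.1) with AES-256 and no derivation function, so
// seedlen = keylen + blocklen = 48 bytes. Added example; not OpenSSL's code.
const keyLen, blockLen, seedLen = 32, aes.BlockSize, 32 + aes.BlockSize

// EntropySource is the external entropy input; it must return exactly n bytes.
type EntropySource func(n int) ([]byte, error)

type CTRDRBG struct {
	key, v                        []byte
	reseedCounter, reseedInterval uint64 // interval is caller-configured; the standard caps it at 2^48
	entropy                       EntropySource
}

// incr adds 1 to the counter block V as a big-endian integer mod 2^128.
func incr(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// padSeed zero-pads personalization/additional input to seedlen; longer input would need the omitted df.
func padSeed(b []byte) ([]byte, error) {
	if len(b) > seedLen {
		return nil, fmt.Errorf("ctr_drbg: %d-byte input exceeds seedlen %d", len(b), seedLen)
	}
	out := make([]byte, seedLen)
	copy(out, b)
	return out, nil
}

// update is CTR_DRBG_Update: AES-CTR from V under Key yields seedlen bytes; XOR in provided_data; split into Key || V.
func (d *CTRDRBG) update(provided []byte) {
	blk, _ := aes.NewCipher(d.key) // key length is fixed by construction
	temp, out := make([]byte, 0, seedLen), make([]byte, blockLen)
	for len(temp) < seedLen {
		incr(d.v)
		blk.Encrypt(out, d.v)
		temp = append(temp, out...)
	}
	for i := range temp {
		temp[i] ^= provided[i]
	}
	d.key, d.v = temp[:keyLen], temp[keyLen:seedLen]
}

// Reseed (10.2.1.4.1) pulls fresh entropy, XORs in the padded extra input, runs Update and
// restarts the reseed counter. Instantiate (10.2.1.3.1) is the same computation from Key = V = 0.
func (d *CTRDRBG) Reseed(extra []byte) error {
	ei, err := d.entropy(seedLen)
	if err != nil {
		return err
	} else if len(ei) != seedLen {
		return fmt.Errorf("ctr_drbg: entropy source returned %d bytes, want %d", len(ei), seedLen)
	}
	pad, err := padSeed(extra)
	if err != nil {
		return err
	}
	for i := range pad {
		pad[i] ^= ei[i]
	}
	d.update(pad)
	d.reseedCounter = 1
	return nil
}

// NewCTRDRBG instantiates the DRBG from an entropy source, optional personalization string and reseed interval.
func NewCTRDRBG(src EntropySource, personalization []byte, interval uint64) (*CTRDRBG, error) {
	d := &CTRDRBG{key: make([]byte, keyLen), v: make([]byte, blockLen), reseedInterval: interval, entropy: src}
	if err := d.Reseed(personalization); err != nil {
		return nil, err
	}
	return d, nil
}

// Generate follows the 9.3.1 generate process: reseed first if the caller demands prediction
// resistance or the reseed interval is used up, then run CTR_DRBG_Generate (10.2.1.5.1).
func (d *CTRDRBG) Generate(n int, additional []byte, predictionResistance bool) ([]byte, error) {
	if predictionResistance || d.reseedCounter > d.reseedInterval {
		if err := d.Reseed(additional); err != nil {
			return nil, err
		}
		additional = nil // already mixed in by the reseed
	}
	pad, err := padSeed(additional)
	if err != nil {
		return nil, err
	}
	if len(additional) > 0 {
		d.update(pad)
	}
	blk, _ := aes.NewCipher(d.key)
	out, block := make([]byte, 0, n+blockLen), make([]byte, blockLen)
	for len(out) < n {
		incr(d.v)
		blk.Encrypt(block, d.v)
		out = append(out, block...)
	}
	d.update(pad) // backtracking resistance: the Key/V that produced out are discarded
	d.reseedCounter++
	return out[:n], nil
}

// CAVP CTR_DRBG known-answer vector (AES-256, no df, no reseed, COUNT 0): instantiate with this
// entropy input and no personalization, generate 512 bits twice, compare the second output.
const (
	nistEntropy  = "df5d73faa468649edda33b5cca79b0b05600419ccb7a879ddfec9db32ee494e5531b51de16a30f769262474c73bec010"
	nistExpected = "d1c07cd95af8a7f11012c84ce48bb8cb87189e99d40fccb1771c619bdf82ab2280b1dc2f2581f39164f7ac0c510494b3a43c41b7db17514c87b107ae793e01c5"
)

// KnownAnswer reports whether this implementation reproduces the CAVP vector. The fixed
// entropy source is a constructed test fixture; a real one would wrap the OS or hardware RNG.
func KnownAnswer() bool {
	ei, _ := hex.DecodeString(nistEntropy)
	d, err := NewCTRDRBG(func(int) ([]byte, error) { return ei, nil }, nil, 1<<48)
	if err != nil {
		return false
	}
	d.Generate(64, nil, false) // the CAVP procedure discards the first output
	out, err := d.Generate(64, nil, false)
	return err == nil && hex.EncodeToString(out) == nistExpected
}

func main() {
	fmt.Println("CAVP AES-256 no-df vector reproduced:", KnownAnswer())
}
```

Two points worth noticing when reading it against the standard: without the derivation function, personalization and additional input are limited to seedlen bytes and are simply XORed into the entropy input, which is why padSeed rejects anything longer rather than silently truncating it; and the final update() after every Generate is what gives backtracking resistance, while prediction resistance is only obtained by actually pulling fresh entropy, which is why it costs a call to the entropy source each time it is requested.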