On Wednesday, 27 July 2016 15:23:21 CEST Leon Brits wrote: > John, > > Thanks for your reply. > > The SP800-90B test has different types of test but the test with the lowest > output is used as the maximum entropy capability of the chip. That is how I > understand it from the FIPS lab. > > For the FIPS validation, using a NDRNG, that source must feed the DRBG > directly (FIPS lab) and not from something like the PRNG. I use seed the > /dev/random from the NDRNG and then source from the PRNG, but that is not > allowed for DRBGs. Again I hope I understand them correct.
but PRNG and DRBG is the same thing, both generate pseudo-random numbers from a seed using (hopefully) a cryptographically secure algorithm FIPS definitely allows you to use output of one DRBG to seed other DRBG in the end, you should gather as much entropy as possible in the system, and mix it all together and then use output of a DRBG that uses all that entropy to seed other DRBGs what that means in practical terms, is feed output from your NDRNG to kernel's entropy pool and seed everything from /dev/urandom output (or getrandom()) -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
