On 26/06/17 21:18, Kurt Roeckx wrote:
>> “Recommendation for Random Number Generation Using Deterministic Random
>> Bit Generators”
>> http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
>>
>> That design may look complicated, but if you think you can
>> leave out some of the blocks in their diagram, proceed with
>> caution. Every one of those blocks is there for a reason.
>
> SP800-90A (or revision 1) can clearly be used as reference on how
> to implement it, even if we don't use an approved algorithm from
> it. And I really think we should look at that document when
> implementing it.
>
> There should probably also be an option to use an RNG that
> conforms to it.

I am strongly in favour of this approach. We should be led by standards.

>
>>> Randomness should be whitened.
>>
>> Whitening at the input is neither difficult nor necessary nor sufficient.
>> The hard part is obtaining a reliable lower bound on the amount of
>> useful randomness in the bit-blob when it appears at the input. Where
>> did the bits come from? Where did the bound come from? Do you trust
>> the generic openssl user, who knows nothing about cryptology, to provide
>> either one?
>
> I think it should by default be provided by the OS, and I don't
> think any OS is documenting how much randomness it can provide.
>

I also agree that, by default, using the OS provided source makes a lot of sense.

Matt