> -----Ursprüngliche Nachricht----- > Von: openssl-dev [mailto:openssl-dev-boun...@openssl.org] Im Auftrag von > Blumenthal, Uri - 0553 - MITLL > Gesendet: Mittwoch, 30. August 2017 16:27 > An: openssl-dev@openssl.org > Betreff: Re: [openssl-dev] Plea for a new public OpenSSL RNG API > ... > > It allows hardware sources to be used via the same API. > > I rather doubt this. For example, my smartcard (accessible via PKCS#11) is a > hardware source, which I > occasionally use. How do you see it used with the same API?
We have a similar situation, on a small hardware device with little own entropy but with a smartcard reader. We implemented a get_entropy() call which fetches the entropy via PKCS#11, and modified the rand_method such that RAND_DRBG_generate() is always called with prediction_resistance=1. So every generate() triggers a reseed(), the entropy is fetched from the smartcard and it is immediately postprocessed by the AES-CTR DRBG. The /dev/urandom device was only used as additional input. So we didn't feel the need for an extra API call. Matthias
smime.p7s
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
