[openssl-dev] Plea for a new public OpenSSL RNG API

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Wed Aug 30 14:41:36 UTC 2017


> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Blumenthal, Uri - 0553 - MITLL
> Sent: Wednesday, 30 August 2017 16:27
> To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] Plea for a new public OpenSSL RNG API
> ...
> >   It allows hardware sources to be used via the same API.
> 
> I rather doubt this. For example, my smartcard (accessible via PKCS#11) is a hardware source, which I
> occasionally use. How do you see it used with the same API?

We have a similar situation, on a small hardware device with little entropy of its own but with a smartcard reader. We implemented a get_entropy() call which fetches the entropy via PKCS#11, and modified the rand_method such that RAND_DRBG_generate() is always called with prediction_resistance=1. So every generate() triggers a reseed(), the entropy is fetched from the smartcard, and it is immediately postprocessed by the AES-CTR DRBG. The /dev/urandom device was only used as additional input. So we didn't feel the need for an extra API call.

Matthias
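The design Matthias describes above, as an added stand-alone model rather than code from the post or from OpenSSL: an entropy callback standing in for the PKCS#11 smartcard, a DRBG that reseeds from that callback on every generate() call when prediction resistance is requested, and a second source (standing in for /dev/urandom) passed only as additional input. To keep the example free of external libraries it implements SP 800-90A Hash_DRBG with SHA-256 instead of OpenSSL's AES-CTR DRBG; the `FakeSmartcard` class, its deterministic seed, the nonce and the `demo()` values are all constructed for this illustration and are not OpenSSL identifiers.

```python
"""Model of 'reseed from the hardware source on every generate()' with a DRBG.

Hash_DRBG (SP 800-90A, SHA-256) is used in place of OpenSSL's AES-CTR DRBG so
the example runs with the standard library only. The smartcard is simulated by
a deterministic callback so the run is repeatable.
"""
import hashlib
from typing import Callable

HASH = hashlib.sha256
OUTLEN = 32                 # SHA-256 digest length in bytes
SEEDLEN = 55                # 440 bits for SHA-256 (SP 800-90A Table 2)
RESEED_INTERVAL = 2 ** 10   # constructed, small; the standard permits up to 2**48
MAX_REQUEST = 2 ** 16 // 8  # max_number_of_bits_per_request = 2**16 bits


def _hash_df(data: bytes, nbytes: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): counter-mode derivation of nbytes from data."""
    out, counter = b"", 1
    while len(out) < nbytes:
        out += HASH(bytes([counter]) + (nbytes * 8).to_bytes(4, "big") + data).digest()
        counter += 1
    return out[:nbytes]


def _add_mod(*parts: bytes) -> bytes:
    """Add byte strings as big-endian integers modulo 2**(8*SEEDLEN)."""
    total = sum(int.from_bytes(p, "big") for p in parts) % (1 << (8 * SEEDLEN))
    return total.to_bytes(SEEDLEN, "big")


class HashDRBG:
    """SP 800-90A Hash_DRBG whose entropy source is a caller-supplied callback."""

    def __init__(self, get_entropy: Callable[[int], bytes], nonce: bytes,
                 personalization: bytes = b"") -> None:
        self.get_entropy = get_entropy
        self.reseeds = 0
        seed_material = get_entropy(OUTLEN) + nonce + personalization   # 10.1.1.2
        self._v = _hash_df(seed_material, SEEDLEN)
        self._c = _hash_df(b"\x00" + self._v, SEEDLEN)
        self._reseed_counter = 1

    def reseed(self, additional_input: bytes = b"") -> None:
        """10.1.1.3: fresh entropy from the hardware callback, additional input folded in."""
        seed_material = b"\x01" + self._v + self.get_entropy(OUTLEN) + additional_input
        self._v = _hash_df(seed_material, SEEDLEN)
        self._c = _hash_df(b"\x00" + self._v, SEEDLEN)
        self._reseed_counter = 1
        self.reseeds += 1

    def generate(self, nbytes: int, prediction_resistance: bool = False,
                 additional_input: bytes = b"") -> bytes:
        """10.1.1.4: with prediction_resistance=True every call reseeds before output."""
        if nbytes > MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if prediction_resistance or self._reseed_counter > RESEED_INTERVAL:
            self.reseed(additional_input)
            additional_input = b""           # consumed by the reseed
        elif additional_input:
            w = HASH(b"\x02" + self._v + additional_input).digest()
            self._v = _add_mod(self._v, w)
        output = self._hashgen(nbytes)
        h = HASH(b"\x03" + self._v).digest()
        self._v = _add_mod(self._v, h, self._c, self._reseed_counter.to_bytes(4, "big"))
        self._reseed_counter += 1
        return output

    def _hashgen(self, nbytes: int) -> bytes:
        """Hashgen (10.1.1.4): hash V, V+1, V+2, ... until enough output."""
        data, out = self._v, b""
        while len(out) < nbytes:
            out += HASH(data).digest()
            data = _add_mod(data, b"\x01")
        return out[:nbytes]


class FakeSmartcard:
    """Constructed stand-in for a PKCS#11 token's random source; deterministic on purpose."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.calls = 0          # how often the 'card' was asked for entropy

    def get_entropy(self, nbytes: int) -> bytes:
        self.calls += 1
        return _hash_df(self.seed + self.calls.to_bytes(4, "big"), nbytes)


def demo(token_seed: bytes = b"constructed-token-seed", urandom: bytes = b"\x00" * 32) -> dict:
    """Two requests in the described pattern: prediction resistance on every call,
    smartcard entropy drives each reseed, 'urandom' bytes enter only as additional input."""
    card = FakeSmartcard(token_seed)
    drbg = HashDRBG(card.get_entropy, nonce=b"constructed-nonce")
    first = drbg.generate(32, prediction_resistance=True, additional_input=urandom)
    second = drbg.generate(32, prediction_resistance=True, additional_input=urandom)
    return {"first": first, "second": second, "reseeds": drbg.reseeds, "card_calls": card.calls}


if __name__ == "__main__":
    result = demo()
    print("reseeds:", result["reseeds"], "card calls:", result["card_calls"])
    print("first: ", result["first"].hex())
    print("second:", result["second"].hex())
```

The point to observe is the call accounting: the instantiate step pulls entropy once, and each of the two generate() calls pulls again because prediction resistance forces a reseed, so the hardware source is consulted on every request while the additional input only perturbs the reseed material and never replaces it. With `prediction_resistance=False` the same DRBG serves requests from its internal state and touches the card only when the reseed interval expires, which is the behaviour the post's rand_method modification avoids.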
