[Cryptech Tech] Some thoughts and questions on the RNG strategy

Joachim Strömbergson joachim at secworks.se
Fri Feb 7 11:03:25 UTC 2014



Aloha!

Fredrik Thulin wrote:
> Can I have more than one, please?

More than one entropy source - yes! That is what I suggest that we should
have.

More than one CSPRNG - maybe.


> To me, ideally, the cryptech HSM shouldn't be too set on any one
> entropy source or processing algorithm, although I realise that there
> might be both knowledge- and technical reasons to limit end users
> choices here.

I agree. The entropy collection sub system should be agnostic in regards
to what source you use. You will need to know the bitrate and there will
always be tweaking to map the inputs to the right pins etc. But other
than that, we _should_ be entropy source agnostic.

The issue we are discussing now is what to use in our
demonstrator/example implementation. And the reason why it is important
is that what we choose here will reflect on how the project is
perceived. And also I would assume that quite a few of the possible Cryptech
implementers would borrow our entropy source designs if they seem
reasonably good.


> Joachim, you've previously slapped me silly when trying to draw ASCII
> diagrams of randomness processing =), but can't we have something
> functionally like this :
> 
> good source 1 ---> ChaCha ------+
>                                 +----> randomness
> good source 2 ---> DRBG-CTR ----+

Sure, it is quite possible. I think it is a waste of resources having
two CSPRNGs and I think the CSPRNG should be seeded from more than one
source, but it is possible.


> I'm not going near the debate about what is a good source. I hope
> those could be modular rather than set in stone.

If my design is to prevail it sure will be.

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
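The architecture argued for above (a source-agnostic collector that credits each source by its own bitrate, drops a source that goes bad, and seeds a single CSPRNG from more than one source) as an added example. This is not Cryptech code and not Joachim's or Fredrik's design; the source names, the credit values, the hash-counter "noise" sources (which have no real entropy and exist only so the demo runs offline), the `cryptech-demo-seed-mix-v1` label and the health-test cutoff are all constructed for the illustration. The DRBG is a minimal HMAC_DRBG (SP 800-90A with SHA-256) without a reseed counter, used here only to show the seed-to-output path.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional


class EntropySource:
    """A source is a name, a conservative entropy credit per delivered byte
    (derived from its measured bitrate), and a read callback. The pool never
    looks at what hardware sits behind the callback."""

    def __init__(self, name: str, credit_bits_per_byte: float,
                 read: Callable[[int], bytes]):
        self.name = name
        self.credit = credit_bits_per_byte
        self.read = read


def repetition_count_failed(data: bytes, cutoff: int = 20) -> bool:
    """Continuous health test in the spirit of SP 800-90B's repetition count
    test: a run of `cutoff` identical bytes means the source is stuck.
    The cutoff is a constructed demo value."""
    run = 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return True
    return False


class EntropyPool:
    """Source-agnostic collector: reads every registered source, stops
    crediting any source that fails the health test, and mixes the rest
    into one seed. Refuses to seed from fewer than `min_sources` sources."""

    def __init__(self, target_bits: int = 256, min_sources: int = 2, chunk: int = 32):
        self.sources: Dict[str, EntropySource] = {}
        self.target_bits = target_bits
        self.min_sources = min_sources
        self.chunk = chunk
        self.last_healthy: List[str] = []

    def add_source(self, src: EntropySource) -> None:
        self.sources[src.name] = src

    def collect(self, max_rounds: int = 64) -> bytes:
        h = hashlib.sha256(b"cryptech-demo-seed-mix-v1")  # constructed domain label
        credited = 0.0
        healthy = set(self.sources)
        rounds = 0
        while credited < self.target_bits and rounds < max_rounds:
            rounds += 1
            for name in sorted(healthy):
                data = self.sources[name].read(self.chunk)
                if repetition_count_failed(data):
                    healthy.discard(name)  # stuck source: stop crediting it
                    continue
                # Length-prefix each contribution so source boundaries are unambiguous.
                h.update(name.encode())
                h.update(len(data).to_bytes(4, "big"))
                h.update(data)
                credited += len(data) * self.sources[name].credit
            if len(healthy) < self.min_sources:
                raise RuntimeError("fewer than %d healthy entropy sources" % self.min_sources)
        if credited < self.target_bits:
            raise RuntimeError("could not credit %d bits of entropy" % self.target_bits)
        self.last_healthy = sorted(healthy)
        return h.digest()


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A, SHA-256): instantiate from the pool's
    seed, then generate. No reseed counter or additional input."""

    def __init__(self, seed: bytes):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed)

    def _update(self, data: Optional[bytes]) -> None:
        self.K = hmac.new(self.K, self.V + b"\x00" + (data or b""), hashlib.sha256).digest()
        self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
        if data:
            self.K = hmac.new(self.K, self.V + b"\x01" + data, hashlib.sha256).digest()
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
            out += self.V
        self._update(None)
        return out[:n]


def make_fake_noise(label: bytes) -> Callable[[int], bytes]:
    """Constructed stand-in for a hardware source: a hash counter. Deterministic
    and entropy-free; it only lets the demo run without real hardware."""
    state = {"ctr": 0}

    def read(n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(label + state["ctr"].to_bytes(8, "big")).digest()
            state["ctr"] += 1
        return out[:n]
    return read


def stuck_source(n: int) -> bytes:
    """Constructed failure mode: a source whose output has frozen at zero."""
    return b"\x00" * n


def build_demo_pool(include_stuck: bool = True) -> EntropyPool:
    pool = EntropyPool()  # constructed source names and credits below
    pool.add_source(EntropySource("avalanche-a", 2.0, make_fake_noise(b"a")))
    pool.add_source(EntropySource("ring-osc-b", 2.0, make_fake_noise(b"b")))
    if include_stuck:
        pool.add_source(EntropySource("stuck-c", 2.0, stuck_source))
    return pool


def demo():
    pool = build_demo_pool()
    seed = pool.collect()
    return pool.last_healthy, seed, HmacDrbg(seed).generate(64)


if __name__ == "__main__":
    healthy, seed, out = demo()
    print("healthy sources:", healthy)
    print("seed:", seed.hex())
    print("first 64 DRBG bytes:", out.hex())
```

With the demo sources, the stuck source is dropped in the first round, the two remaining sources are credited 64 bits each per round, and the pool reaches its 256-bit target after two rounds; a pool with only one healthy source refuses to produce a seed at all, which is the property the thread is asking for.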
