<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Does priority mean it won't get used in normal situations?<br>
<br>
What happens when the system is temporarily low on entropy? Any chance<br>
it can get used then?<br>
<br>
What happens when I create thousands of filenames containing many "A"'s?<br>
<br>
I'm still not convinced these are harmless. But I guess I'm strongly<br>
biased to only depending on a FIPS certified RNG.</blockquote><div><br></div><div>First, Botan uses entropy sources like Intel_Rdrand, /dev/random, /dev/srandom, and /dev/urandom. Each byte gathered is counted towards the polling goal with a fixed fraction depending on the entropy type. If not enough entropy has been gathered, then it will go through the list of Unix commands, one by one, sorted according to their priority. As shown by my previous example, the high priority commands created more than enough entropy. So yes, it won't get used in normal situations since you, besides the Unix commands, also have the other entropy sources that are used first.</div>
<div><br></div><div>Let's say that the filenames do get used; then yes, they will be added as entropy and counted as (bytes x 0.005) bits towards the goal of 128 bits. This will not be the only entropy; you will always have other bytes added before these bytes, e.g. the high resolution timestamp.</div>
<div><br></div><div>What I can do is to forward your concerns to the Botan mailing list, to discuss the usage of "ls -alni /tmp" as one of the low priority sources.</div><div><br></div><div>The key generation in SoftHSM uses a standard issue X9.31 Appendix A.2.4 PRNG with an AES-256 block cipher. The key for this block cipher comes from the HMAC_RNG, based on the design described in "On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF" by Hugo Krawczyk. The HMAC_RNG is reseeded after every 1024 random bytes. HMAC_RNG is used when the X9.31 PRNG gets its cipher key and when it refills its internal state / reseeds.</div>
<div><br></div><div>My belief is that this is good enough for a software based HSM like SoftHSM.</div><div><br></div><div>// Rickard</div></div></div></div>