[Opendnssec-develop] hsmutil test implemented

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Aug 25 10:04:20 UTC 2009

Hi Jakob,

Jakob Schlyter wrote:
> we're not testing random number quality, just that emits numbers as
> expected. the quality is checked as part of any certification process
> (e.g. FIPS 140-2).

Yes and no. Beware of vendors that implement C_GenerateRandom in
software only. The randomness checks for the certification may only
apply to the internal RNG in the HSM or token that is used for key
generation. Especially smart card and token vendors sometimes implement
C_GenerateRandom in software (although most of them are sensible enough
to use a common implementation, e.g. OpenSSL).

> I guess there are stuff talking PKCS#11 that does not provide any random
> numbers.

Yep, see above.

I agree with you, though, that testing RNGs on HSMs is out of scope and
maybe a bit too paranoid ;-)




-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

More information about the Opendnssec-develop mailing list