[Opendnssec-develop] hsmutil test implemented

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Aug 25 10:06:01 UTC 2009


Having said the below, what do you actually use the random data for? I
suppose for salting in NSEC3?

Cheers,

Roland

Roland van Rijswijk wrote:
> Hi Jakob,
> 
> Jakob Schlyter wrote:
>> we're not testing random number quality, just that emits numbers as
>> expected. the quality is checked as part of any certification process
>> (e.g. FIPS 140-2).
> 
> Yes and no. Beware of vendors that implement C_GenerateRandom in
> software only. The randomness checks for the certification may only
> apply to the internal RNG in the HSM or token that is used for key
> generation. Especially smart card and token vendors sometimes implement
> C_GenerateRandom in software (although most of them are sensible enough
> to use a common implementation, e.g. OpenSSL).
> 
>> I guess there are stuff talking PKCS#11 that does not provide any random
>> numbers.
> 
> Yep, see above.
> 
> I agree with you, though, that testing RNGs on HSMs is out of scope and
> maybe a bit too paranoid ;-)
> 
> Cheers,
> 
> Roland
> 


-- 

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl



More information about the Opendnssec-develop mailing list