[Opendnssec-develop] hsmutil test implemented
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Tue Aug 25 10:06:01 UTC 2009
Having said the below, what do you actually use the random data for? I
suppose for salting in NSEC3?
Cheers,
Roland
Roland van Rijswijk wrote:
> Hi Jakob,
>
> Jakob Schlyter wrote:
>> we're not testing random number quality, just that emits numbers as
>> expected. the quality is checked as part of any certification process
>> (e.g. FIPS 140-2).
>
> Yes and no. Beware of vendors that implement C_GenerateRandom in
> software only. The randomness checks for the certification may only
> apply to the internal RNG in the HSM or token that is used for key
> generation. Especially smart card and token vendors sometimes implement
> C_GenerateRandom in software (although most of them are sensible enough
> to use a common implementation, e.g. OpenSSL).
>
>> I guess there are stuff talking PKCS#11 that does not provide any random
>> numbers.
>
> Yep, see above.
>
> I agree with you, though, that testing RNGs on HSMs is out of scope and
> maybe a bit too paranoid ;-)
>
> Cheers,
>
> Roland
>
--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
More information about the Opendnssec-develop
mailing list