[Opendnssec-user] ods-signerd calling vmstat?!?
Rickard Bellgrim
rickard at opendnssec.org
Tue Sep 3 06:56:54 UTC 2013
> Does priority mean it won't get used in normal situations?
>
> What happens when the system is temporarilly low on entropy? Any chance
> it can get used then?
>
> What happens when I create thousands of filenames containing many "A"'s?
>
> I'm still not convinced these are harmless. But I guess I'm strongly
> biased to only depending on a FIPS certified RNG.
First Botan uses entropy sources like Intel_Rdrand, /dev/random,
/dev/srandom, and /dev/urandom. Each byte gathered is counted towards the
polling goal with a fixed fraction depending on the entropy type. If not
enough entropy has been gathered, then it will go through the list of Unix
commands, one by one sorted according to its priority. As shown by my
previous example, the high priority commands created more than enough
entropy. So yes, it won't get used in normal situations since you, besides
the Unix commands, also have the other entropy sources that is used first.
Lets say that the filenames do get used, then yes, they will be added as
entropy and counted as (bytes x 0.005) bits towards the goal of 128 bits.
This will not be the only entropy, you will always have other bytes added
before these bytes. Like e.g. the high resolution timestamp.
What I can do is to forward your concerns to the Botan mailing list. To
discuss the usage of "ls -alni /tmp" as one of the low priority sources.
The key generation in SoftHSM uses a standard issue X9.31 Appendix A.2.4
PRNG with a AES-256 block cipher. The key for this block cipher comes from
the HMAC_RNG, based on the design described in "On Extract-then-Expand Key
Derivation Functions and an HMAC-based KDF" by Hugo Krawczyk. The HMAC_RNG
is reseeded after every 1024 byte random byte. HMAC_RNG is used when the
X9.31 PRNG gets its cipher key and when it refills it internal state /
reseed.
My belief is that this is good enough for a software based HSM like SoftHSM.
// Rickard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130903/a7893cba/attachment.htm>
More information about the Opendnssec-user
mailing list