[Opendnssec-user] entropy source for SoftHSM
Rick van Rein
rick at openfortress.nl
Tue May 13 16:09:58 UTC 2014
> This source: http://www.enisa.europa.eu/activities/Resilience-and-CIIP/networks-and-services-resilience/dnssec/gpgdnssec/at_download/fullReport says:
> >The random number generator for the system should pass the NIST SP 800-22rev15 test
Adding a bit more context that is:
"A means for creating a secure backup of the keys used by the system must be provided, together with the option for key generation in a separate environment. Depending on the security requirements of the domain holder, a hardware security module (HSM) could be required for the signing system. In addition, requirements might be set to conform to the specified Security Requirements for Cryptographic Modules, Federal Information Processing Standards 140 (FIPS) level4. The random number generator for the system should pass the NIST SP 800-22rev15 test."
Although ambiguously formulated, I read the last sentence as par of the “In addition" to the “depending on” constraint of a Hardware Security Module, just as I said ;-) and it is considered optional. I would first consider replacing SoftHSM with an HSM before worrying about random number generations.
Come to think of it, SoftHSM is a bit of a misnomer — it might have been better to call it SoftSM :) but nobody would have understood it then.
More information about the Opendnssec-user