[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [kmip] KMIP: RNG Proposals
Tim, Good points -- just a couple of follow up comments below. Bob > > A common PRNG parameter which is not able to be specified in the current > proposal is Prediction Resistance. This is the combining of one bit of entropy > with each output bit. This can be on or off. This is discussed in detail in NIST's > SP800-90a-rev1. > We haven't seen any NIST indication as yet that this will be included in the > RNG testing. It can be added if this is of interest and you see a use case for it. [<[Bob]>] I think that Peter is referring to the fact that NIST specify each DRBG as being instantiated with Prediction Resistance on, or off -- both/either of which can be tested. So I think if we are going to have attributes which represent the state in which the PRNG was used, then perhaps just an attribute flag indicating whether or not 'Prediction Resistance' was enabled should be sufficient. For an example, here's a link to a NIST algorithm validation with PR enabled: http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#188 > > > It would be good to be able to indicate what entropy sources have been or > will be used to seed a PRNG algorithm. Is it fair to assume that all PRNG > instances in a server will be seeded with the same types of entropy sources, > and as such could this be the same for all PRNG algorithms? > > That is an interesting area for discussion - classification of the actual entropy > source - and something I think is a lot broader as an area. To date no one has > indicate that this is something which is of interest - and NIST itself don't have > a taxonomy for classification of actual entropy sources. The assumption you > ask about isn't one that is valid to make from my understanding. It would be > useful to get comments from others. I think this whole area (entropy > sources) is one the group hasn't indicated an interest or a use case for > tackling as yet. [<[Bob]>] Definitely an interesting topic and one which NIST has yet to finalize, although they have indicated in recent drafts of SP800-90B that they will be qualifying the seed sources -- what that will look like is hard to guess, but my feeling is that they will be going with the 'min-entropy' number as a qualifier for h/w sources. Regardless, my recommendation is that we be prepared to support some sort of qualification of the seeding source, which could be another DRBG, or most likely a h/w source. Perhaps providing a 'seed qualification' field which supports both DRBGs and future h/w qualifications of min-entropy?