OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pkcs11-comment] Regarding CKF_RNG flag in CK_TOKEN_INFO

Thanks Alan and Daniel for your replies.

I agree with Alan on C_GenerateRandom and C_SeedRandom expectations.

On Tue, Feb 15, 2022 at 4:39 AM Alan Braggins <alan.braggins@gmail.com> wrote:
"C_GenerateRandom generates random or pseudo-random data" and CKF_RNG
indicates "the token has its own random number generator" so arguably
it would be not wrong for a token with no true random number generator
to not set CKF_RNG but nonetheless return pseudo-random data and
CKR_OK when C_GenerateRandom was called.
If CKF_RNG is actually expected to be set when only a pseudo-random
generator is available, maybe a separate flag should be added to
indicate that calling C_SeedRandom with an external source of
randomness is required for good quality C_GenerateRandom output.

(Disclaimer: I haven't used PKCS#11 for years, and only worked with
HSMs with hardware randomness when I did.)

On Thu, 10 Feb 2022 at 12:51, Daniel Minder <Daniel.Minder@utimaco.com> wrote:
>
> Hi Brahmaji,
>
>
>
> see the definition of CKR_RANDOM_NO_RNG: âThis value can be returned by C_SeedRandom and C_GenerateRandom. It indicates that the specified token doesnât have a random number generator. [â]â
>
> Since CKF_RNG shows whether the token has an RNG or not, my interpretation is that C_SeedRandom and C_GenerateRandom will return CKR_RANDOM_NO_RNG if CKF_RNG is not set.
>
> But even if CKF_RNG is set C_SeedRandom might not be supported in which case CKR_RANDOM_SEED_NOT_SUPPORTED is returned.
>
>
>
> What would be your expectation on the outcome if CKF_RNG is not set and you call C_GenerateRandom or C_SeedRandom?
>
>
>
> Regards,
>
> Daniel
>
>
>
> From: pkcs11-comment@lists.oasis-open.org <pkcs11-comment@lists.oasis-open.org> On Behalf Of Brahmaji K
> Sent: Donnerstag, 10. Februar 2022 11:55
> To: pkcs11-comment@lists.oasis-open.org
> Subject: [pkcs11-comment] Regarding CKF_RNG flag in CK_TOKEN_INFO
>
>
>
> Dear OASIS Team,
>
>
>
> When the CKF_RNG flag is not set can we still use the C_SeedRandom() API? Any specific restrictions around using this flag on Random APIs like C_GenerateRandom() and C_SeedRandom()?
>
>
>
> This is a generic question, not specific to the cryptoki version.
>
>
>
> Thanks and Regards,
>
> Brahmaji K
>
>
> ________________________________
>
> Utimaco IS GmbH
> Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
> Seat: Aachen â Registergericht Aachen HRB 18922
> VAT ID No.: DE 815 496 496
> Managementboard: Stefan Auerbach (Chairman) CEO, Malte Pollmann CSO, Martin Stamm CFO
>
> This communication is confidential. If you are not the intended recipient, any use, interference with, disclosure or copying of this material is unauthorised and prohibited. Please inform us immediately and destroy the email.



--
alan.braggins@gmail.com
http://www.chiark.greenend.org.uk/~armb/

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]