[Pcsclite-muscle] max length of randomLen for C_GenerateRandom
Michael StJohns
mstjohns
Fri Apr 21 09:40:47 PDT 2017
On 4/21/2017 8:41 AM, Florent wrote:
> Hi
>
> You want to marry your smart card as a source of entropy to a DRBG
> and reseed the DRBG from the smart card fairly often. See NIST
> SP800-90A for the general form for a DRBG.
>
>
> Since 2007 and 2013, the SP800-90A has been criticized ;)
Actually - it's just the Dual EC mode that was criticized. AFAICT, the
remaining modes are as secure as the underlying PRF.
> All the controversy aside, the simultaneous use is a good idea, though.
>
> Alternately, you can use multiple sources of entropy - a smart
> card, a TPM, one of the TRNGs from above and use them to seed the
> DRBG. That way you're not dependent on any of these being
> "trusted". Simplest way to do this is XOR the N streams of TRNG
> data together to provide the seed and reseed data. Oh yeah - most
> modern Intel motherboards and processors support the RDRAND and
> RDSEED instructions and there is software to expose those for use.
> (https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide
>
> As long as your TRNG can keep up with the reseed schedule, you can
> get a *lot* of bits out of the DRBG.
>
>
> I'll dig into that some more
>
> WRT to the smart card, my guess is there is a TRNG backing a DRBG
> of some sort.
>
>
> Again, this may be checked if I have the source code of the PKCS11
> driver, yes?
No - I've got the unredacted data sheets for the smart cards and they
don't go any deeper than AIS31 compliant RNG. The PKCS11 driver has
nothing to do with this. From conversations I had on the show floor at
RSA many years ago, I believe there's some sort of noisy diode or some
what as an entropy source, but I wouldn't make a bet on that belief.
>
> I wouldn't trust a generic PKCS11 driver to do what you want.
>
>
> Do you mean "generic" as in a driver not provided by the vendor
> itself? (i.e. OpenSC or Charismatics)
Sorry - I actually should have said "random" as in any given PKCS11
driver. If you've got source you've got a better idea of what's
happening, but even then if you don't have the detailed reality of the
underlying HSM you may still be guessing wrong.
Mike
>
> Cheers
>
>
>
> _______________________________________________
> Pcsclite-muscle mailing list
> Pcsclite-muscle at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
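As an added illustration of the scheme discussed above (XOR the N TRNG streams to form seed and reseed material, then run an SP 800-90A DRBG with a reseed schedule), here is example code written for this page, not from the pcsclite project or the poster. It implements HMAC_DRBG with SHA-256 and assumes the sources are independent: constructed byte strings stand in for the smart card, TPM and RDSEED outputs, and XOR only helps when no source can observe another's output.

```python
import hashlib
import hmac


def combine_sources(streams):
    """XOR N equal-length entropy streams; the result is at least as strong as
    the best single stream provided the streams are independent (assumption)."""
    if not streams or len({len(s) for s in streams}) != 1:
        raise ValueError("need one or more equal-length streams")
    out = bytearray(len(streams[0]))
    for s in streams:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


class HmacDrbg:
    """HMAC_DRBG from SP 800-90A (SHA-256) with a reseed counter."""

    def __init__(self, seed, reseed_interval=1000):
        self.k = b"\x00" * 32          # initial Key per the spec
        self.v = b"\x01" * 32          # initial V per the spec
        self.reseed_interval = reseed_interval
        self._update(seed)             # seed = combined entropy (+ nonce)
        self.counter = 1

    def _hmac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data):
        # HMAC_DRBG_Update: mixes provided data into K and V.
        self.k = self._hmac(self.k, self.v + b"\x00" + data)
        self.v = self._hmac(self.k, self.v)
        if data:
            self.k = self._hmac(self.k, self.v + b"\x01" + data)
            self.v = self._hmac(self.k, self.v)

    def needs_reseed(self):
        return self.counter > self.reseed_interval

    def reseed(self, entropy):
        # Fresh TRNG material (e.g. XOR of smart card, TPM, RDSEED) goes here.
        self._update(entropy)
        self.counter = 1

    def generate(self, n):
        if self.needs_reseed():
            raise RuntimeError("reseed required before more output")
        out = b""
        while len(out) < n:
            self.v = self._hmac(self.k, self.v)
            out += self.v
        self._update(b"")              # no additional input
        self.counter += 1
        return out[:n]
```

With a short `reseed_interval` the `needs_reseed()` check forces the caller back to the TRNGs, which is the "as long as your TRNG can keep up with the reseed schedule" condition from the thread.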