[Openswan dev] Support for hardware random number generators

David McCullough David_Mccullough at securecomputing.com
Fri Nov 21 06:40:14 EST 2008

Jivin Paul Wouters lays it down ...
> On Thu, 20 Nov 2008, Vrabete, Brad wrote:
> > You're right. But the situation changes if the HW RNG was built to be FIPS
> > compliant. Then (and only then) FIPS check can be disabled to save CPU
> > clocks.
> Then perhaps the kernel should provide a way of telling us that information,
> and we could dynamically decide on doing our own fips checks.
> The alternative would be to do fips checks and after a certain time,
> decide everything was good and to drop the checks. That would at
> least catch the really bad streams of zeros we've seen, though not the
> more subtly broken things, or things that somehow actually physically
> break at some point.

Well the more paranoid are concerned that the RNG stops working (HW
failure) and no one detects it.

Depending on the application,  all views are reasonable ;-)


David McCullough,  david_mccullough at securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org   http://www.snapgear.com

More information about the Dev mailing list