[Openswan dev] Support for hardware random number generators
David McCullough
David_Mccullough at securecomputing.com
Fri Nov 21 06:40:14 EST 2008
Jivin Paul Wouters lays it down ...
> On Thu, 20 Nov 2008, Vrabete, Brad wrote:
>
> > You're right. But the situation changes if the HW RNG was built to be FIPS
> > compliant. Then (and only then) FIPS check can be disabled to save CPU
> > clocks.
>
> Then perhaps the kernel should provide a way of telling us that information,
> and we could dynamically decide on doing our own FIPS checks.
>
> The alternative would be to do FIPS checks and after a certain time,
> decide everything was good and to drop the checks. That would at
> least catch the really bad streams of zeros we've seen, though not the
> more subtly broken things, or things that somehow actually physically
> break at some point.

Well the more paranoid are concerned that the RNG stops working (HW
failure) and no one detects it.

Depending on the application, all views are reasonable ;-)

Cheers,
Davdm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.snapgear.com
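
The trade-off discussed in this message, as an added example that is not part of the original post or of Openswan's code: a per-block check using the FIPS 140-2 monobit and long-run thresholds, run against a source that fails in service, once with the check dropped after a warm-up period and once kept on every block. The simulated device, the function names and the block counts are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define BLOCK_BYTES 2500   /* 20,000 bits, the FIPS 140-2 test block size */

/* FIPS 140-2 monobit and long-run tests; returns 1 if the block passes. */
int fips_block_ok(const uint8_t *buf)
{
    int ones = 0, run = 0, longest = 0, prev = -1;
    for (int i = 0; i < BLOCK_BYTES * 8; i++) {
        int bit = (buf[i / 8] >> (i % 8)) & 1;
        ones += bit;
        run = (bit == prev) ? run + 1 : 1;
        if (run > longest) longest = run;
        prev = bit;
    }
    return ones > 9725 && ones < 10275 && longest < 26;
}

/* Constructed stand-in for a hardware RNG: xorshift32 output until block
 * fail_at, then all zeros, modelling a device that breaks in service. */
static uint32_t state;
void sim_read(uint8_t *buf, int block_no, int fail_at)
{
    for (int i = 0; i < BLOCK_BYTES; i++) {
        state ^= state << 13; state ^= state >> 17; state ^= state << 5;
        buf[i] = (block_no < fail_at) ? (uint8_t)(state >> 24) : 0;
    }
}

/* Reads `blocks` blocks but tests only the first `checked` of them.
 * Returns how many failing blocks reached the consumer untested. */
int bad_blocks_accepted(int blocks, int checked, int fail_at)
{
    uint8_t buf[BLOCK_BYTES];
    int accepted_bad = 0;
    state = 0x2545F491u;   /* fixed seed so runs are repeatable */
    for (int n = 0; n < blocks; n++) {
        sim_read(buf, n, fail_at);
        if (n >= checked && !fips_block_ok(buf))
            accepted_bad++;   /* check already dropped: bad block is used */
    }
    return accepted_bad;
}

int main(void)
{
    printf("check dropped after 10 blocks: %d bad blocks used\n", bad_blocks_accepted(100, 10, 40));
    printf("check on every block: %d bad blocks used\n", bad_blocks_accepted(100, 100, 40));
    return 0;
}
```

A strictly alternating 0101... block passes both of these tests, which is the "more subtly broken" case that neither policy catches with these two checks alone.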