[149181] in cryptography@c2.net mail archive


Re: [Cryptography] Auditing rngs

daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Jan 21 17:00:19 2014

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52DEE442.6030100@connotech.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Tue, 21 Jan 2014 16:41:00 -0500
To: Thierry Moreau <thierry.moreau@connotech.com>
Cc: Philip Shaw <wahspilihp@gmail.com>, Tom Mitchell <mitch@niftyegg.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Bill Frantz <frantz@pwpconsult.com>, Kent Borg <kentborg@borg.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

> On Jan 21, 2014, at 4:18 PM, Thierry Moreau <thierry.moreau@connotech.com> wrote:
...
> You did not prove anything about the 512 bits entropy estimate. You merely postulated it. The deterministic process from (Ex,Ax) to keypairx may be audited like any other software logic implementation.

If the HSM's entropy estimates are correct, or the additional input has as much entropy as is postulated, then the drbg gets to a secure starting point.  

There isn't any test you can do on entropy source outputs that will guarantee that they have some claimed amount of entropy, so your complaint seems kinda unavoidable beyond that.  

--John



> Regards,
> 
> -- 
> - Thierry Moreau
> 
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
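An added illustration of the point John makes above: this is example code written for this archive page, not code from any list member, from an HSM vendor, or from the thread. It applies a most-common-value min-entropy estimator (in the shape of the one in NIST SP 800-90B, which is an assumption about how an auditor would test outputs) to two constructed sources: a deterministic SHA-256 counter-mode stream whose seed is public, and a genuinely random but heavily biased source. The estimator happily credits the deterministic stream with nearly 8 bits per byte, though its entropy to anyone who knows the seed is zero, while it does flag the biased source. Output testing can catch gross defects; it cannot certify a postulated entropy figure.

```python
import hashlib
import math
import os
from collections import Counter

# SP 800-90B's most-common-value estimator uses a 99% confidence adjustment (z = 2.576).
Z_99 = 2.576


def deterministic_source(seed: bytes, n_bytes: int) -> bytes:
    """Constructed fake 'noise source': SHA-256 of (seed || counter).

    To anyone who knows the seed it carries zero entropy, yet its output
    is statistically indistinguishable from uniformly random bytes.
    """
    out = bytearray()
    ctr = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n_bytes])


def biased_source(n_bytes: int, p_zero: float = 0.9) -> bytes:
    """Constructed real-but-poor source: emits 0x00 with probability about
    p_zero, otherwise a fresh OS random byte. Its entropy is genuinely low,
    which is the kind of defect output testing *can* detect."""
    coins = os.urandom(n_bytes)
    vals = os.urandom(n_bytes)
    threshold = int(p_zero * 256)
    return bytes(0 if c < threshold else v for c, v in zip(coins, vals))


def mcv_min_entropy(samples: bytes) -> float:
    """Most-common-value min-entropy estimate, in bits per byte sample.

    p_u is a 99% upper bound on the probability of the most common symbol
    (assumed to follow SP 800-90B section 6.3.1); the estimate is -log2(p_u).
    """
    n = len(samples)
    p_max = max(Counter(samples).values()) / n
    p_u = min(1.0, p_max + Z_99 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return -math.log2(p_u)


def conditional_entropy_bound(unknown_seed_bits: int, n_bytes: int) -> int:
    """Upper bound on the entropy an auditor who knows the construction can
    credit to deterministic_source: never more than the unknown part of the
    seed, however long the output stream is."""
    return min(unknown_seed_bits, 8 * n_bytes)


def audit(n_bytes: int = 65536) -> dict:
    """Run the estimator over both constructed sources and report the gap
    between what the statistics suggest and what the design guarantees."""
    seed = b"constructed-fixed-seed"  # constructed and public: 0 unknown bits
    fake = deterministic_source(seed, n_bytes)
    weak = biased_source(n_bytes)
    fake_est = mcv_min_entropy(fake)
    return {
        "fake_source_estimate_bits_per_byte": fake_est,
        "fake_source_total_estimate_bits": fake_est * n_bytes,
        "fake_source_true_bound_bits": conditional_entropy_bound(0, n_bytes),
        "biased_source_estimate_bits_per_byte": mcv_min_entropy(weak),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value:.3f}")
```

The only number in the report that an auditor can actually defend is the true bound, and it comes from reviewing the construction (where the seed comes from, how many of its bits are unknown to an adversary), not from the output statistics. That is the same split the thread draws between auditing the deterministic path and postulating the entropy of its input.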
