2014 FIPS disallows ANSI X9.31
Werner Koch
wk at gnupg.org
Fri Jan 17 08:36:33 CET 2014
On Thu, 16 Jan 2014 18:21, john at masinter.net said:
> The ANSI X 9.31 RNG should be replaced with FIPS recommended SP800-90 DRBG.
Libgcrypt has a mechanism to select from several RNG implementations.
Adding another one will be simple. However, it is quite some work to
actually code and test it.
Frankly, I once looked at the options but then figured that X9.31 would be
easier to implement and did just that.
> Is there any branch or work planned to address the 2014 change in FIPS
> requirements?
Is there anyone who wants to sponsor that? From a technical and privacy
point of view a FIPS certification is useless. In particular a DRNG
which does not address the problem of the seed.
> Or is there any option to build GnuPG with OpenSSL? (Are you laughing now?:)
GnuPG is tightly coupled to Libgcrypt.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
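For readers of this thread, here is an added example (not Libgcrypt's code and not part of Werner's message) of the SP 800-90 construction that was proposed as the X9.31 replacement, written in Python so it runs with only the standard library. It implements HMAC_DRBG from SP 800-90A with SHA-256 and then shows the point about the seed: the generator is fully deterministic, so two instances fed the same guessable seed emit the same stream, while one seeded from the OS entropy pool does not. Class and function names, and the all-zero "weak seed", are constructed for the illustration.

```python
import hmac
import hashlib
import os


class HmacDrbg:
    """HMAC_DRBG as specified in NIST SP 800-90A, instantiated with SHA-256.

    Added illustration, not Libgcrypt's code: it shows the construction the
    thread proposes as the X9.31 replacement, and why the quality of the
    seed (entropy_input) decides the security of everything it outputs.
    """

    OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256
    RESEED_INTERVAL = 1 << 48              # maximum allowed by SP 800-90A

    def __init__(self, entropy_input, nonce=b"", personalization=b""):
        # Initial key and value are the fixed constants from the standard.
        self.key = b"\x00" * self.OUTLEN
        self.value = b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: mixes provided_data into the internal state (K, V).
        self.key = self._hmac(self.key, self.value + b"\x00" + provided_data)
        self.value = self._hmac(self.key, self.value)
        if provided_data:
            self.key = self._hmac(self.key, self.value + b"\x01" + provided_data)
            self.value = self._hmac(self.key, self.value)

    def reseed(self, entropy_input, additional_input=b""):
        # Fresh entropy is the only thing that recovers from a compromised state.
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes, additional_input=b""):
        # HMAC_DRBG_Generate: refuses to run past the reseed interval.
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:num_bytes]


def outputs_for_seed(seed, num_bytes=32):
    """Return the first num_bytes produced by a DRBG instantiated from seed."""
    return HmacDrbg(seed).generate(num_bytes)


def seed_problem_demo():
    """Constructed demo: the DRBG is only as unpredictable as its seed.

    Two instances fed the same guessable seed emit identical streams, so
    anyone who knows the seed can recompute every output; only the entropy
    behind the seed (here the OS pool) provides real unpredictability.
    """
    weak_seed = b"\x00" * 32                   # constructed: a fixed, guessable seed
    a = outputs_for_seed(weak_seed)
    b = outputs_for_seed(weak_seed)
    strong = outputs_for_seed(os.urandom(32))  # seeded from the OS entropy pool
    return a == b, a != strong


if __name__ == "__main__":
    same, differs = seed_problem_demo()
    print("identical seeds give identical output:", same)
    print("a fresh OS-seeded instance differs:", differs)
```

The generate/update steps follow SP 800-90A literally, so the deterministic mapping from seed to output is the standard's own property, not a defect of this code: a certified DRBG still depends on a seeding path that no document about the algorithm itself specifies.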