[PATCH 0/2] SP800-90A DRBG
Stephan Mueller
smueller at chronox.de
Wed Feb 17 18:30:36 CET 2016
Am Mittwoch, 17. Februar 2016, 17:20:17 schrieb Werner Koch:
Hi Werner,
>Hi Stephan,
>
>On Tue, 16 Feb 2016 22:03, smueller at chronox.de said:
>> as the SP800-90A DRBG is considered for inclusion into 1.7, I ported the
>> existing DRBG patch set in [1] to the current git tree of libgcrypt.
>
>Thanks for that update. Actually integration of your code was on my
>short list.
>
>You added a new API gcry_randomize_drbg along with a new structure and a
>lot of new constants which seem to be only there to expose internal
>stuff. Why can't we just use a replacement for the current X9.31
>generator? There should be just an RNG and not a way to configure it.
The question is what kind of support do you want to have with the DRBG. The
implementation in the patch includes all bells and whistles defined in
SP800-90A. The following listing enumerates options which may be removed from
the current implementation:
- implementation of either Hash, HMAC or CTR DRBG with only one cipher
- remove prediction resistance
- remove support for additional information
- remove support for personalization string
- remove reseed support
All these items are options at the disposal of the caller.
The mentioned function of gcry_randomize_drbg is a convenience wrapper to
gcry_randomize as this function has no natural API for supplying an additional
information string.
I am happy to distill out the unwanted pieces. But I am not sure what I shall
remove.
Note, the default DRBG is the HMAC DRBG with SHA-256 core without prediction
resistance. I favor the HMAC DRBGs as they are the leanest ones.
Ciao
Stephan
More information about the Gcrypt-devel
mailing list