On Tue, Oct 2, 2012 at 9:02 PM, Robert Relyea <rrel...@redhat.com> wrote:
>
> But we can use it to seed the PRNG. There's a pretty easy way to get NSS to
> use HW generated values to get some initial entropy: if you create a PKCS
> #11 module that advertises a RNG (see the PKCS #11 spec), NSS will mix
> entropy from its own internal PRNG as well as extract random values to mix
> into its internal PRNG. Such a scheme would allow even old versions of NSS
> to benefit from HW RNGs.
>
> As another step, there are a set of internal entropy collecting functions
> within NSS that are platform specific, called:
> win_rand.c, unix_rand.c, and os2_rand.c. Mixing hardware generated bits into
> the RNG_SystemRNG() call would pick up new HW generated entropy whenever NSS
> decided it needs to reseed.
Yes, we can use it as an entropy source. I think the latter method is better.

I just verified that there is no DRBG validation certificate issued to Intel:
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html

So I think we can only use it as an entropy source.

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
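The second approach in the thread (mixing hardware bits into an RNG_SystemRNG()-style collector, using the hardware output only as an extra entropy source rather than as the DRBG) looks roughly like the following. This is an added illustration, not NSS code and not Intel's library: it assumes an x86-64 build with a GCC/Clang compiler, uses the RDRAND instruction as the hardware source with the retry loop the instruction requires, reads the OS entropy from /dev/urandom, and the names hw_entropy, mix_entropy and collect_seed are hypothetical. The point it demonstrates is that a hardware source which is absent, failing or untrusted can only add to the OS seed, never replace it.

```c
/* Added example (not NSS code): mix optional hardware RNG output into an
 * OS-provided seed, the way the thread describes for RNG_SystemRNG().
 * The hardware bytes are an extra entropy source only; the DRBG stays NSS's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <cpuid.h>
#define HAVE_X86_64 1
#else
#define HAVE_X86_64 0
#endif

/* Returns 1 if the CPU reports the RDRAND feature bit (CPUID.1:ECX[30]). */
int cpu_has_rdrand(void)
{
#if HAVE_X86_64
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((ecx >> 30) & 1u);
#else
    return 0;
#endif
}

#if HAVE_X86_64
/* One 64-bit RDRAND with a bounded retry loop: the instruction can
 * legitimately report failure (carry flag clear), so the result must be
 * checked and never assumed. */
__attribute__((target("rdrnd")))
static int rdrand64(uint64_t *out)
{
    for (int i = 0; i < 10; i++) {
        unsigned long long v;
        if (__builtin_ia32_rdrand64_step(&v)) {
            *out = (uint64_t)v;
            return 1;
        }
    }
    return 0;
}
#endif

/* Fill buf with hardware random bytes. Returns the number written, which is
 * 0 when the hardware source is absent or keeps failing, so the caller can
 * proceed without it. (hypothetical name) */
size_t hw_entropy(uint8_t *buf, size_t len)
{
#if HAVE_X86_64
    if (!cpu_has_rdrand())
        return 0;
    size_t done = 0;
    while (done < len) {
        uint64_t v;
        if (!rdrand64(&v))
            break;
        size_t n = (len - done < sizeof v) ? len - done : sizeof v;
        memcpy(buf + done, &v, n);
        done += n;
    }
    return done;
#else
    (void)buf; (void)len;
    return 0;
#endif
}

/* XOR src into pool. With independent sources, XOR mixing cannot remove
 * entropy: an all-zero (failed) or biased src leaves the pool no worse than
 * the OS bytes alone. Returns the number of bytes mixed. (hypothetical name) */
size_t mix_entropy(uint8_t *pool, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        pool[i] ^= src[i];
    return len;
}

/* Build a seed the way a RNG_SystemRNG()-style collector would: OS entropy
 * first (from /dev/urandom, an assumption of this example), hardware bytes
 * mixed in on top. Returns the seed length, or 0 if the OS source is
 * unavailable: hardware output on its own is never accepted as the seed. */
size_t collect_seed(uint8_t *seed, size_t len)
{
    uint8_t hw[256];
    if (len == 0 || len > sizeof hw)
        return 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    size_t got = fread(seed, 1, len, f);
    fclose(f);
    if (got != len)
        return 0;
    size_t n = hw_entropy(hw, len);
    if (n > 0)
        mix_entropy(seed, hw, n);
    memset(hw, 0, sizeof hw); /* do not leave seed material on the stack */
    return len;
}

int main(void)
{
    uint8_t seed[32];
    size_t n = collect_seed(seed, sizeof seed);
    printf("rdrand available: %d, seed bytes: %zu\n", cpu_has_rdrand(), n);
    for (size_t i = 0; i < n; i++)
        printf("%02x", seed[i]);
    printf("\n");
    return n == sizeof seed ? 0 : 1;
}
```

Compile with `cc -O2 seed_mix.c -o seed_mix`; on a non-x86-64 host or a CPU without RDRAND the program still produces a 32-byte seed from the OS source alone, which is the property a collector like this needs.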