
Examples openssl3 fips provider with jitter entropy backends

Open vkosuri opened this issue 11 months ago • 3 comments

Hi, with little crypto knowledge, I am looking at how I can use jitter entropy and the OpenSSL backend together when it comes to OpenSSL 3 with the FIPS provider?

vkosuri, Mar 06 '24 18:03

On Wednesday, 6 March 2024, 19:31:37 CET, Mallikarjunarao Kosuri wrote:

Hi Mallikarjunarao,

> Hi, with little crypto knowledge, I am looking at how I can use jitter entropy and the OpenSSL backend together when it comes to OpenSSL 3 with the FIPS provider?

You either change OpenSSL to use the Jitter RNG as entropy source (e.g. by updating the RAND_poll function).

Another option is to use the SLES/RHEL kernels where the /dev/random output provides SP800-90B compliant data derived from the in-kernel Jitter RNG version. Or port the relevant patches to your kernel.

Ciao Stephan

smuellerDD, Mar 07 '24 14:03
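Added example, not part of the thread and not code from the acvpparser project: a shell check for two preconditions of the kernel-side option described above, namely that the in-kernel Jitter RNG is registered (and passed its self-test) in `/proc/crypto` and that kernel FIPS mode is on. It cannot show that `/dev/random` carries the SLES/RHEL patches mentioned in the reply; the function names and the `selftest` requirement are choices made for this example.

```shell
#!/bin/sh
# Added example: inspect kernel state relevant to the in-kernel Jitter RNG.
# File paths are parameters so saved copies from another host can be checked.

# jitter_rng_registered FILE
# Exit 0 if FILE (in /proc/crypto format) has a stanza with
# name=jitterentropy_rng, type=rng and selftest=passed.
jitter_rng_registered() {
    [ -r "$1" ] || return 1
    awk -F'[ \t]*:[ \t]*' '
        function check_stanza() {
            if (name == "jitterentropy_rng" && type == "rng" && selftest == "passed")
                ok = 1
            name = type = selftest = ""
        }
        NF == 0          { check_stanza(); next }   # blank line ends a stanza
        $1 == "name"     { name = $2 }
        $1 == "type"     { type = $2 }
        $1 == "selftest" { selftest = $2 }
        END              { check_stanza(); exit(ok ? 0 : 1) }
    ' "$1"
}

# kernel_fips_enabled FILE
# Exit 0 if FILE (normally /proc/sys/crypto/fips_enabled) contains "1".
kernel_fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# kernel_entropy_report [CRYPTO_FILE] [FIPS_FILE]
# Print a one-line summary; both conditions are necessary, not sufficient,
# for the kernel-based setup described in the reply.
kernel_entropy_report() {
    crypto_file=${1:-/proc/crypto}
    fips_file=${2:-/proc/sys/crypto/fips_enabled}
    jitter=no
    fips=no
    jitter_rng_registered "$crypto_file" && jitter=yes
    kernel_fips_enabled "$fips_file" && fips=yes
    echo "jitter_rng=$jitter fips_mode=$fips"
}

kernel_entropy_report "$@"
```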

> On Wednesday, 6 March 2024, 19:31:37 CET, Mallikarjunarao Kosuri wrote: Hi Mallikarjunarao,
>
> You either change OpenSSL to use the Jitter RNG as entropy source (e.g. by updating the RAND_poll function).

In OpenSSL with the FIPS provider, the RAND generators are CONFORMING TO SP800-90B: https://github.com/openssl/openssl/blob/master/doc/man7/EVP_RAND-CTR-DRBG.pod#conforming-to

My question is, without ACVP Jitter entropy can I use OpenSSL RAND Generator with FIPS provider?

vkosuri, Mar 08 '24 01:03

On Friday, 8 March 2024, 02:57:06 CET, Mallikarjunarao Kosuri wrote:

Hi Mallikarjunarao,

>> On Wednesday, 6 March 2024, 19:31:37 CET, Mallikarjunarao Kosuri wrote: Hi Mallikarjunarao,
>>
>> You either change OpenSSL to use the Jitter RNG as entropy source (e.g. by updating the RAND_poll function).
>
> In OpenSSL with the FIPS provider, the RAND generators are CONFORMING TO SP800-90B: https://github.com/openssl/openssl/blob/master/doc/man7/EVP_RAND-CTR-DRBG.pod#conforming-to

It would be helpful for you to understand what that means. 90B is an entropy source specification and OpenSSL does not have any entropy source. That said, I have no clue what this reference means.

> My question is, without ACVP Jitter entropy can I use OpenSSL RAND Generator with FIPS provider?

Not that I am aware of as outlined above.

Ciao Stephan

smuellerDD, Mar 12 '24 21:03