Re: Random numbers from Jarred Nicholls on 2012-05-15 (public-webcrypto@w3.org from May 2012)

From: Jarred Nicholls <jarred@webkit.org>
Date: Tue, 15 May 2012 12:28:27 -0400
To: Philip Gladstone <pgladsto@cisco.com>
Cc: public-webcrypto@w3.org
Message-ID: <CANufG2MQBSZ59HRGRtc2tufeC+RCzSREy24G7qFeOANZ6ks_=Q@mail.gmail.com>

On Tue, May 15, 2012 at 11:29 AM, Philip Gladstone <pgladsto@cisco.com>wrote:

>  Thanks for that pointer. Mnay operating systems have both /dev/random and
> /dev/urandom -- I suspect that we would want to expose both types of random
> numbers (i.e. an event interface that returns when there is sufficient
> entropy, and a synchronous interface for getting pseudo-random numbers).
>
> I would hope that when the hardware has a good source of random numbers
> (e.g. when Intel's Bull Mountain is available), then that source would be
> used in both cases. Getting good sources of entropy is hard, and this is
> especially important when generating keying material (recall the issues
> with duplicate primes in SSL certificates from earlier this year).
>
> Philip
>
>
> On 5/15/2012 11:01 AM, Nadim wrote:
>
>  Also, very relevant is window.crypto.getRandomValues:
> http://wiki.whatwg.org/wiki/Crypto
>
>  NK
>
>  On Tuesday, 15 May, 2012 at 10:59 AM, Nadim wrote:
>
>   If we implement AES and SHA-2, we can use these as building blocks for
> a Fortuna RNG (spec. Bruce Schneier, Niels Ferguson.) I've already
> implemented Fortuna in JS and it's definitely feasible.
>
>  NK
>
>  On Tuesday, 15 May, 2012 at 10:52 AM, Philip Gladstone wrote:
>
>   I believe that the crypto API should have a method for generating
> cryptographically secure random numbers. This is non-trivial to get right,
> but there is hardware support in some new chips for generating high quality
> random numbers. A uniform random number interface can abstract the platform
> differences and provide a uniform interface..
>
> Philip
>
> --
> Philip Gladstone
> Distinguished Engineer
> Product Developmentpgladstone@cisco.com
> Phone: +1 978-ZEN-TOAD (+1 978 936 8623)
> Google: +1 978 800 1010
> Ham radio: N1DQ
>
>
> Attachments:
>  - smime.p7s
>
>
>
>
> --
> Philip Gladstone
> Distinguished Engineer
> Product Developmentpgladstone@cisco.com
> Phone: +1 978-ZEN-TOAD (+1 978 936 8623)
> Google: +1 978 800 1010
> Ham radio: N1DQ
>
>
Note that this almost directly correlates with the future decision of the
level of API this WG is aiming to build (low, medium, high) and the use
cases it aims to satisfy, i.e., if crypto RNG is a necessity for an
accepted use case.  Perhaps the next step is to weigh in on or create use
cases that provide more points towards deciding on the API level.

Thanks,
Jarred

Received on Tuesday, 15 May 2012 16:29:20 UTC