[Pcsclite-muscle] max length of randomLen for C_GenerateRandom

Ludovic Rousseau ludovic.rousseau at gmail.com
Thu Apr 20 16:17:29 UTC 2017


2017-04-20 17:15 GMT+02:00 Florent <fdeybach at gmail.com>:

> Thanks for your answer Ludovic.
>
>
>> I suggest you to use a hardware dedicated to random number generation.
>>
>
> Yes, this is of course the main option I have in mind.
> My question remains theoretical in the event we don't trust any of the
> TRNG vendors (https://en.wikipedia.org/wiki/Comparison_of_hardware_
> random_number_generators).
> I may have more confidence in a certified card, like the JCOP 2.4.1r3
> which has been evaluated according to the AIS 31 of the BSI.
>
>
>> A smart card may be too slow for you.
>>
>
> Yes, I am aware of that. But certified TRNG are also very slow (75 kbps
> for the Quantis AIS31 for example).
> Let's just say that the time is not a issue for me :)
>
>
>> Also I am not sure that the data returned by C_GenerateRandom() always
>> comes from the smart card. It depends on the PKCS#11 library you use.
>>
>
> Yes, you're right. Thanks for the warning. In order to be sure I would
> need the source code of the PKCS#11 library, right?
>

Yes. Or you have to trust the vendor :-)


> So by the content of your answer, I presume this hasn't been
> tested/considered yet? (assuming the data comes genuinely from the internal
> generator of the card).
>

I guess that OpenSC is implementing C_GenerateRandom correctly (after a
quick review of the code).

Another option is to use the ISO 7816-4 GET CHALLENGE command [1] if your
card suport it.

Bye

[1]
http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_6_basic_interindustry_commands.aspx#chap6_15

-- 
 Dr. Ludovic Rousseau
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170420/ce525187/attachment.html>


More information about the Pcsclite-muscle mailing list