[Info-vax] VSI has released 9.2-1

Tue Jun 20 08:29:48 EDT 2023

On 2023-06-19, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 6/19/2023 8:20 AM, Simon Clubley wrote:
>> 
>> This is not about selling new systems. This is about being a part of
>> work to make sure that existing sites don't get forced to move away
>> from VMS because VMS no longer meets the industry standard security standards.
>> 
>> You can have a nice piece of software running on VMS, but that's no
>> good unless those VMS systems are secure by modern standards. VMS systems
>> _WILL_ be dropped in many areas if they are regarded as no longer being
>> secure by today's standards.
>
> Which security standards mandate direct support for entropy generation
> in the OS?
>

You can also do it using external devices, which has been the only option
for VMS until now, because the goal is to be able to meet a set of
specified standards.

>>> The OpenSSL maintainers may be happy that they get better entropy
>>> with less code.
>> 
>> Replace "better entropy" with "now-acceptable entropy".
>
> Who is saying that current OpenSSL way is no longer acceptable?
>

OpenSSL on VMS, not OpenSSL in general.

>>                                                      The new entropy
>> engine running within the kernel offers a brand-new capability for VMS
>> that is considered to be standard elsewhere.
>> 
>> To put this another way, the previous solutions for generating entropy
>> within user mode that I am aware of were not suitable by today's standards.
>
> So you say.
>
> I would really like to get some sources.
>

Fair enough. The current standards are the NIST SP 800-90 series of
standards:

https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final
https://csrc.nist.gov/publications/detail/sp/800-90b/final
https://csrc.nist.gov/publications/detail/sp/800-90c/draft

In each case, the actual standard can be found in the top right of the
page, under the "Publication:" section.

However, since they can be hard to follow in certain parts, here is
a much more readable introduction-level document from Red Hat discussing
these issues from a Linux point of view:

https://www.redhat.com/en/blog/understanding-random-number-generators-and-their-limitations-linux

Look at the sources Linux is using for the entropy pool. You can't duplicate
that in user mode without access to a kernel module (and underlying OS
support) to help you.

>> Look at previous discussions here about trying to find sources to get
>> a bit more entropy while running in user mode.
>
> The topic has been discussed.
>
> And the maintainer of the OpenSSL VMS code has indeed asked
> some questions.
>
> But I do not remember him saying that the current code was
> not acceptable.
>
> > Maybe I am seeing something here you are missing ?
>
> Possible. I miss a lot of things. So just post links
> to the standards, best practice documents etc. specifying
> the need for direct OS entropy.
>

The NIST and earlier standards specify a series of requirements. You can't
meet those requirements in a software-based solution without kernel support
to get direct access to the entropy sources.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.