Zurück
-
Titel
Are randomly generated passwords in Password Vault strong enough? -
Beschreibung
How is it ensured that sufficiently secure passwords are generated?
Are there any security requirements in Safeguard? -
Ursache
Certain papers suggest that generating a secure and large random number is claimed to be a problem in VM due to the missing TPM chip.
Details here: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/ZufallinVMS/Randomness-in-VMs.pdf?__blob=publicationFile&v=3 -
Lösung
The paper referred is regarding Linux, however, its conclusion at the start of the paper states “As a summary, the major finding of this study is that all assessed VMs depending on their configuration, allow Linux to obtain sufficient entropy.”.
Regardless of whether SPP is running as a VM or hardware, the password generation logic within SPP is exactly the same. We use all FIPS 140-2 certified modules from the underlying operating system. That is, we do not attempt to write our own algorithms to generate a password. We use the operating system cryptography to generate cryptographically strong random data, and then take the bytes of that data to create a password.