[Cryptography] FIPS 140 testing hurting secure random bit generation

Paul Hoffman paul.hoffman at vpnc.org
Wed Oct 30 10:20:11 EDT 2013


On Oct 29, 2013, at 8:59 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> On Oct 28, 2013, at 5:28 PM, dj at deadhat.com wrote:
> 
> ...
>> But the specifications (SP800-90x & FIPS 140-2) make it spectacularly hard
>> to mix in multiple sources in a compliant way. SP800-90 gives a way to mix
>> in "additional entropy" and "personalization strings", but FIPS 140-2
>> states that all sources must be authenticated. All configuring entities
>> must be authenticated. Try authenticating hardware on one end of chip
>> against hardware at the other end of the chip. It is the mother of all
>> chicken and egg problems.
> 
> Wait, the FIPS labs refuse to let you put your own stuff into those additional inputs?  

From what multiple implementers (not just Peter) have said: yes.

> More broadly to everyone: If you see problems with how the FIPS validation process plays with the DRBGs, or other problems, email a formal comment in.  

This is a somewhat absurd suggestion for two reasons:

- The NIST CMVP people have a reputation (that may or may not be deserved) for taking much longer to validate systems from boat-rockers. I have been told by implementers that their labs explicitly told them not to complain about anything during the 140-3 development process because of this.

- The folks in NIST Computer Security Division are down the hall from these people. They are writing rules for the documents generated by CSD. The people in CSD need to lead the charge for fixing the broken testing, not asking people who are already paying hundreds of thousands of dollars, and losing even more of that in delayed sales, to do the work of fixing CMVP.

This problem has been known by the CSD and CMVP people for many years. The other deep problems with the CMVP have been known for many years. Everyone looks at NIST as NIST, not as two departments. You can fix this, but we can't.

--Paul Hoffman
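The "additional entropy" and "personalization string" hooks that dj's quoted message refers to are the `personalization_string`, `additional_input` and reseed inputs of the SP 800-90A DRBGs. The block below is an added illustration, not code from this thread or from NIST: a plain HMAC_DRBG over SHA-256 (SP 800-90A Section 10.1.2) with those inputs exposed, fed with constructed byte strings standing in for a primary entropy source and a second on-chip source. It shows only the mixing mechanism; it says nothing about how a lab would treat the second source, which is the thread's actual complaint.

```python
import hmac
import hashlib

OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbg:
    """HMAC_DRBG over SHA-256 as specified in SP 800-90A, Section 10.1.2.

    Security strength is 256 bits; the prediction-resistance and health-test
    machinery of a full implementation is omitted to keep the mixing visible.
    """

    RESEED_INTERVAL = 1 << 48  # SP 800-90A maximum for HMAC_DRBG

    def __init__(self, entropy_input: bytes, nonce: bytes,
                 personalization_string: bytes = b""):
        # Instantiate: seed_material = entropy_input || nonce || personalization_string
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization_string)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: folds provided_data into the working state (K, V).
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Reseed: seed_material = entropy_input || additional_input
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        # Post-generate update uses additional_input even when it is empty.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n]


# Constructed stand-ins for two independent sources; a real device would read
# these from its noise source(s). They are NOT real entropy.
PRIMARY_ENTROPY = bytes(range(32))
NONCE = b"\x10" * 16
SECOND_SOURCE = bytes(range(32, 64))


def mix_two_sources(personalization: bytes = b"chip-id:placeholder",
                    second_source: bytes = SECOND_SOURCE) -> bytes:
    """Instantiate from the primary source, then fold the second source in
    via additional_input on a generate call, returning 32 output bytes."""
    drbg = HmacDrbg(PRIMARY_ENTROPY, NONCE, personalization)
    return drbg.generate(32, additional_input=second_source)


def reseed_with_second_source() -> bytes:
    """Alternative path: fold the second source in through reseed()."""
    drbg = HmacDrbg(PRIMARY_ENTROPY, NONCE)
    drbg.reseed(PRIMARY_ENTROPY[::-1], additional_input=SECOND_SOURCE)
    return drbg.generate(32)


if __name__ == "__main__":
    print(mix_two_sources().hex())
    print(reseed_with_second_source().hex())
```

Both `mix_two_sources` and `reseed_with_second_source` are deterministic for fixed inputs, which is what makes the construction testable against known-answer vectors; changing either the personalization string or the additional input changes the output, so a second source contributes to the state even when it is not the instantiate-time entropy.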

