Welcome to the Internet, here's your private key

Joshua Hill josh at untruth.org
Tue Feb 5 19:37:54 EST 2002


On Wed, Feb 06, 2002 at 10:06:46AM +1100, Greg Rose wrote:
> At this point I am detecting a pattern... So, I'm afraid it isn't true that 
> it will pick up even these simple linear sequences. (An LFSR of length 12 
> only generates 4095 bits, repeated about 5 times!) I find this less 
> surprising, actually. LFSR output "looks" random in some more fundamental 
> sense.

The FIPS 140 statistical tests are not designed to be used to test the
'goodness' of a design.  (That is not what the self-tests in a FIPS
module are there for, in general.)  It is assumed that the implemented
PRNG (Deterministic RNG in FIPS 140-2 parlance) has been evaluated to
verify that it is one of the approved algorithms.  These algorithms
have already undergone extensive design analysis, including extensive
statistical analysis.

In a FIPS module, the statistical random number generator tests
are present to verify that nothing has gone horribly, horribly awry.
Think of it as one step better than the continuous random number generator
conditional test (which, BTW, will pass outputs that simply alternate
between two values).

Ok, so what about _true_ RNGs? (Non-Deterministic RNGs, in FIPS 140-2
parlance)  Well, you're only allowed to use "approved" designs to produce
keys and provide inputs to key exchange/agreement protocols.  (Note that
the _design_ analysis has to occur as a separate process leading up to
the design's approval.) At the moment, there aren't any approved designs.
(Ok, in truth, there just aren't any publicly available.  You are allowed
to use any Non-Deterministic RNG approved for Classified use.)

If you're trying to do a _design_ analysis, you need to use a set of
tests considerably more extensive than the FIPS 140 Statistical tests.
If you're just testing to see if your particular piece of hardware has
failed, it works reasonably well.

				Josh

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
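To make the distinction in the message concrete, here is an added example (not code from the original post, nor from any FIPS module): an implementation of the four FIPS 140-2 power-up statistical tests over a 20,000-bit sample (monobit, poker, runs, long run) and of the continuous RNG test, run over a length-12 LFSR like the one Greg Rose tried and over output that simply alternates between two values. The LFSR taps (12, 11, 10, 4) and seed, the 16-bit block size for the continuous test and the two alternating words are assumptions made for the example; the pass intervals are the ones FIPS 140-2 section 4.9.1 gives for a 20,000-bit sample.

```python
"""FIPS 140-2 power-up statistical tests and the continuous RNG test.

Added example; not the original post's or any FIPS module's code.  The
thresholds are the 20,000-bit intervals from FIPS 140-2 section 4.9.1.
The LFSR taps (12,11,10,4), the seed and the 16-bit block size are assumptions.
"""
from typing import Dict, List, Tuple

SAMPLE_BITS = 20_000
BLOCK_BITS = 16          # assumed output block size for the continuous test

# Monobit and poker are open intervals, runs intervals are inclusive,
# and no run may reach LONG_RUN bits.
MONOBIT_RANGE = (9725, 10275)
POKER_RANGE = (2.16, 46.17)
RUNS_RANGES = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
               4: (240, 384), 5: (103, 209), 6: (103, 209)}  # 6 means "6 or longer"
LONG_RUN = 26


def lfsr_step(state: int, taps: List[int]) -> int:
    """One clock of a Fibonacci LFSR; taps are polynomial exponents, max(taps) is the width."""
    width = max(taps)
    fb = 0
    for t in taps:
        fb ^= (state >> (width - t)) & 1
    return (state >> 1) | (fb << (width - 1))


def lfsr_bits(taps: List[int], seed: int, n: int) -> List[int]:
    """n output bits of the LFSR (the least significant state bit is the output)."""
    state, out = seed, []
    for _ in range(n):
        out.append(state & 1)
        state = lfsr_step(state, taps)
    return out


def lfsr_period(taps: List[int], seed: int) -> int:
    """Clocks until the state returns to the (non-zero) seed."""
    state, steps = lfsr_step(seed, taps), 1
    while state != seed:
        state, steps = lfsr_step(state, taps), steps + 1
    return steps


def blocks_to_bits(blocks: List[int]) -> List[int]:
    """Expand BLOCK_BITS-wide words into a bit list, most significant bit first."""
    return [(w >> (BLOCK_BITS - 1 - i)) & 1 for w in blocks for i in range(BLOCK_BITS)]


def run_lengths(bits: List[int]) -> List[Tuple[int, int]]:
    """Maximal runs of the sample as (bit value, length) pairs."""
    runs_found, cur, length = [], bits[0], 1
    for b in bits[1:]:
        if b == cur:
            length += 1
        else:
            runs_found.append((cur, length))
            cur, length = b, 1
    runs_found.append((cur, length))
    return runs_found


def monobit(bits: List[int]) -> Tuple[bool, int]:
    ones = sum(bits)
    return MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1], ones


def poker(bits: List[int]) -> Tuple[bool, float]:
    counts = [0] * 16          # frequency of each non-overlapping 4-bit segment
    for i in range(0, SAMPLE_BITS, 4):
        counts[(bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return POKER_RANGE[0] < x < POKER_RANGE[1], x


def runs(bits: List[int]) -> Tuple[bool, Dict[int, Dict[int, int]]]:
    table = {0: {k: 0 for k in RUNS_RANGES}, 1: {k: 0 for k in RUNS_RANGES}}
    for value, length in run_lengths(bits):
        table[value][min(length, 6)] += 1
    ok = all(lo <= table[v][k] <= hi for v in (0, 1) for k, (lo, hi) in RUNS_RANGES.items())
    return ok, table


def long_run(bits: List[int]) -> Tuple[bool, int]:
    longest = max(length for _, length in run_lengths(bits))
    return longest < LONG_RUN, longest


def fips_statistical_tests(bits: List[int]) -> Dict[str, bool]:
    """Verdict of each power-up statistical test on one 20,000-bit sample."""
    assert len(bits) == SAMPLE_BITS
    return {"monobit": monobit(bits)[0], "poker": poker(bits)[0],
            "runs": runs(bits)[0], "long_run": long_run(bits)[0]}


def continuous_test(blocks: List[int]) -> bool:
    """FIPS 140-2 4.9.2: the first block is only saved; each later block must differ from its predecessor."""
    return all(cur != prev for prev, cur in zip(blocks, blocks[1:]))


if __name__ == "__main__":
    TAPS, SEED = [12, 11, 10, 4], 0xACE          # assumed primitive taps and seed
    print("LFSR period:", lfsr_period(TAPS, SEED))
    print("LFSR tests: ", fips_statistical_tests(lfsr_bits(TAPS, SEED, SAMPLE_BITS)))
    # Constructed output that simply alternates between two values.
    alternating = [0xAAAA, 0x5555] * (SAMPLE_BITS // BLOCK_BITS // 2)
    print("alternating, continuous test:", continuous_test(alternating))
    print("alternating, statistical tests:", fips_statistical_tests(blocks_to_bits(alternating)))
```

Running it shows the alternating stream sailing through the continuous test while failing the poker and runs tests, which is the "one step better" the message refers to. The LFSR's monobit and long-run results are what an m-sequence gives by construction (balanced ones, no run longer than the register); its poker and runs verdicts are worth inspecting yourself, and whatever they say, none of these tests asks whether the generator is predictable, which is the design question the message says they were never meant to answer.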