Via puts RNGs on new processors

Arnold G. Reinhold reinhold at world.std.com
Wed Apr 9 12:36:35 EDT 2003


At 4:22 PM -0700 4/8/03, Joshua Hill wrote:
>On Tue, Apr 08, 2003 at 04:24:27PM -0400, Anton Stiglic wrote:
>>
>>  In fact to be a bit more precise, for FIPS 140-2  level 3 the module
>>  needs to provide a call for the statistical tests, and it may automatically
>>  start the tests on power up. For FIPS 140-2 level 4, the module must
>>  execute the statistical tests on power up.
>
>This was the case for the initial version of the standard (as well as FIPS
>140-1), but this requirement has since been dropped.  (as of Dec 3, 2002)
>
>There are no longer any power on or user initiated statistical tests
>required by FIPS 140-2.  The testing lab still needs to perform some
>tests while testing the module, but that's the extent of it.
>

The FIPS-140 tests failed if they found excessive deviations from 
perfect randomness. That's overkill for detecting most hardware 
failures, say all output stuck on, and fails to address the real 
danger: someone substituting a PRNG seeded from a small set of values 
known to the attacker. A substitution could be effected through a 
trap door in the CPU microcode, the operating system or by a worm. 
Designed properly, such a PRNG would pass the FIPS-140 statistical 
tests with flying colors.

One nice feature of the VIA TRNG is that hardware whitening can be 
disabled. This facilitates testing for deviations from randomness 
that would be expected from the underlying design, particularly 
deviations that can be correlated with physical properties like chip 
temperature and supply voltage.  Output that appeared perfect would 
be suspect.

Of course any behavior can be faked with enough resources, so at best 
a CPU TRNG should be used as one more input to a randomness generator.

Arnold Reinhold
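As an added illustration of the point made above (example code written for this page, not from the post or from VIA): the four FIPS 140-2 (2001) power-up statistical tests, run against a constructed "trap door" generator whose only entropy is a 4-bit seed. The generator and the seed size are assumptions chosen for the demonstration; the test thresholds are the published FIPS 140-2 values.

```python
import hashlib

# Constructed trap-door generator (not from the post): SHA-256 in counter mode,
# keyed by a seed drawn from only 16 values. Anyone who knows the seed set can
# reproduce every output bit, yet the stream is statistically unremarkable.
def trapdoor_bits(seed, nbits=20000):
    assert 0 <= seed < 16
    out, counter = [], 0
    while len(out) < nbits:
        block = hashlib.sha256(bytes([seed]) + counter.to_bytes(4, "big")).digest()
        out.extend((b >> i) & 1 for b in block for i in range(8))
        counter += 1
    return out[:nbits]

def fips_140_2_tests(bits):
    """FIPS 140-2 (2001) monobit, poker, runs and long-run tests on 20,000 bits."""
    assert len(bits) == 20000
    result = {}
    # Monobit: the number of ones must satisfy 9725 < X < 10275
    result["monobit"] = 9725 < sum(bits) < 10275
    # Poker: 5000 contiguous nibbles; X = (16/5000) * sum(f_i^2) - 5000, 2.16 < X < 46.17
    freq = [0] * 16
    for i in range(0, 20000, 4):
        freq[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = 16 / 5000 * sum(f * f for f in freq) - 5000
    result["poker"] = 2.16 < x < 46.17
    # Runs: maximal runs of each bit value, bucketed by length (6 means 6 or more)
    bounds = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}
    runs, longest, i = {0: [0] * 7, 1: [0] * 7}, 0, 0
    while i < 20000:
        j = i
        while j < 20000 and bits[j] == bits[i]:
            j += 1
        longest = max(longest, j - i)
        runs[bits[i]][min(j - i, 6)] += 1
        i = j
    result["runs"] = all(lo <= runs[v][k] <= hi
                         for v in (0, 1) for k, (lo, hi) in bounds.items())
    # Long run: any run of 26 or more identical bits fails
    result["long_run"] = longest < 26
    return result

def passes_all(bits):
    return all(fips_140_2_tests(bits).values())

if __name__ == "__main__":
    print("stuck-at-one output passes:", passes_all([1] * 20000))
    print("trap-door seeds passing:", sum(passes_all(trapdoor_bits(s)) for s in range(16)), "of 16")
```

The stuck-at-one stream is caught, but every 16-value trap-door seed produces a stream the tests accept, which is why the tests are no defense against a substituted generator and why the output should be treated as one input among several.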

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
