secure CRNGs and FIPS (Re: How important is FIPS 140-2 Level 1 cert?)

Adam Back adam at cypherspace.org
Tue Dec 26 15:58:44 EST 2006


Anonymous wrote:
> [criticizing FIPS CRNGs]

You can make a secure CRNG that you can obtain FIPS 140 certification
on using the FIPS 186-2 appendix 3.1 (one of my clients got FIPS 140
on an implementation of the FIPS 186-2 RNG that I implemented for
general key generation and such crypto use.)

You should apply change notice 1 under the section "general purpose
random number generation", or you will be doing needless modulo q
bignum operations for general RNG use (the default, non-change-notice
modified RNG is otherwise hard-coded for DSA k value generation and
related things, 186-2 being the FIPS DSA standard doc).


Also, about continuously adding seeding: this is also provided with the
186-2 RNG via the XSEED parameter, which allows the system to add
extra entropy at any time.


About the criticisms of Common Criteria evaluation in general, I think
the reason people complain it is a documentation exercise is because pretty
much all it does is ensure that it does what it says it does.  So
basically you have to enumerate threats, state what threats the
system is designed to protect against, and which are out of scope.

Then the rest of the documentation is just saying, in increasing
detail, that you have not made mistakes in the design and
specification and to some extent implementation.


So as someone else said in the thread, as a user you need to read the
security target document section on security objectives and
assumptions, and check if they protect against attacks that are
relevant to you.

Another aspect of security targets is protection profiles.  A
protection profile is basically a sort of set of requirements for
security targets for a given type of system.  So you might get e.g. a
protection profile for hard disk encryption.  The protection profile
will be standardized on and so it makes it a bit easier for the
consumer as it's less likely the protection profile will be massaged.
(I mean the consortium or standardization body creating the protection
profile will want some security quality bar).

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
