How important is FIPS 140-2 Level 1 cert?
Thor Lancelot Simon
tls at rek.tjls.com
Wed Dec 27 14:10:10 EST 2006
On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>
> In addition I've heard of evaluations where the generator is required to use a
> monotonically increasing counter (clock value) as the seed, so you can't just
> use the PRNG as a postprocessor for an entropy polling mechanism. Then again
> I know of some that have used it as exactly that without any problems.
This (braindamaged) requirements change was brought in by the creation of
a Known Answer Test for the cipher-based RNG. Prior to the addition of
that test, one could add additional entropy by changing the seed value at
each iteration of the generator. But that makes it, of course, impossible
to get Known Answers that confirm that the generator actually imlements
the standard. So suddenly the alternate form of the generator -- in my
opinion much less secure -- which uses a monotonically-increasing counter
for the seed, was the only permitted form.
I have yet to hear of anyone who has found a test lab that will certify
a generator implementation that uses the mono counter for the KAT suite
but a random seed in normal operation. For good reason, labs are usually
very leery of algorithm implementations that come with a "special test
mode".
However, you are free to change the actual key for the generator as often
as you like. I'm not sure why OpenSSL doesn't implement "fork protection"
that way, for example -- or does it use the MAC-based generator instead?
Thor
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list