How important is FIPS 140-2 Level 1 cert?
pgut001 at cs.auckland.ac.nz
Fri Dec 29 02:49:35 EST 2006
Thor Lancelot Simon <tls at rek.tjls.com> writes:
>On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for an entropy polling mechanism. Then again
>> I know of some that have used it as exactly that without any problems.
>This (braindamaged) requirements change was brought in by the creation of a
>Known Answer Test for the cipher-based RNG. Prior to the addition of that
>test, one could add additional entropy by changing the seed value at each
>iteration of the generator. But that makes it, of course, impossible to get
>Known Answers that confirm that the generator actually imlements the
>standard. So suddenly the alternate form of the generator -- in my opinion
>much less secure -- which uses a monotonically-increasing counter for the
>seed, was the only permitted form.
I don't know if it's the only permitted form, the KAT simply feeds in known
input and checks that the output is as required. You can feed in anything you
want, there's no need for it to be a counter. The known input just happens to
be in the form of a monotonically increasing counter (for the Variable Seed
Test (VST), these are from test vectors that NIST has published), the other
test, the Monte Carlo Test (MCT) is just a single random seed value which
isn't a counter. The values created by the NIST tool are actually rather odd
and consist of a one bit shifted down from the MSB, so you get a successively
longer string of one bits as input to the VST until all 64 bits are ones. I
have no idea why they chose these particular values.
>I have yet to hear of anyone who has found a test lab that will certify a
>generator implementation that uses the mono counter for the KAT suite but a
>random seed in normal operation.
I know of at least one and possibly two (I'd have to go back through old email
to see who did what), certified at the same time that others couldn't get
certified when doing more or less the same thing.
>However, you are free to change the actual key for the generator as often as
>you like. I'm not sure why OpenSSL doesn't implement "fork protection" that
>way, for example -- or does it use the MAC-based generator instead?
I'm not sure, I just read through the certification docs on their web site,
but they don't go into this.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography