How important is FIPS 140-2 Level 1 cert?
Ben Laurie
ben at algroup.co.uk
Fri Dec 29 05:40:20 EST 2006
Thor Lancelot Simon wrote:
> On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for an entropy polling mechanism. Then again
>> I know of some that have used it as exactly that without any problems.
>
> This (braindamaged) requirements change was brought in by the creation of
> a Known Answer Test for the cipher-based RNG. Prior to the addition of
> that test, one could add additional entropy by changing the seed value at
> each iteration of the generator. But that makes it, of course, impossible
> to get Known Answers that confirm that the generator actually implements
> the standard. So suddenly the alternate form of the generator -- in my
> opinion much less secure -- which uses a monotonically-increasing counter
> for the seed, was the only permitted form.
>
> I have yet to hear of anyone who has found a test lab that will certify
> a generator implementation that uses the mono counter for the KAT suite
> but a random seed in normal operation. For good reason, labs are usually
> very leery of algorithm implementations that come with a "special test
> mode".
>
> However, you are free to change the actual key for the generator as often
> as you like. I'm not sure why OpenSSL doesn't implement "fork protection"
> that way, for example -- or does it use the MAC-based generator instead?
No, it doesn't. Fork protection was originally implemented inside the
"FIPS boundary" - which the test lab made us remove. I guess it might be
possible to re-insert it outside the boundary, I'm not sure that
occurred to us at the time. I seem to remember there was some obstacle
to this, though, but I can't remember what it was.
While we're at it, an amusing fact I learnt about FIPS-140 while I was
implementing it for OpenSSL is that some of the Monte Carlo tests have
output that's independent of the input.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
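The generator shape the thread argues over, as an added example that is not part of Ben's post, of the quoted messages, or of OpenSSL's code. It assumes the X9.31 structure (I = E_K(DT), R = E_K(I xor V), V = E_K(R xor I)) and uses HMAC-SHA256 as a stand-in for the block cipher E_K; the key, seed and counter values are constructed, not real KAT vectors. It shows why a monotonic-counter DT admits a Known Answer Test while mixing fresh entropy into DT at each iteration does not, and that changing the key (which the counter-DT rule leaves free) is what makes two post-fork copies diverge.

```python
import hashlib
import hmac
import os

BLOCK = 32  # width of the stand-in "block cipher" output, in bytes


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(block): HMAC-SHA256 used as a keyed pseudorandom function.
    A real X9.31 generator uses a block cipher here; only the structure matters."""
    return hmac.new(key, block, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class X931StyleGenerator:
    """Cipher-based generator in the X9.31 shape (assumed structure):
        I = E_K(DT);  R = E_K(I xor V);  V = E_K(R xor I)
    DT is the per-iteration 'seed' the thread argues about (counter vs. random),
    V is the chaining state, K is the key, which may be changed at any time."""

    def __init__(self, key: bytes, seed_v: bytes):
        self.key = key
        self.v = seed_v

    def next_block(self, dt: bytes) -> bytes:
        i = prf(self.key, dt)
        r = prf(self.key, xor(i, self.v))
        self.v = prf(self.key, xor(r, i))
        return r

    def rekey(self, new_key: bytes) -> None:
        self.key = new_key


def counter_dt(n: int) -> bytes:
    """Monotonically increasing DT: the only form a fixed KAT vector can pin down."""
    return n.to_bytes(BLOCK, "big")


# Constructed inputs for illustration only (not real KAT vectors).
KAT_KEY = bytes(range(32))
KAT_SEED = bytes(32)


def kat_reproducible(n_blocks: int = 4) -> bool:
    """Fixed key, fixed V and counter DT: two independent instances emit the
    same blocks, so a Known Answer Test against stored output is possible."""
    a = X931StyleGenerator(KAT_KEY, KAT_SEED)
    b = X931StyleGenerator(KAT_KEY, KAT_SEED)
    return all(a.next_block(counter_dt(n)) == b.next_block(counter_dt(n))
               for n in range(n_blocks))


def random_dt_reproducible(n_blocks: int = 4) -> bool:
    """Fresh entropy in DT at every iteration (the form the thread calls more
    secure): output is no longer reproducible, so no fixed KAT vector fits."""
    a = X931StyleGenerator(KAT_KEY, KAT_SEED)
    b = X931StyleGenerator(KAT_KEY, KAT_SEED)
    return all(a.next_block(os.urandom(BLOCK)) == b.next_block(os.urandom(BLOCK))
               for _ in range(n_blocks))


def fork_protection_by_rekey(n_blocks: int = 4) -> tuple:
    """Model fork(): parent and child start with byte-identical generator state.
    Untouched, they emit the same stream; rekeying the child with fresh entropy
    (permitted even under the counter-DT rule) makes the streams diverge."""
    parent = X931StyleGenerator(KAT_KEY, KAT_SEED)
    child = X931StyleGenerator(KAT_KEY, KAT_SEED)
    before = all(parent.next_block(counter_dt(n)) == child.next_block(counter_dt(n))
                 for n in range(n_blocks))
    child.rekey(os.urandom(32))  # child derives a new key after fork
    after = all(parent.next_block(counter_dt(n)) != child.next_block(counter_dt(n))
                for n in range(n_blocks, 2 * n_blocks))
    return before, after


if __name__ == "__main__":
    print("counter DT reproducible:", kat_reproducible())
    print("random DT reproducible:", random_dt_reproducible())
    print("identical before rekey, divergent after:", fork_protection_by_rekey())
```

The three functions isolate the tension in the quoted exchange: the KAT constrains DT, not K, so a module that wants a deterministic self-test and still wants per-process state separation has to get it by rekeying rather than by reseeding.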
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com