How important is FIPS 140-2 Level 1 cert?

Ben Laurie ben at algroup.co.uk
Fri Dec 29 05:40:20 EST 2006


Thor Lancelot Simon wrote:
> On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for an entropy polling mechanism.  Then again
>> I know of some that have used it as exactly that without any problems.
> 
> This (braindamaged) requirements change was brought in by the creation of
> a Known Answer Test for the cipher-based RNG.  Prior to the addition of
> that test, one could add additional entropy by changing the seed value at
> each iteration of the generator.  But that makes it, of course, impossible
> to get Known Answers that confirm that the generator actually implements
> the standard.  So suddenly the alternate form of the generator -- in my
> opinion much less secure -- which uses a monotonically-increasing counter
> for the seed, was the only permitted form.
> 
> I have yet to hear of anyone who has found a test lab that will certify
> a generator implementation that uses the mono counter for the KAT suite
> but a random seed in normal operation.  For good reason, labs are usually
> very leery of algorithm implementations that come with a "special test
> mode".
> 
> However, you are free to change the actual key for the generator as often
> as you like.  I'm not sure why OpenSSL doesn't implement "fork protection"
> that way, for example -- or does it use the MAC-based generator instead?

No, it doesn't. Fork protection was originally implemented inside the
"FIPS boundary" - which the test lab made us remove. I guess it might be
possible to re-insert it outside the boundary, I'm not sure that
occurred to us at the time. I seem to remember there was some obstacle
to this, though, but I can't remember what it was.

While we're at it, an amusing fact I learnt about FIPS-140 while I was
implementing it for OpenSSL is that some of the Monte Carlo tests have
output that's independent of the input.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
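
The following sketch is an added example, not code from the message above or from OpenSSL. It assumes the cipher-based generator under discussion has the ANSI X9.31 structure (I = E_K(DT), R = E_K(I xor V), V = E_K(R xor I)), substitutes truncated HMAC-SHA256 for the block cipher, and models fork() as a copy of the generator state; the class name, PIDs and rekey rule are hypothetical.

```python
import copy
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes

def E(key, block):
    # Assumption: keyed stand-in for the block cipher E_K (not AES or 3DES).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CounterDTGenerator:
    """Cipher-based generator whose DT input is a monotonic counter."""

    def __init__(self, key, v, pid):
        self.key, self.v, self.dt, self.pid = key, v, 0, pid

    def next_block(self):
        i = E(self.key, self.dt.to_bytes(BLOCK, "big"))  # I = E_K(DT)
        r = E(self.key, xor(i, self.v))                  # R = E_K(I xor V)
        self.v = E(self.key, xor(r, i))                  # V = E_K(R xor I)
        self.dt += 1
        return r

    def rekey_if_forked(self, current_pid, fresh_entropy):
        # Hypothetical fork protection: change the key when the PID changes.
        if current_pid != self.pid:
            self.key = hashlib.sha256(self.key + fresh_entropy).digest()
            self.pid = current_pid

def stream(gen, n):
    return [gen.next_block() for _ in range(n)]

def demo():
    key, v = bytes(range(32)), bytes(BLOCK)  # constructed test inputs
    # Counter DT makes the output a pure function of (key, V): a KAT can pass.
    kat = stream(CounterDTGenerator(key, v, 1000), 4) == \
          stream(CounterDTGenerator(key, v, 1000), 4)
    parent = CounterDTGenerator(key, v, 1000)
    stream(parent, 2)
    child = copy.deepcopy(parent)  # models the state duplication done by fork()
    collide = stream(copy.deepcopy(parent), 4) == stream(copy.deepcopy(child), 4)
    child.rekey_if_forked(1001, os.urandom(32))   # child sees a new PID
    parent.rekey_if_forked(1000, os.urandom(32))  # same PID: key unchanged
    diverge = stream(parent, 4) != stream(child, 4)
    return {"kat_reproducible": kat, "fork_collides": collide,
            "rekey_diverges": diverge}

if __name__ == "__main__":
    print(demo())
```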


