Use of TPM chip for RNG?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 5 06:50:11 EDT 2006


Thor Lancelot Simon <tls at rek.tjls.com> writes:
>On Mon, Jul 03, 2006 at 10:41:05AM -0600, Anne & Lynn Wheeler wrote:
>> however, at least some of the TPM chips have RNGs that have some level
>> of certification (although you might have to do some investigation to
>> find out what specific chip is being used for TPM).
>
>See one of the examples in my other message today in this thread (subject
>changed as an aid to new readers) for an example of why you should *not*
>trust such certifications as evidence that the RNG is any good.
>
>Summary: I have encountered one such RNG that was FIPS-140 certified as a
>Deterministic RNG but whose "hardware" inputs the vendor refused to disclose,
>which I find extremely suspicious.  It is possible to get a DRNG certified
>without careful analysis of what its input is; I have personally seen this
>happen and heard of more instances even after NIST gave specific guidance to
>the contrary.

Exactly.  The FIPS 140 (strictly speaking X9.17/X9.31 PRNG) tests test a
generator's determinism, not its nondeterminism.  In other words they generate
a set of input/output pairs from a known-good generator and then make sure
that the generator being certified produces the same output.  Actually getting
nondeterminism into the process is quite tricky, and involves extremely
careful and creative reinterpretation of the "DT vector" (date-and-time)
input.  The non-creatively-interpreted generator depends for its strength
entirely on the key chosen for the PRNG.  If it's constant across all devices,
it'll pass the certification but its strength will be close to zero.

Peter.
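To make the point above concrete, here is an added example (not code from the thread or from any TPM vendor): a minimal X9.31-style generator in Go, with AES-128 standing in for the original 3DES, whose only per-block input is the DT vector. Running Stream twice with the same key, seed and timestamp reproduces the blocks exactly, which is all a known-answer determinism test checks; nothing in the construction makes two devices differ unless the key, seed or DT does. Type and function names, the key and seed values and the DT encoding are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// X931 is a minimal ANSI X9.31-style generator on AES-128 (constructed
// illustration): I = E_K(DT); R = E_K(I xor V); V' = E_K(R xor I).
type X931 struct {
	blk cipher.Block
	v   [16]byte // seed state V
}

func xor16(a, b [16]byte) (out [16]byte) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return
}

// Next returns one output block R for the supplied DT vector and updates V.
func (g *X931) Next(dt [16]byte) (r [16]byte) {
	var i [16]byte
	g.blk.Encrypt(i[:], dt[:])
	t := xor16(i, g.v)
	g.blk.Encrypt(r[:], t[:])
	t = xor16(r, i)
	g.blk.Encrypt(g.v[:], t[:])
	return r
}

// Stream runs a fresh generator for n blocks. DT is a coarse timestamp plus
// counter (constructed encoding): the only per-block input, and guessable.
// Two devices sharing key and seed, or an observer who knows them, get the
// same blocks; only a secret, per-device key or a genuinely random DT helps.
func Stream(key, seed [16]byte, t0 uint64, n int) [][16]byte {
	blk, _ := aes.NewCipher(key[:]) // a 16-byte key cannot fail here
	g := &X931{blk: blk, v: seed}
	out := make([][16]byte, n)
	for i := range out {
		var dt [16]byte
		binary.BigEndian.PutUint64(dt[:8], t0)
		binary.BigEndian.PutUint64(dt[8:], uint64(i))
		out[i] = g.Next(dt)
	}
	return out
}
```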

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
