Flaws in OpenSSL FIPS Object Module

Joshua Hill josh-lists at untruth.org
Fri Dec 14 11:33:16 EST 2007


On Thu, Dec 13, 2007 at 08:29:47PM -0500, Thor Lancelot Simon wrote:
> In fact, I was in the middle of a FIPS-140 certification at level 2
> a number of years ago when the Known Answer Test for the X9.17 block
> cipher based PRNG was introduced.  One unanticipated side effect of
> this test was to make it impossible to actually use a clock or free
> running counter as the counter in the PRNG, since the KAT expected
> the simplistic "increment counter by 1 every time a block is extracted"
> behavior chosen by most implementers.

You may be confusing the requirements for a KAT, which is a power-up health
check on all of the deterministic components of the PRNG (which is run on
power-up and requires that you fix all the inputs to some specific known
value and verify that a known result is produced), and the requirements
for algorithm testing of your PRNG (which, for X9.17/X9.31, does require
treating DT as a monotonic counter for one portion of the test).

> Of course, that mode is _less_ secure (because the internal state is
> more predictable) than the other, but given the choice between "validate
> PRNG using special mode, run it using normal mode" or "validate PRNG
> using special mode, run it using special mode" I know I'd pretty much
> always take the latter.  

That's your choice, of course.

> In fact, the test lab we were using told us they were quite skeptical
> about the former as well.

So, did they require that you use your AES implementation using the test
fixture as well?

			Josh
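As an added illustration of the distinction drawn above (example code, not from this thread or from the OpenSSL FIPS Object Module): an AES-based X9.31 generator written so that DT is an explicit input, a power-up KAT that fixes K, V and DT to known values, and a DTBlock helper that can supply either the monotonic counter the algorithm test expects or a clock reading. The key and seed are constructed sample values, not published test vectors, so the "stored answer" is computed once at startup rather than taken from a vector file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"time"
)

// xor16 returns a XOR b for two 16-byte blocks.
func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// X931Step is one ANSI X9.31 A.2.4 iteration with AES: I = E_K(DT), R = E_K(I xor V),
// V' = E_K(R xor I). DT is an explicit input so the caller, not a clock, decides it.
func X931Step(c cipher.Block, v, dt []byte) (r, vNext []byte) {
	i, r, vNext := make([]byte, 16), make([]byte, 16), make([]byte, 16)
	c.Encrypt(i, dt)
	c.Encrypt(r, xor16(i, v))
	c.Encrypt(vNext, xor16(r, i))
	return r, vNext
}

// KnownAnswerTest is the power-up health check: K, V and DT are all fixed
// to known values and the output block must equal the stored answer.
func KnownAnswerTest(c cipher.Block, v, dt, expected []byte) bool {
	r, _ := X931Step(c, v, dt)
	return bytes.Equal(r, expected)
}

// DTBlock packs n into a DT block: a per-block counter, or a clock reading.
func DTBlock(n uint64) []byte {
	dt := make([]byte, 16)
	binary.BigEndian.PutUint64(dt[8:], n)
	return dt
}

func main() {
	key, v := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed sample
	c, _ := aes.NewCipher(key)
	r, _ := X931Step(c, v, DTBlock(1)) // stands in for the stored known answer
	fmt.Println("fixed DT:", KnownAnswerTest(c, v, DTBlock(1), r))
	fmt.Println("clock DT:", KnownAnswerTest(c, v, DTBlock(uint64(time.Now().UnixNano())), r))
}
```

With a free-running clock as DT the KAT can never match the stored answer, which is exactly why the generator has to let the test fixture inject DT.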

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com