Flaws in OpenSSL FIPS Object Module

Joshua Hill josh-lists at untruth.org
Fri Dec 14 11:33:16 EST 2007

On Thu, Dec 13, 2007 at 08:29:47PM -0500, Thor Lancelot Simon wrote:
> In fact, I was in the middle of a FIPS-140 certification at level 2
> a number of years ago when the Known Answer Test for the X9.17 block
> cipher based PRNG was introduced.  One unanticipated side effect of
> this test was to make it impossible to actually use a clock or free
> running counter as the counter in the PRNG, since the KAT expected
> the simplistic "increment counter by 1 every time a block is extracted"
> behavior chosen by most implementers.

You may be confusing the requirements for a KAT, which is a power-up health
check on all of the deterministic components of the PRNG (which is run on
power-up and requires that you fix all the inputs to some specific known
value and verify that a known result is produced) and the requirements
for algorithm testing of your PRNG (which for X9.17/X9.31, does require
treating DT as a monotonic counter for one portion of the test).

> Of course, that mode is _less_ secure (because the internal state is
> more predictable) than the other, but given the choice between "validate
> PRNG using special mode, run it using normal mode" or "validate PRNG
> using special mode, run it using special mode" I know I'd pretty much
> always take the latter.  

That's your choice, of course.

> In fact, the test lab we were using told us they were quite skeptical
> about the former as well.

So, did they require that you use your AES implementation using the test
fixture as well?

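The distinction drawn in the reply above, a power-up KAT that fixes every input (K, V and DT) and compares against a stored answer versus ordinary operation where DT advances per block, as an added Go example; this is not code from the original post, from OpenSSL's FIPS Object Module, or from any test lab. It assumes an AES-128 generator following the X9.31 Appendix A.2.4 recurrence (I = E_K(DT), R = E_K(I xor V), V = E_K(R xor I)) with DT supplied by a pluggable source. The names X931, FixedDT, CounterDT, KnownAnswerTest and fromHex are this example's own, and the stored known answer is constructed here from the SP 800-38A ECB-AES128 vectors rather than taken from any official X9.31 test suite: V was chosen so that I xor V equals the second SP 800-38A plaintext, so R must be the second ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// X931 is an ANSI X9.31 (Appendix A.2.4) style generator over AES-128. DT comes
// from a caller-chosen source, so the same code runs with a fixed DT (KAT) or an advancing one.
type X931 struct {
	blk cipher.Block
	v   []byte        // current seed value V
	dt  func() []byte // yields the 16-byte date/time vector for the next block
}

func NewX931(key, seed []byte, dt func() []byte) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, v: append([]byte(nil), seed...), dt: dt}, nil
}

func xor16(a, b []byte) []byte {
	out := make([]byte, aes.BlockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Block returns one 16-byte output R and advances V.
func (g *X931) Block() []byte {
	i := make([]byte, aes.BlockSize)
	g.blk.Encrypt(i, g.dt()) // I = E_K(DT)
	r := xor16(i, g.v)
	g.blk.Encrypt(r, r) // R = E_K(I ^ V)
	g.v = xor16(r, i)
	g.blk.Encrypt(g.v, g.v) // V = E_K(R ^ I)
	return r
}

// FixedDT feeds the same DT every block, as a power-up KAT requires.
func FixedDT(dt []byte) func() []byte {
	return func() []byte { return dt }
}

// CounterDT feeds a big-endian counter stepped by one per block, the
// "increment by 1 every time a block is extracted" convention.
func CounterDT(start []byte) func() []byte {
	ctr := append([]byte(nil), start...)
	return func() []byte {
		cur := append([]byte(nil), ctr...)
		for i := len(ctr) - 1; i >= 0; i-- {
			if ctr[i]++; ctr[i] != 0 {
				break
			}
		}
		return cur
	}
}

func fromHex(s string) []byte {
	b, _ := hex.DecodeString(s) // constants below are valid hex
	return b
}

// Stored KAT answer, constructed from the SP 800-38A ECB-AES128 vectors (not an
// official X9.31 vector): V is chosen so I ^ V is the second plaintext, hence R is
// the second ciphertext.
var (
	katKey = fromHex("2b7e151628aed2a6abf7158809cf4f3c")
	katDT  = fromHex("6bc1bee22e409f96e93d7e117393172a")
	katV   = fromHex("94faf1e313799afc3629a55f61c961c6")
	katR   = fromHex("f5d3d58503b9699de785895a96fdbaaf")
)

// KnownAnswerTest fixes every input and compares the first block to the answer.
func KnownAnswerTest() error {
	g, err := NewX931(katKey, katV, FixedDT(katDT))
	if err != nil {
		return err
	}
	if got := g.Block(); !bytes.Equal(got, katR) {
		return fmt.Errorf("X9.31 KAT failed: got %x want %x", got, katR)
	}
	return nil
}

func main() {
	if err := KnownAnswerTest(); err != nil {
		panic(err) // a FIPS module would enter its error state here
	}
	g, _ := NewX931(katKey, katV, CounterDT(katDT)) // normal mode: DT advances
	fmt.Printf("normal mode, first two blocks: %x %x\n", g.Block(), g.Block())
}
```

Because the DT source is injected, the KAT can be run with a fixed DT even when the deployed generator drives DT from a clock or free-running counter; the KAT exercises the deterministic cipher and feedback path, and the choice of DT source in normal operation is a separate decision.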
