FIPS 140-2, PRNGs, and entropy sources

Darren Lasko dlasko at ieee.org
Mon Jul 9 18:08:33 EDT 2007


On 7/8/07, Joshua Hill <josh-lists at untruth.org> wrote:
> On Sat, Jul 07, 2007 at 10:53:17PM -0600, Darren Lasko wrote:
> > 1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
> > from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)?  If
> > not, will Annex C be updated to include the PRNGs from SP 800-90?
>
> The PRNGs in SP800-90 are listed in the current Annex C (see
> item #6 on page 4; this occurred in January of this year).
> http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf
>

Hey, look at that!  I guess I should have downloaded the latest
version before posting my question... I was looking at a revision I
downloaded back in November.  Sorry for the superfluous question.

> There is no algorithm testing for the SP800-90 RNGs yet, but they are
> allowed for use in the approved mode of operation because of IG 1.10
> (http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf).  You'll also want
> to read IG 1.12, which directly pertains to the testing that is required
> to test the vendor's assertion that they have a compliant SP800-90 RNG.
>

Thank you, that's very good information.

> > 2) Does FIPS 140-2 have any requirements regarding the quality of the
> > entropy source that is used for seeding a PRNG?
>
> Yes.  The requirements imposed by FIPS 140-2
> (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)
> are in section 4.7.2:
>  "Compromising the security of the key generation method (e.g., guessing
>  the seed value to initialize the deterministic RNG) shall require at
>  least as many operations as determining the value of the generated key."
> (which would apply to any RNG output that became a key)
>
> and in section 4.7.3:
>  "Compromising the security of the key establishment method (e.g.,
>  compromising the security of the algorithm used for key establishment)
>  shall require at least as many operations as determining the value of
>  the cryptographic key being transported or agreed upon."
> (which would apply to any RNG output that is used in a security relevant
> way in a key establishment scheme)
>

Again, good information.  However, it seems pretty nebulous about how
they expect you to measure the number of operations required to
compromise the security of the key generation method.  Do you know
what kind of documentation the labs require?

SP 800-90, Appendix C.3, states that the "min-entropy" method shall be
used for estimating entropy, but this method only uses the
probabilities assigned to each possible sample value.  I'm guessing
that measuring ONLY the probabilities associated with each sample is
insufficient for assessing your entropy source.  For example, if I
obtain 1 bit per sample and I measure 50% 0's and 50% 1's, I have
"full entropy" by that measure, even if my entropy source always
produces "1010101010101010....".

Is the "NIST Statistical Test Suite" sufficient for evaluating your
entropy source, and will the certification labs accept results from
the STS as an assessment of the entropy source?

Thanks and best regards,
Darren Lasko

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
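
The "1010101010101010...." case raised in the message above, as an added example that is not part of the original post: it computes the min-entropy figure from sample-value probabilities alone and compares it with a first-order conditional estimate on the same data. The conditional estimator, the function names and the sample data are assumptions made for this illustration, not methods named in the post or in the cited standards.

```python
import math
import random
from collections import Counter


def min_entropy_per_sample(bits):
    """Min-entropy from sample-value probabilities only: log2(1 / max p(x))."""
    counts = Counter(bits)
    p_max = max(counts.values()) / len(bits)
    return math.log2(1 / p_max)


def conditional_min_entropy(bits):
    """Min-entropy of the next bit given the previous bit (worst case).

    For every observed (previous, next) pair, estimate p(next | previous)
    and take the largest value: that is how well an observer who has seen
    one bit can guess the following one.
    """
    transitions = Counter(zip(bits, bits[1:]))
    prev_totals = Counter(bits[:-1])
    p_max = max(n / prev_totals[prev] for (prev, _), n in transitions.items())
    return math.log2(1 / p_max)


def compare(bits):
    """Return (per-sample estimate, conditional estimate) in bits per sample."""
    return min_entropy_per_sample(bits), conditional_min_entropy(bits)


if __name__ == "__main__":
    # Constructed input: the alternating source described in the message.
    alternating = [1, 0] * 2048
    # Constructed comparison input from a seeded software generator; it only
    # stands in for well-behaved data and is not an entropy source.
    rng = random.Random(2007)
    reference = [rng.getrandbits(1) for _ in range(4096)]

    for name, data in (("alternating", alternating), ("reference", reference)):
        naive, cond = compare(data)
        print(f"{name:12s} per-sample={naive:.3f}  conditional={cond:.3f}")
```

The alternating stream scores a full bit per sample on the first measure and zero on the second, because each bit is fully determined by its predecessor.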


