Another Snake Oil Candidate

lists lists at
Thu Sep 13 22:31:20 EDT 2007

On 12 Sep 2007 20:18:22 -0700, Aram Perez wrote:
> I don't know about you, but when I hear terms like (please pardon my
> cynicism):

> 	"with military grade AES encryption" - Hum, I'll have to ask NIST
> about that.

AES can be permitted for use in classified environments. See And, yes, the DoD
does use AES in certain circumstances.

> > 	The encryption keys used to protect your data are generated
> > 	in hardware by a FIPS 140-2 compliant True Random Number
> As opposed to a FIPS 140-2 compliant False Random Number Generator.

While I don't understand this quibble about standard terminology, I do
note that the IronKey language is somewhat misleading. There are no
FIPS-approved non-deterministic RNGs at this point, as all of the
FIPS-approved RNGs are deterministic (pseudo) RNGs. (See It
is possible to use a non-deterministic RNG to seed a FIPS-approved PRNG,
but I don't know of anyone in the FIPS 140-2 world that claims doing so
makes the non-deterministic RNG "FIPS 140-2 compliant." 

(Also, if random data is utilized during key generation within a FIPS
140-2 module, then a FIPS-approved RNG must be utilized to generate that
data in order to meet FIPS 140-2 requirements. Since all the
FIPS-approved RNGs are PRNGs, a true RNG is not going to meet the FIPS
140-2 requirement here.)

Overall, colorful language and FIPS 140 hand-waving seem like the
marketing norm in the "security products that utilize crypto" world. I
think the language used by IronKey falls right in line with that, but I
don't get a sense of snake oil. Then again, I don't really care either.
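
The point above about a non-deterministic source seeding a deterministic generator, as an added example that is not part of the original post: a simplified HMAC_DRBG (the construction from NIST SP 800-90A, chosen here for illustration; the post names no specific algorithm), with `os.urandom` standing in for the hardware source. Every output byte is a pure function of the seed, so the only non-deterministic part of the chain is the seed itself.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Simplified HMAC_DRBG with SHA-256, following the SP 800-90A structure.
    Omits reseeding, the reseed counter and additional input."""

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        self._key = b"\x00" * 32
        self._v = b"\x01" * 32
        self._update(entropy + nonce + personalization)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        # State update: mix optional data into K and V.
        self._key = self._hmac(self._key, self._v + b"\x00" + data)
        self._v = self._hmac(self._key, self._v)
        if data:
            self._key = self._hmac(self._key, self._v + b"\x01" + data)
            self._v = self._hmac(self._key, self._v)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._v = self._hmac(self._key, self._v)
            out += self._v
        self._update()  # advance state so later calls give fresh output
        return out[:n]


def derive_key(seed: bytes, length: int = 32) -> bytes:
    """Key material as a deterministic function of the seed (hypothetical helper)."""
    return HmacDrbg(seed).generate(length)


def demo():
    fixed_seed = bytes(range(48))    # constructed seed, stands in for captured NDRNG output
    a = derive_key(fixed_seed)
    b = derive_key(fixed_seed)       # same seed: identical key
    c = derive_key(os.urandom(48))   # fresh OS entropy plays the hardware NDRNG
    return a == b, a != c


if __name__ == "__main__":
    print(demo())
```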


The Cryptography Mailing List