questions about RNGs and FIPS 140

Nicolas Williams Nicolas.Williams at
Fri Aug 27 13:58:56 EDT 2010

On Thu, Aug 26, 2010 at 02:13:46PM -0700, Eric Murray wrote:
> On Thu, Aug 26, 2010 at 11:21:35AM -0500, Nicolas Williams wrote:
> > I'm thinking of a system where a deterministic (seeded) RNG and
> > non-deterministic RNG are used to generate a seed for a deterministic
> > RNG, which is then used for the remainder of the system's operation until
> > next boot or next re-seed.  That is, the seed for the run-time PRNG
> > would be a safe combination (say, XOR) of the outputs of a FIPS 140-2
> > PRNG and a non-certifiable TRNG.
> That won't pass FIPS.  It's reasonable from a security standpoint
> (although I would use a hash instead of an XOR), but it's not FIPS 140
> certifiable.
> Since FIPS can't reasonably test the TRNG output, it can't
> be part of the output.  FIPS 140 is about guaranteeing a certain
> level of security, not maximizing security.

If the issue is that determinism is necessary during certification
testing, then it should be possible to switch off the TRNG.  If the
issue is that FIPS is braindead, well, then we're at layer 9.

(One would think that gambling systems would be required to have a TRNG
on/off switch that would be set to off for testing, then set to on, then
resin poured on it, at the end of testing, to cause it to stay on.  That
way there'd be no risk of seeds being stolen because normal operation
would render possession of those seeds useless... without also attacking
the TRNG physically.  The TRNG design should be such that physical
attacks on it would be noticeable by bystanders and physical security
monitoring.  Yes, I know, a determined engineer working at a gambling
equipment manufacturer could probably find other ways to trojan the
system anyways.)
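An added Python sketch of the seeding scheme under discussion (written for this page, not code from either poster): a deterministic generator and a TRNG are combined into the run-time seed, a switch disables the TRNG so the output is reproducible for certification testing, and a constructed fault case shows why a hash combiner is preferred over XOR. The HMAC-counter generator and all function names are hypothetical stand-ins, not an approved DRBG or anyone's real implementation.

```python
import hashlib
import hmac
import os


def drbg_bytes(seed: bytes, n: int) -> bytes:
    """Toy deterministic generator (HMAC-SHA256 in counter mode); a hypothetical
    stand-in for the FIPS 140-2 PRNG in the thread, not an approved DRBG."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def combine_xor(a: bytes, b: bytes) -> bytes:
    """XOR of two equal-length byte strings (the combiner proposed in the thread)."""
    return bytes(x ^ y for x, y in zip(a, b))


def combine_hash(a: bytes, b: bytes) -> bytes:
    """SHA-256 over both inputs, each length-prefixed so the boundary is fixed."""
    h = hashlib.sha256()
    for part in (a, b):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def runtime_seed(drbg_seed: bytes, trng_enabled: bool,
                 trng_read=os.urandom, combine=combine_hash) -> bytes:
    """Derive the 32-byte seed for the run-time PRNG.

    trng_enabled=False is the 'switch off the TRNG' mode from the thread: the
    TRNG contribution is replaced by zeros, so the result is reproducible and
    can be checked against known-answer vectors during certification testing."""
    det = drbg_bytes(drbg_seed, 32)
    nondet = trng_read(32) if trng_enabled else bytes(32)
    return combine(det, nondet)


def xor_cancels(drbg_seed: bytes) -> bool:
    """Constructed failure case: a faulty TRNG that merely echoes the DRBG output.
    With XOR the two contributions cancel to all zeros; with combine_hash the
    seed is still a fixed but non-degenerate digest."""
    det = drbg_bytes(drbg_seed, 32)
    echo = lambda n: det[:n]  # constructed fault, not a real entropy source
    return runtime_seed(drbg_seed, True, echo, combine_xor) == bytes(32)
```

With the TRNG switched off the seed depends only on the deterministic source, which is what makes a known-answer test possible; with it on, two calls never agree.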


The Cryptography Mailing List