questions about RNGs and FIPS 140

Joshua Hill josh-lists at untruth.org
Fri Aug 27 14:38:32 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:
>Would it be possible to combine a FIPS 140-2 PRNG with a TRNG such that
>testing and certification could be feasible?

On Fri, Aug 27, 2010 at 07:20:06PM +1200, Peter Gutmann responded:
> No.  If you choose your eval lab carefully you can sneak in a TRNG
> somewhere as input to your PRNG

Peter, I'm sorry, but this dances on the edge of "obviously factually
incorrect".  Could there be some lab / tester who doesn't like just
about everything?  I suppose so, but that's more a consequence of the
somewhat bizarre FIPS 140 testing arrangement than what NIST thinks the
standard says.

The fact is that all of the approved deterministic RNGs have places that
you are expected to use to seed the generator.  The text of the standard
explicitly states that you can use non-approved non-deterministic RNGs
to seed your approved deterministic RNG.

It's an even better situation if you look at the modern deterministic RNGs
described in NIST SP800-90. (You'll want to use these, anyway.  They are
better designs and last I heard, NIST was planning on retiring the other
approved deterministic RNGs.) Every design in SP800-90 requires that your
initial seed is appropriately large and unpredictable, and the designs all
allow (indeed, require!) periodic reseeding in similarly reasonable ways.

Nicolas Williams <Nicolas.Williams at oracle.com> writes:
>I'm thinking of a system where a deterministic (seeded) RNG and non-
>deterministic RNG are used to generate a seed for a deterministic RNG

This is explicitly allowed within the standard.  You will have to
argue that the strength of this seed is appropriate to support the key
generation that you perform.  To be clear, there are other requirements
(continuous RNG test, etc), but the basic idea you outlined is directly
allowed by the text of the standard.

On Fri, Aug 27, 2010 at 07:20:06PM +1200, Peter Gutmann wrote:
> That's the sensible way of doing it, but will probably be disallowed 
> by the FIPS lab.  

From the second paragraph of section 4.7.1 in FIPS 140-2:
   "Commercially available nondeterministic RNGs may be used for
    the purpose of generating seeds for Approved deterministic RNGs."

Josh
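Added example, not code from this thread or from any of the posters: the arrangement Josh describes, a SP 800-90 deterministic generator (HMAC_DRBG over SHA-256) instantiated and periodically reseeded from a non-deterministic source, with the source passed through a FIPS 140-2 style continuous RNG test. `os.urandom` stands in for the hardware TRNG, and the reseed interval of 1000 requests is an illustrative assumption chosen so the reseed path is exercised.

```python
import hmac, hashlib, os

class ContinuousRngTest:
    """FIPS 140-2 4.9.2 style check: every new block from the source must differ
    from the previous block, otherwise the source is treated as stuck."""
    def __init__(self, source, block_size=16):
        self.source, self.block_size = source, block_size
        self.last = source(block_size)  # first block is only stored, never output
    def read(self, n):
        out = b""
        while len(out) < n:
            block = self.source(self.block_size)
            if block == self.last:
                raise RuntimeError("continuous RNG test failed: repeated block")
            self.last = block
            out += block
        return out[:n]

class HmacDrbg:
    """SP 800-90A HMAC_DRBG (SHA-256); entropy comes from an external source."""
    def __init__(self, entropy, nonce=b"", personalization=b"", reseed_interval=1000):
        self.K, self.V = b"\x00" * 32, b"\x01" * 32  # initial K and V per the spec
        self._update(entropy + nonce + personalization)  # seed_material
        self.reseed_counter, self.reseed_interval = 1, reseed_interval
    def _mac(self, data):
        return hmac.new(self.K, data, hashlib.sha256).digest()
    def _update(self, provided=b""):  # HMAC_DRBG_Update
        self.K = self._mac(self.V + b"\x00" + provided)
        self.V = self._mac(self.V)
        if provided:
            self.K = self._mac(self.V + b"\x01" + provided)
            self.V = self._mac(self.V)
    def reseed(self, entropy, additional=b""):  # fresh TRNG output mixes in here
        self._update(entropy + additional)
        self.reseed_counter = 1
    def generate(self, n, additional=b""):
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")  # caller must call reseed()
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self.V = self._mac(self.V)
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:n]

def build_drbg(trng=os.urandom):  # os.urandom stands in for the TRNG (assumption)
    tested = ContinuousRngTest(trng)
    return HmacDrbg(tested.read(32), nonce=tested.read(16)), tested
```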
