questions about RNGs and FIPS 140

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Aug 28 03:01:18 EDT 2010


Joshua Hill <josh-lists at untruth.org> writes:

>Peter, I'm sorry, but this dances on the edge of "obviously factually
>incorrect".  Could there be some lab / tester who doesn't like just about
>everything?  I suppose so, but that's more a consequence of the somewhat
>bizarre FIPS 140 testing arrangement than what NIST thinks the standard says.

What matters to someone getting something evaluated isn't what NIST thinks or
what one person's interpretation of the standard says, but what the lab does
and doesn't allow.  Since what I reported is based on actual evaluations
(rather than what NIST thinks), how can it be "factually incorrect"?

>The fact is that all of the approved deterministic RNGs have places that you
>are expected to use to seed the generator.  The text of the standard
>explicitly states that you can use non-approved non-deterministic RNGs to
>seed your approved deterministic RNG.

Yup, and if you look at some of the generators you'll see things like the use
of a date-and-time vector DT in the X9.17/X9.30 generator, which was the
specific example I gave earlier of sneaking in seeding via the date-and-time.
Unfortunately one lab caught that and required that the DT vector really be a
date and time, specifically the 64-bit big-endian output of time(), the
Security 101 counterexample for how to seed an RNG.

In summary it doesn't matter what the standard says, it matters what the labs
require, and that can be (a) often arbitrary and (b) contrary to what would
generally be regarded as good security practice.

Peter.
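As an added illustration (not part of the original post, and not code from any evaluated product): a sketch of the X9.17-style generator step, showing how little a DT vector contributes when it is only the 64-bit big-endian output of time(). HMAC-SHA256 truncated to 64 bits stands in for the block cipher E_K, and the key, seed, timestamp and cloned-state scenario are constructed assumptions.

```python
import hashlib, hmac, math, os, struct

def E(key: bytes, block: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 64 bits stands in for the
    # generator's block cipher E_K so the example runs on the stdlib alone.
    return hmac.new(key, block, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def dt_from_time(t: int) -> bytes:
    # The DT form described in the post: 64-bit big-endian time() value.
    return struct.pack(">Q", t)

def generate(key: bytes, v: bytes, dts: list) -> list:
    # X9.17-style step per output block:
    #   I = E_K(DT); R = E_K(I xor V); V = E_K(R xor I)
    out = []
    for dt in dts:
        i = E(key, dt)
        r = E(key, xor(i, v))
        v = E(key, xor(r, i))
        out.append(r)
    return out

def dt_entropy_bits(window_seconds: int) -> float:
    # Upper bound on what DT adds if the time is known to within the window.
    return math.log2(window_seconds)

# Constructed state shared by two clones (e.g. a restored VM snapshot).
KEY = bytes(range(16))
SEED_V = bytes(8)
NOW = 1282978878  # constructed timestamp

def clones_agree(dts_a: list, dts_b: list) -> bool:
    return generate(KEY, SEED_V, dts_a) == generate(KEY, SEED_V, dts_b)

def demo() -> dict:
    clock = [dt_from_time(NOW)] * 3              # three blocks in one second
    fresh_a = [os.urandom(8) for _ in range(3)]  # DT slot fed from an entropy source
    fresh_b = [os.urandom(8) for _ in range(3)]
    return {
        "time_dt_clones_agree": clones_agree(clock, clock),
        "fresh_dt_clones_agree": clones_agree(fresh_a, fresh_b),
        "dt_bits_one_hour": dt_entropy_bits(3600),
    }

if __name__ == "__main__":
    print(demo())
```

With a clock-only DT the two clones emit identical blocks, and a DT known to within an hour adds under 12 bits; feeding the DT slot from an entropy source makes the clones diverge.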

---------------------------------------------------------------------
The Cryptography Mailing List