questions about RNGs and FIPS 140

Joshua Hill josh-lists at untruth.org
Sat Aug 28 04:16:57 EDT 2010


On Sat, Aug 28, 2010 at 07:01:18PM +1200, Peter Gutmann wrote:
> What matters to someone getting something evaluated isn't what NIST thinks or
> what one person's interpretation of the standard says, but what the lab does
> and doesn't allow.  Since what I reported is based on actual evaluations
> (rather than what NIST thinks), how can it be "factually incorrect"?

Hence my qualification.  I agree that there is inconsistency between the
labs; I've dealt with a handful of them, and worked at one of them for
a decade (mainly doing FIPS 140 validations, as it happens), so I have
some background in the area.

> Unfortunately one lab caught that and required that the DT vector really be a
> date and time, specifically the 64-bit big-endian output of time(), the
> Security 101 counterexample for how to seed an RNG.

Didn't we have this discussion at the NIST RNG workshop?  The DT field
could be used for seeding if you can argue that this is equivalent to
a date/time stamp, but the main purpose of DT is not seeding, it is
an anti-cycle protection.  The (1 cipher block long) V parameter and
the *K key (in the parlance of ANSI X9.31 A.2.4) are the main spots
for seeding.  As an aside, at this point IG7.6 explicitly allows you to
use an incrementer for DT, so you could start with any value you like
and treat that as a seed value as well...

> In summary it doesn't matter what the standard says, it matters what the labs
> require, and that can be (a) often arbitrary and (b) contrary to what would
> generally be regarded as good security practice.

If the lab is trying to enforce regulations not present in the standard,
the DTR, or the NIST guidance, you could always complain to NIST or move
to another lab.

I'm sorry that your FIPS validation process seemed arbitrary, and that
your lab enforced requirements beyond what they should have.  That doesn't
change the fact that seeding an approved deterministic RNG using a
non-approved non-deterministic RNG is explicitly allowed by FIPS 140-2.

Josh
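To make the roles Josh assigns to DT, V and K concrete, here is an added example (not code from the post, from Josh, or from any validated module) of an ANSI X9.31 A.2.4-style generator in Go, assuming AES-128 as the block cipher and constructed sample seed bytes. Seed entropy enters only through K and V, while DT is a plain incrementer as IG 7.6 permits, so it serves as anti-cycle protection rather than as the seed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// X931 is a minimal ANSI X9.31 A.2.4-style generator over AES-128 (added example).
// Seed entropy enters through K and V; DT is only the per-call anti-cycle counter.
type X931 struct {
	blk cipher.Block
	v   [16]byte // V: seed block, replaced on every call
	dt  [16]byte // DT: plain incrementer (the IG 7.6 option) rather than a clock value
}

// NewX931 seeds the generator with a 16-byte AES-128 key K and a seed block V.
func NewX931(key []byte, v [16]byte) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &X931{blk: blk, v: v}, nil
}

// Next yields one output block: I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I), DT++.
func (g *X931) Next() []byte {
	var i, r, t [16]byte
	g.blk.Encrypt(i[:], g.dt[:])
	subtle.XORBytes(t[:], i[:], g.v[:])
	g.blk.Encrypt(r[:], t[:])
	subtle.XORBytes(t[:], r[:], i[:])
	g.blk.Encrypt(g.v[:], t[:])
	for j := len(g.dt) - 1; j >= 0; j-- { // DT = DT + 1 as a 128-bit big-endian counter
		if g.dt[j]++; g.dt[j] != 0 {
			break
		}
	}
	return r[:]
}

func main() {
	var v [16]byte
	copy(v[:], "constructed-seed") // constructed sample; real K and V come from an entropy source
	g, _ := NewX931([]byte("constructed-key!"), v)
	fmt.Println(hex.EncodeToString(g.Next()), hex.EncodeToString(g.Next()))
}
```

The X9.31 generator has since been removed from the FIPS 140 approved list, so this is for understanding where the seed goes in the design, not for use in new code.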

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com