questions about RNGs and FIPS 140
Thierry Moreau
thierry.moreau at connotech.com
Tue Sep 7 10:12:59 EDT 2010
Ben Laurie wrote:
> On 27/08/2010 19:38, Joshua Hill wrote:
>> The fact is that all of the approved deterministic RNGs have places that
>> you are expected to use to seed the generator. The text of the standard
>> explicitly states that you can use non-approved non-deterministic RNGs
>> to seed your approved deterministic RNG.
>
> This is nice.
>
>> It's an even better situation if you look at the modern deterministic RNGs
>> described in NIST SP800-90. (You'll want to use these, anyway. They are
>> better designs and last I heard, NIST was planning on retiring the other
>> approved deterministic RNGs.) Every design in SP800-90 requires that your
>> initial seed is appropriately large and unpredictable, and the designs all
>> allow (indeed, require!) periodic reseeding in similarly reasonable ways.
>
> Given that we seem to have agreed that "unpredictable" is kinda hard,
> I'm amused that SP800-90 requires it. If it is a requirement then I
> wonder why NIST didn't specify how to generate and validate such a seed?
>
Well, I find SP800-90 Annex C (Entropy and Entropy Sources) quite clear
about the requirements. If nothing is approved, we may guess it's
because no unpredictable phenomenon has been shown (convincingly) to be
compliant.

In terms of solution documentation requirements, I see four stages:

1) unpredictable phenomenon,
2) sensor technology,
3) digitalization,
4) conditioning.

I separate 2 and 3 while NIST seems to merge them. I see them separate
since the sensor technology is seldom developed with the entropy
collection application in mind (the unpredictable phenomenon is not
engineered: it just exists). The digitalization refers to the
algorithmic processing taking raw A-to-D (analog to digital) data and
giving some discrete measurement of the unpredictable phenomenon. This
measurement is basically a convenient intermediate representation using
a physical characteristic that is better understood, for analysis
purposes, than the raw A-to-D data.

The digitalization algorithm may be the same as for pre-existing uses of
the sensor technology, in which case an after-the-fact certification is
challenging.

NIST seems to favor very well defined algorithms for affixing the NIST
approved mark. Then, the digitalization algorithm for a given pair
<unpredictable phenomenon,sensor technology> may be challenging.

I released (a few days ago) a specification document for digitalization
and conditioning algorithms for PUDEC, Practical Use of Dice for Entropy
Collection, see http://www.connotech.com/doc_pudec_algo.html

Incidentally, another difficulty is that confidence in the entropy
collection function is difficult to support with boot time / run time
testing. IIRC, the statistical testing at boot time had to be dropped
from the FIPS140 requirements because false failures (intrinsic to
statistical testing) were not manageable in an operational context.

Obviously, there are other considerations to NIST approval because it
would become a procurement specification for the US Federal government.

> Cheers,
>
> Ben.
>
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
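
To put numbers on the false-failure point raised in the message above, the following added example (not part of the original message) computes the exact chance that an ideal random source fails a boot-time monobit test. The 20000-bit sample and the 9725/10275 bounds are those of the FIPS 140-2 monobit test; the boot count is a constructed figure.

```python
import math

N_BITS = 20000            # sample size of the FIPS 140-2 statistical RNG tests
LOW, HIGH = 9725, 10275   # monobit passes only if LOW < ones < HIGH
BOOTS = 10_000            # constructed figure: power-ups across a deployment


def monobit_passes(sample: bytes) -> bool:
    """Monobit test: count the one bits in a 20000-bit (2500-byte) sample."""
    if len(sample) * 8 != N_BITS:
        raise ValueError("monobit test needs exactly 2500 bytes")
    ones = sum(bin(byte).count("1") for byte in sample)
    return LOW < ones < HIGH


def false_failure_probability() -> float:
    """Exact probability that an ideal (unbiased, independent) source fails."""
    # ones ~ Binomial(N_BITS, 1/2). The bounds are symmetric around N_BITS/2,
    # so P(fail) = 2 * P(ones <= LOW). Sum the tail with exact integers.
    term, tail = 1, 0                       # term = C(N_BITS, k)
    for k in range(LOW + 1):
        tail += term
        term = term * (N_BITS - k) // (k + 1)
    return 2 * tail / 2**N_BITS


def prob_any_false_failure(boots: int, p_fail: float) -> float:
    """Chance that at least one of `boots` independent power-ups fails falsely."""
    return -math.expm1(boots * math.log1p(-p_fail))


if __name__ == "__main__":
    p = false_failure_probability()
    stuck = monobit_passes(bytes(2500))            # constructed: all zero bits
    alternating = monobit_passes(b"\x55" * 2500)   # constructed: 0101... pattern
    print(f"ideal source fails one monobit test with probability {p:.3e}")
    print(f"at least one false failure in {BOOTS} boots: "
          f"{prob_any_false_failure(BOOTS, p):.2f}")
    print(f"stuck-at-zero sample passes: {stuck}")
    # A fully predictable alternating pattern passes, so a pass says nothing
    # about unpredictability; the test only catches gross bias.
    print(f"alternating-bit sample passes: {alternating}")
```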