questions about RNGs and FIPS 140

Thierry Moreau thierry.moreau at connotech.com
Tue Sep 7 10:12:59 EDT 2010


Ben Laurie wrote:
> On 27/08/2010 19:38, Joshua Hill wrote:
>> The fact is that all of the approved deterministic RNGs have places that
>> you are expected to use to seed the generator.  The text of the standard
>> explicitly states that you can use non-approved non-deterministic RNGs
>> to seed your approved deterministic RNG.
> 
> This is nice.
> 
>> It's an even better situation if you look at the modern deterministic RNGs
>> described in NIST SP800-90. (You'll want to use these, anyway.  They are
>> better designs and last I heard, NIST was planning on retiring the other
>> approved deterministic RNGs.) Every design in SP800-90 requires that your
>> initial seed is appropriately large and unpredictable, and the designs all
>> allow (indeed, require!) periodic reseeding in similarly reasonable ways.
> 
> Given that we seem to have agreed that "unpredictable" is kinda hard,
> I'm amused that SP800-90 requires it. If it is a requirement then I
> wonder why NIST didn't specify how to generate and validate such a seed?
> 

Well, I find SP800-90 Annex C (Entropy and Entropy Sources) quite clear 
about the requirements. If nothing is approved, we may guess it's 
because no unpredictable phenomenon has been shown (convincingly) to be 
compliant.

In terms of solution documentation requirements, I see four stages:
1) unpredictable phenomenon,
2) sensor technology,
3) digitalization,
4) conditioning.

I separate 2 and 3 while NIST seems to merge them. I see them separate 
since the sensor technology is seldom developed with the entropy 
collection application in mind (the unpredictable phenomenon is not 
engineered: it just exists). The digitalization refers to the 
algorithmic processing taking raw A-to-D (analog to digital) data and 
giving some discrete measurement of the unpredictable phenomenon. This 
measurement is basically a convenient intermediate representation using 
a physical characteristic that is better understood, for analysis 
purposes, than the raw A-to-D data.

The digitalization algorithm may be the same as for pre-existing uses of 
the sensor technology, in which case an after-the-fact certification is 
challenging.

NIST seems to favor very well defined algorithms for affixing the NIST 
approved mark. Then, the digitalization algorithm for a given pair 
<unpredictable phenomenon,sensor technology> may be challenging.

I released (a few days ago) a specification document for digitalization 
and conditioning algorithms for PUDEC, Practical Use of Dice for Entropy 
Collection, see http://www.connotech.com/doc_pudec_algo.html

Incidentally, another difficulty is that confidence in the entropy 
collection function is difficult to support with boot time / run time 
testing. IIRC, the statistical testing at boot time had to be dropped 
from the FIPS140 requirements because false failures (intrinsic to 
statistical testing) were not manageable in an operational context.

Obviously, there are other considerations to NIST approval because it 
would become a procurement specification for the US Federal government.



> Cheers,
> 
> Ben.
> 


Regards,

-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
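
The point above about false failures being intrinsic to statistical testing can be quantified. The following is an added example, not part of the original message: it computes how often a ones-count (monobit) power-up test rejects an ideal source, how that accumulates over many power-ups, and how often the same test catches a slightly biased source. The block size, pass bounds, bias and run count are assumptions of this example.

```python
import math

# Assumed example parameters: a 20,000-bit sample passes when
# LO < (number of one bits) < HI.
N_BITS, LO, HI = 20_000, 9_725, 10_275


def binom_pmf(n, k, p):
    """P(exactly k ones in n independent bits), each bit one with prob. p."""
    log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
               + k * math.log(p) + (n - k) * math.log1p(-p))
    return math.exp(log_pmf)  # underflows harmlessly to 0.0 in the far tails


def failure_probability(n, lo, hi, p_one=0.5):
    """P(test fails), i.e. ones <= lo or ones >= hi, for a source with bias p_one."""
    low_tail = (binom_pmf(n, k, p_one) for k in range(0, lo + 1))
    high_tail = (binom_pmf(n, k, p_one) for k in range(hi, n + 1))
    return math.fsum(low_tail) + math.fsum(high_tail)


def at_least_one_failure(p_fail, runs):
    """P(one or more failures over `runs` independent executions of the test)."""
    return -math.expm1(runs * math.log1p(-p_fail))


def summary(runs=10_000, biased_p=0.51):
    """Collect the three figures an operator cares about."""
    false_fail = failure_probability(N_BITS, LO, HI, 0.5)
    return {
        # ideal source rejected on a single power-up
        "false_failure_per_run": false_fail,
        # at least one spurious rejection across `runs` power-ups
        "false_failure_over_runs": at_least_one_failure(false_fail, runs),
        # a source emitting ones with probability `biased_p` is caught
        "detection_of_biased_source": failure_probability(
            N_BITS, LO, HI, biased_p),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:.3g}")
```

With these assumed bounds a perfect source is rejected roughly once per ten thousand power-ups, while a source with a 51% ones bias passes most of the time, so tightening the bounds to catch the bias raises the false failure rate further.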

---------------------------------------------------------------------
The Cryptography Mailing List


