[Cryptography] FIPS 140 testing hurting secure random bit generation

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 1 08:12:21 EDT 2013


Paul Hoffman <paul.hoffman at vpnc.org> writes:

>- The NIST CMVP people have a reputation (that may or may not be deserved)
>for taking much longer to validate systems from boat-rockers. I have been
>told by implementers that their labs explicitly told them not to complain
>about anything during the 140-3 development process because of this.

+1 (by "CMVP people" I assume you mean "the labs").  What the labs apply is
what they interpret the requirements to be.  Interpretations (it might be more
appropriate to label them "guesses" in some cases) vary between labs, so that
something that's OK'd by one lab is rejected by another.  In the worst case,
two labs can set mutually exclusive requirements.  As an implementer, your
options are either (a) do the appropriate silly-walk or (b) escalate the issue
to NIST.  The latter is sufficiently painful that you'd have to be facing a
serious showstopper before trying it.

It's difficult to get people directly involved in this to talk about it in
public (although many are happy to complain at length in private).  Vendors
are reluctant to publicly criticise the organisation that they depend on for
access to government markets.

Peter.



