[Cryptography] FIPS 140 testing hurting secure random bit generation

Stephan Mueller smueller at chronox.de
Wed Oct 30 14:11:53 EDT 2013


On Wednesday, 30 October 2013, 07:20:11, Paul Hoffman wrote:

Hi Paul,

>On Oct 29, 2013, at 8:59 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
>> On Oct 28, 2013, at 5:28 PM, dj at deadhat.com wrote:
>> 
>> ...
>> 
>>> But the specifications (SP800-90x & FIPS 140-2) make it
>>> spectacularly hard to mix in multiple sources in a compliant way.
>>> SP800-90 gives a way to mix in "additional entropy" and
>>> "personalization strings", but FIPS 140-2 states that all sources
>>> must be authenticated. All configuring entities must be
>>> authenticated. Try authenticating hardware on one end of chip
>>> against hardware at the other end of the chip. It is the mother of
>>> all chicken and egg problems.
>> 
>> Wait, the FIPS labs refuse to let you put your own stuff into those
>> additional inputs?
>From what multiple implementers (not just Peter) have said: yes.
>
>> More broadly to everyone: If you see problems with how the FIPS
>> validation process plays with the DRBGs, or other problems, email a
>> formal comment in.
>This is a somewhat absurd suggestion for two reasons:
>
>- The NIST CMVP people have a reputation (that may or may not be
>deserved) for taking much longer to validate systems from
>boat-rockers. I have been told by implementers that their labs
>explicitly told them not to complain about anything during the 140-3
>development process because of this.
>
>- The folks in NIST Computer Security Division are down the hall from
>these people. They are writing rules for the documents generated by
>CSD. The people in CSD need to lead the charge for fixing the broken
>testing, not asking people who are already paying hundreds of
>thousands of dollars, and losing even more of that in delayed sales,
>to do the work of fixing CMVP.
>
>This problem has been known by the CSD and CMVP people for many years.
>The other deep problems with the CMVP have been known for many years.
>Everyone looks at NIST as NIST, not as two departments. You can fix
>this, but we can't.

Being a FIPS tester, I am called by NIST to enforce such or similarly 
strange requirements that at best do not help cryptography. Deviations 
are not an option...

Ciao
Stephan

