[Cryptography] FIPS 140 testing hurting secure random bit generation

John Kelsey crypto.jmk at gmail.com
Wed Oct 30 21:19:10 EDT 2013



On Oct 30, 2013, at 10:20 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:

>> More broadly to everyone: If you see problems with how the FIPS validation process plays with the DRBGs, or other problems, email a formal comment in.  
> 
> This is a somewhat absurd suggestion for two reasons:
> 
> - The NIST CMVP people have a reputation (that may or may not be deserved) for taking much longer to validate systems from boat-rockers. I have been told by implementers that their labs explicitly told them not to complain about anything during the 140-3 development process because of this.
> 
> - The folks in NIST Computer Security Division are down the hall from these people. They are writing rules for the documents generated by CSD. The people in CSD need to lead the charge for fixing the broken testing, not asking people who are already paying hundreds of thousands of dollars, and losing even more of that in delayed sales, to do the work of fixing CMVP.
> 
> This problem has been known by the CSD and CMVP people for many years. The other deep problems with the CMVP have been known for many years. Everyone looks at NIST as NIST, not as two departments. You can fix this, but we can't.

Perhaps you have never worked in a large organization?  I know there are problems with validation, but that does not mean either that I automatically have the power to fix them, or that I know all the problems that people run into with FIPS validation.  

At any rate, I didn't know that the labs were forbidding people from freely putting in external input from unverified sources.  When I emailed around to other people working on RNG stuff and dealing with validation stuff today, they didn't know about it either.

The reason I recommend making a formal comment is because the documents are open for public comment right now, and because those comments make it a lot easier to make a case that this is a problem that needs fixing.  

> --Paul Hoffman

--John

