[Cryptography] FIPS 140 testing hurting secure random bit generation

Paul Hoffman paul.hoffman at vpnc.org
Wed Oct 30 22:07:51 EDT 2013


On Oct 30, 2013, at 6:19 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> On Oct 30, 2013, at 10:20 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> 
>>> More broadly to everyone: If you see problems with how the FIPS validation process plays with the DRBGs, or other problems, email a formal comment in.  
>> 
>> This is a somewhat absurd suggestion for two reasons:
>> 
>> - The NIST CMVP people have a reputation (that may or may not be deserved) for taking much longer to validate systems from boat-rockers. I have been told by implementers that their labs explicitly told them not to complain about anything during the 140-3 development process because of this.
>> 
>> - The folks in NIST Computer Security Division are down the hall from these people. They are writing rules for the documents generated by CSD. The people in CSD need to lead the charge for fixing the broken testing, not asking people who are already paying hundreds of thousands of dollars, and losing even more of that in delayed sales, to do the work of fixing CMVP.
>> 
>> This problem has been known by the CSD and CMVP people for many years. The other deep problems with the CMVP have been known for many years. Everyone looks at NIST as NIST, not as two departments. You can fix this, but we can't.
> 
> Perhaps you have never worked in a large organization?  

As you know, I was a consultant for NIST CSD for a while.

> I know there are problems with validation, but that does not mean either that I automatically have the power to fix them, or that I know all the problems that people run into with FIPS validation.  

There was no "automatically" above for the obvious reason. However, CSD can still fix this in a way that no vendor or commenter can hope to do. CSD has the crypto knowledge *and the position in the NIST org chart*; none of us have the latter.

> At any rate, I didn't know that the labs were forbidding people freely putting in external input from unverified sources.  When I emailed around to other people working on RNG stuff and dealing with validation stuff today, they didn't know about it either. 

Then maybe the FIPS 140 evaluations are inconsistent; that's clearly worse.

> The reason I recommend making a formal comment is because the documents are open for public comment right now, and because those comments make it a lot easier to make a case that this is a problem that needs fixing.  

That seems incorrect. NIST 800-90 A/B/C are open for comments; FIPS 140-2 and the still-delayed FIPS 140-3 do not appear to be. The problems in this thread are with the FIPS testing, not with 800-90 (other than that B and C are about five years late; they clearly should have come out with the first version of A, as many people said at the time). Outside people commenting on the new drafts will not fix the FIPS 140 evaluation procedure; inside people who wrote the specs on which FIPS 140 testing is based can do so.

--Paul Hoffman