Thread: How important is FIPS 140-2 Level 1 cert?

2006-12-29 07:49:35
Thor Lancelot Simon <tlsrek.tjls.com> writes:
>On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for an entropy polling mechanism.  Then again
>> I know of some that have used it as exactly that without any problems.
>
>This (braindamaged) requirements change was brought in by the creation of a
>Known Answer Test for the cipher-based RNG.  Prior to the addition of that
>test, one could add additional entropy by changing the seed value at each
>iteration of the generator.  But that makes it, of course, impossible to get
>Known Answers that confirm that the generator actually implements the
>standard. So suddenly the alternate form of the generator -- in my opinion
>much less secure -- which uses a monotonically-increasing counter for the
>seed, was the only permitted form.

I don't know if it's the only permitted form; the KAT simply feeds in known input and checks that the output is as required.  You can feed in anything you want, there's no need for it to be a counter.  The known input just happens to be in the form of a monotonically increasing counter (for the Variable Seed Test (VST), these are from test vectors that NIST has published); the other test, the Monte Carlo Test (MCT), is just a single random seed value which isn't a counter.  The values created by the NIST tool are actually rather odd and consist of a one bit shifted down from the MSB, so you get a successively longer string of one bits as input to the VST until all 64 bits are ones.  I have no idea why they chose these particular values.

>I have yet to hear of anyone who has found a test lab that will certify a
>generator implementation that uses the mono counter for the KAT suite but a
>random seed in normal operation.

I know of at least one and possibly two (I'd have to go back through old email to see who did what), certified at the same time that others couldn't get certified when doing more or less the same thing.

>However, you are free to change the actual key for the generator as often as
>you like.  I'm not sure why OpenSSL doesn't implement "fork protection" that
>way, for example -- or does it use the MAC-based generator instead?

I'm not sure, I just read through the certification docs on their web site, but they don't go into this.

Peter.
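As an added illustration of the generator and the two tests discussed in this message (it is not code from the message, from NIST or from any certified module), the following Go program implements the ANSI X9.31 cipher-based generator on AES-128 rather than the 64-bit block cipher the message refers to, builds the VST seed pattern Peter describes (one bit at the MSB, then successively longer runs of ones), and runs a known answer test over it. Assumptions: the VST pattern is applied to the seed V with key and DT held fixed, the key and DT are constructed values, and the "known answers" are computed locally as placeholders because NIST's published vectors are not reproduced here. `Reseed` models the form Thor describes, where V is replaced with fresh entropy on each iteration, which is exactly what no fixed known answer can cover.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// X931 is an ANSI X9.31 A.2.4 style cipher-based generator on AES-128 (16-byte blocks).
type X931 struct {
	blk cipher.Block
	v   []byte // seed/state V, one block
}

func NewX931(key, seed []byte) (*X931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(seed) != blk.BlockSize() {
		return nil, errors.New("seed must be exactly one cipher block")
	}
	g := &X931{blk: blk, v: make([]byte, blk.BlockSize())}
	copy(g.v, seed)
	return g, nil
}

func xorBlocks(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// Next is one X9.31 iteration: I = E_K(DT); R = E_K(I xor V); V' = E_K(R xor I).
func (g *X931) Next(dt []byte) []byte {
	n := g.blk.BlockSize()
	i, r, tmp := make([]byte, n), make([]byte, n), make([]byte, n)
	g.blk.Encrypt(i, dt)
	xorBlocks(tmp, i, g.v)
	g.blk.Encrypt(r, tmp)
	xorBlocks(tmp, r, i)
	g.blk.Encrypt(g.v, tmp)
	return r
}

// Reseed replaces V with fresh material: the "change the seed at each iteration"
// form. It adds entropy but makes output irreproducible, so no known answer fits.
func (g *X931) Reseed(seed []byte) { copy(g.v, seed) }
// VSTInputs builds the seed pattern described above: a one bit at the MSB, then
// successively longer runs of ones until every bit of the block is one.
func VSTInputs(blockBytes int) [][]byte {
	out := make([][]byte, 0, blockBytes*8)
	cur := make([]byte, blockBytes)
	for bit := 0; bit < blockBytes*8; bit++ {
		cur[bit/8] |= 0x80 >> uint(bit%8)
		cp := make([]byte, blockBytes)
		copy(cp, cur)
		out = append(out, cp)
	}
	return out
}

// KnownAnswerTest restarts the generator from a fixed key, DT and each seed and
// compares the first output block to the expected one; the seeds need not be a counter.
func KnownAnswerTest(key, dt []byte, seeds, expected [][]byte) bool {
	if len(seeds) != len(expected) {
		return false
	}
	for k, v := range seeds {
		g, err := NewX931(key, v)
		if err != nil || !bytes.Equal(g.Next(dt), expected[k]) {
			return false
		}
	}
	return true
}

func main() {
	key := []byte("0123456789abcdef")      // constructed key, not a real test vector
	dt := bytes.Repeat([]byte{0x01}, 16) // constructed, fixed DT block
	seeds := VSTInputs(16)
	// Placeholder known answers computed locally, since NIST's vectors are not on the page.
	expected := make([][]byte, len(seeds))
	for k, v := range seeds {
		g, _ := NewX931(key, v)
		expected[k] = g.Next(dt)
	}
	fmt.Println("KAT on a fresh run passes:", KnownAnswerTest(key, dt, seeds, expected))
	g, _ := NewX931(key, seeds[0]) // reseeding form: fresh entropy in V breaks reproducibility
	fresh := make([]byte, 16)
	if _, err := rand.Read(fresh); err != nil {
		panic(err)
	}
	g.Reseed(fresh)
	fmt.Println("reseeded output matches known answer:", bytes.Equal(g.Next(dt), expected[0]))
}
```

Running it shows the KAT passing on a second run from the same fixed inputs, and the reseeded generator (almost certainly) failing to match: that is the trade-off the thread is about. The KAT only needs inputs that are fixed and known; nothing in the check itself requires a counter, and a module could pass the KAT with these seeds while still running with a random V in normal operation, which is the configuration Peter says some labs accepted and others did not.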

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomometzdowd.com