Thread: How important is FIPS 140-2 Level 1 cert?

How important is FIPS 140-2 Level 1 cert?
Ben Laurie
2006-12-29 10:40:20
Thor Lancelot Simon wrote:
> On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for an entropy polling mechanism.  Then again
>> I know of some that have used it as exactly that without any problems.
> 
> This (braindamaged) requirements change was brought in by the creation of
> a Known Answer Test for the cipher-based RNG.  Prior to the addition of
> that test, one could add additional entropy by changing the seed value at
> each iteration of the generator.  But that makes it, of course, impossible
> to get Known Answers that confirm that the generator actually implements
> the standard.  So suddenly the alternate form of the generator -- in my
> opinion much less secure -- which uses a monotonically-increasing counter
> for the seed, was the only permitted form.
> 
> I have yet to hear of anyone who has found a test lab that will certify
> a generator implementation that uses the mono counter for the KAT suite
> but a random seed in normal operation.  For good reason, labs are usually
> very leery of algorithm implementations that come with a "special test
> mode".
> 
> However, you are free to change the actual key for the generator as often
> as you like.  I'm not sure why OpenSSL doesn't implement "fork protection"
> that way, for example -- or does it use the MAC-based generator instead?

No, it doesn't. Fork protection was originally implemented inside the
"FIPS boundary" - which the test lab made us remove. I guess it might be
possible to re-insert it outside the boundary, I'm not sure that
occurred to us at the time. I seem to remember there was some obstacle
to this, though, but I can't remember what it was.

While we're at it, an amusing fact I learnt about FIPS-140 while I was
implementing it for OpenSSL is that some of the Monte Carlo tests have
output that's independent of the input.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
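The trade-off Thor describes above (a Known Answer Test needs the generator to be a pure function of key, seed and counter, so per-iteration reseeding is out, while re-keying stays permitted and also covers fork protection) can be seen in a few lines of code. What follows is an added example written for this archive; it is not code from the thread, from OpenSSL or from any FIPS module. It assumes the "cipher-based RNG" in question is the ANSI X9.31 Appendix A.2.4 construction run over AES-128 (the form the RNGVS tests), with DT standing for the monotonic counter and V for the seed; the key, seed and entropy bytes are constructed values, not RNGVS vectors, and the MixSeed, Rekey and Clone helpers are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// X931 is a minimal ANSI X9.31 Appendix A.2.4 generator over AES-128; one
// output block is I = E_K(DT); R = E_K(I xor V); V' = E_K(R xor I), with DT
// the monotonic date/time counter, V the seed and K the key. Every constant
// below is constructed for illustration.
type X931 struct {
	k  cipher.Block // AES-128 instance for key K
	v  []byte       // 16-byte seed V
	dt uint64       // DT counter, stored in the low 8 bytes of a zero block
}

func mustAES(key []byte) cipher.Block {
	c, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	return c
}

// NewX931 copies the seed so callers cannot alias generator state.
func NewX931(key, seed []byte, dt uint64) *X931 {
	return &X931{k: mustAES(key), v: append([]byte(nil), seed...), dt: dt}
}

func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Block emits one 16-byte output block and advances DT and V.
func (g *X931) Block() []byte {
	dtBlock := make([]byte, 16)
	binary.BigEndian.PutUint64(dtBlock[8:], g.dt)
	g.dt++
	i, r := make([]byte, 16), make([]byte, 16)
	g.k.Encrypt(i, dtBlock)
	g.k.Encrypt(r, xor16(i, g.v))
	g.k.Encrypt(g.v, xor16(r, i))
	return r
}

// MixSeed folds fresh entropy into V: the per-iteration reseeding that the
// thread says cannot coexist with a Known Answer Test.
func (g *X931) MixSeed(entropy []byte) { g.v = xor16(g.v, entropy) }

// Rekey swaps K and leaves V and DT alone: the "change the actual key" form
// of fork protection mentioned in the thread.
func (g *X931) Rekey(key []byte) { g.k = mustAES(key) }

// Clone models fork(): the child inherits a byte-identical copy of the state.
func (g *X931) Clone() *X931 { return &X931{k: g.k, v: append([]byte(nil), g.v...), dt: g.dt} }

var (
	testKey  = []byte("0123456789abcdef") // constructed, not an RNGVS vector
	testSeed = []byte("fedcba9876543210") // constructed
)

// KATHolds runs two instances from the same K, V, DT for n blocks and reports
// whether they agree; with mix set, the second XORs constructed entropy into V.
func KATHolds(n int, mix bool) bool {
	a, b := NewX931(testKey, testSeed, 1), NewX931(testKey, testSeed, 1)
	for k := 0; k < n; k++ {
		if mix {
			b.MixSeed(bytes.Repeat([]byte{byte(k + 1)}, 16))
		}
		if !bytes.Equal(a.Block(), b.Block()) {
			return false
		}
	}
	return true
}

// ForkOutputsIdentical copies a running generator (a fork) and reports whether
// parent and child emit the same next block, optionally rekeying the child.
func ForkOutputsIdentical(rekeyChild bool) bool {
	parent := NewX931(testKey, testSeed, 1)
	parent.Block()
	child := parent.Clone()
	if rekeyChild {
		child.Rekey([]byte("ZZZZZZZZZZZZZZZZ")) // constructed second key
	}
	return bytes.Equal(parent.Block(), child.Block())
}

func main() {
	fmt.Println("KAT reproducible:", KATHolds(4, false), "with seed mixing:", KATHolds(4, true))
	fmt.Println("fork copies identical:", ForkOutputsIdentical(false), "after rekey:", ForkOutputsIdentical(true))
}
```

Run as-is it reports the four results. The same K, V and DT reproduce the output bit for bit, which is all a KAT can check; XORing entropy into V before a block changes the input to E_K and so breaks reproducibility on the very first block, which is why a lab cannot test a generator that reseeds in normal operation; and a forked child that merely copies the state keeps emitting the parent's stream until it is rekeyed, while rekeying leaves V and DT, and hence the KAT path, exactly as the standard specifies.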
How important is FIPS 140-2 Level 1 cert?
Peter Gutmann
2006-12-29 12:03:24
Ben Laurie <ben@algroup.co.uk> writes:

>While we're at it, an amusing fact I learnt about FIPS-140 while I was
>implementing it for OpenSSL is that some of the Monte Carlo tests have output
>that's independent of the input.

Did you also notice that the MCT test vectors published in "The Random Number
Generator Validation System (RNGVS)" are wrong?  Or is that what you meant by
"independent of the input"?

Peter.

How important is FIPS 140-2 Level 1 cert?
Ben Laurie
2006-12-29 13:01:56
Peter Gutmann wrote:
> Ben Laurie <ben@algroup.co.uk> writes:
> 
>> While we're at it, an amusing fact I learnt about FIPS-140 while I was
>> implementing it for OpenSSL is that some of the Monte Carlo tests have output
>> that's independent of the input.
> 
> Did you also notice that the MCT test vectors published in "The Random Number
> Generator Validation System (RNGVS)" are wrong?  Or is that what you meant by
> "independent of the input"?

When I did FIPS, there was no RNGVS 

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
