[145748] in cryptography@c2.net mail archive


Re: questions about RNGs and FIPS 140

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Aug 26 12:19:16 2010

Date: Thu, 26 Aug 2010 12:13:06 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: travis+ml-cryptography@subspacefield.org
Cc: cryptography@metzdowd.com
In-Reply-To: <20100826151426.GA6521@subspacefield.org>

On Thu, 26 Aug 2010 08:14:26 -0700
travis+ml-cryptography@subspacefield.org wrote:
> On Thu, Aug 26, 2010 at 06:25:55AM -0400, Jerry Leichter wrote:
> > [F]IPS doesn't tell you how to *seed* your deterministic
> > generator.  In effect, a FIPS-compliant generator has the
> > property that if you start it with an unpredictable seed, it will
> > produce unpredictable values.
>
> That brings up an interesting question... if you have a source of
> unpredictable values in the first place, why use a CSPRNG? ;-)

The rationale is clear, but I'll explain it again.

Say you are deploying a small security device into the field.

It is trivial to validate that an AES or SHA256 implementation on the
device is working correctly and to generate a seed in the factory to
place on the device to give it an operational lifetime of "good
enough" random numbers.

It is difficult to validate that a hardware RNG is working
correctly. How do you know the bits being put off aren't skewed
somehow by a manufacturing defect? How do you know that damage in the
field won't cause the RNG to become less random?

It is therefore both cheaper and far safer to use a deterministic
algorithm on the field-deployable unit coupled with a high quality
seed from a source used only at the factory that you can spend time,
effort and money validating properly.

This same principle applies to things like virtual machines where it
is difficult to know that your hardware is giving you what you expect
but trivial to install a known-good seed at VM creation time.

I would have thought by now that this principle was widely understood.


Perry
-- 
Perry E. Metzger		perry@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
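The factory-seeded scheme Perry describes, as an added example that is not part of the original message: a SHA-256 known-answer test gates startup (the "trivial to validate" step), and a deterministic HMAC-SHA256 ratchet expands the provisioned seed with a fixed output budget standing in for the "operational lifetime". The class name, the 256-bit minimum seed length and the block budget are my assumptions; the construction is a simplified illustration, not a NIST SP 800-90A DRBG.

```python
import hashlib
import hmac

# Known-answer vector for SHA-256("abc") from FIPS 180-2. One comparison
# validates the primitive on the device; no statistical testing needed.
SHA256_KAT_MSG = b"abc"
SHA256_KAT_DIGEST = bytes.fromhex(
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")


def sha256_self_test() -> bool:
    """Return True if the on-device SHA-256 matches the published vector."""
    return hashlib.sha256(SHA256_KAT_MSG).digest() == SHA256_KAT_DIGEST


class FactorySeededGenerator:
    """Deterministic generator keyed with a factory-provisioned seed.

    Simplified illustration (not a NIST DRBG): each step emits
    HMAC(key, b"out") and then ratchets key = HMAC(key, b"next"), so a
    later key compromise does not reveal earlier output. The seed is the
    only unpredictable input; the device needs no entropy source at runtime.
    """

    def __init__(self, factory_seed: bytes, max_blocks: int = 2**20):
        if not sha256_self_test():
            raise RuntimeError("SHA-256 known-answer test failed; refusing to start")
        if len(factory_seed) < 32:          # assumed minimum: 256 bits
            raise ValueError("factory seed must be at least 256 bits")
        self._key = factory_seed
        self._blocks_used = 0
        self._max_blocks = max_blocks       # operational lifetime budget

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if self._blocks_used >= self._max_blocks:
                raise RuntimeError("output budget exhausted; re-provision the device")
            out += hmac.new(self._key, b"out", hashlib.sha256).digest()
            self._key = hmac.new(self._key, b"next", hashlib.sha256).digest()
            self._blocks_used += 1
        return bytes(out[:n])


if __name__ == "__main__":
    # Constructed example seed; a real one comes from the validated factory source.
    g = FactorySeededGenerator(bytes(range(32)))
    print(g.random_bytes(16).hex())
```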
