[145751] in cryptography@c2.net mail archive
Re: questions about RNGs and FIPS 140
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Thu Aug 26 12:30:17 2010
Date: Thu, 26 Aug 2010 11:21:35 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Jerry Leichter <leichter@lrw.com>
Cc: travis+ml-cryptography@subspacefield.org, cryptography@metzdowd.com
In-Reply-To: <D5EF5B10-B0F4-4FE8-826B-D64E497BDA09@lrw.com>
On Thu, Aug 26, 2010 at 06:25:55AM -0400, Jerry Leichter wrote:
> On Aug 25, 2010, at 4:37 PM,
> travis+ml-cryptography@subspacefield.org wrote:
> >
> >I also wanted to double-check these answers before I included them:
> >
> >1) Is Linux /dev/{u,}random FIPS 140 certified?
> >No, because FIPS 140-2 does not allow TRNGs (what they call non-
> >deterministic). I couldn't tell if FIPS 140-1 allowed it, but
> >FIPS 140-2 supersedes FIPS 140-1. I assume they don't allow non-
> >determinism because it makes the system harder to test/certify,
> >not because it's less secure.
> No one has figured out a way to certify, or even really describe in
> a way that could be certified, a non-deterministic generator.
Would it be possible to combine a FIPS 140-2 PRNG with a TRNG such that
testing and certification could be feasible?
I'm thinking of a system where a deterministic (seeded) RNG and
non-deterministic RNG are used to generate a seed for a deterministic
RNG, which is then used for the remainder of the system's operation until
next boot or next re-seed. That is, the seed for the run-time PRNG
would be a safe combination (say, XOR) of the outputs of a FIPS 140-2
PRNG and non-certifiable TRNG.
factory_prng = new PRNG(factory_seed, sequence_number, datetime);
trng = new TRNG(device_path);
runtime_prng = new PRNG(factory_prng.gen(seed_size) ^ trng.gen(seed_size), 0, 0);
One could then test and certify the deterministic RNG and show that the
non-deterministic RNG cannot destroy the security of the system (thus
the non-deterministic RNG would not require testing, much less
certification).
To me it seems obvious that the TRNG in the above scheme cannot
negatively affect the security of the system (given a sufficiently large
seed anyways).
Nico
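Added worked example (not code from the original message or from any FIPS-validated module): the seeding scheme sketched above, carried through in Python. The HMAC-SHA256 counter-mode generator stands in for the certified PRNG and is an assumption, not a validated DRBG; the TRNG readers are constructed stand-ins for a hardware device. Beyond the three lines in the post, it also checks the failure mode the argument relies on, a TRNG that returns only zeros, and shows that the seed then degrades to exactly the certified PRNG's output and no further.

```python
"""
Added worked example, not part of the original message.
HmacDrbg is a stand-in for a FIPS 140-2 approved DRBG (assumption: it is
NOT a validated module). trng_stuck and trng_os are constructed stand-ins
for a hardware TRNG. FACTORY_SEED, SEQUENCE_NUMBER and DATETIME are
constructed sample inputs.
"""
import hashlib
import hmac
import os
from typing import Callable

TrngReader = Callable[[int], bytes]


class HmacDrbg:
    """Deterministic RNG: HMAC-SHA256 keyed by the seed, run in counter mode.

    sequence_number and datetime play the role of the post's extra seed
    inputs; they are mixed into the key as personalization data.
    """

    def __init__(self, seed: bytes, sequence_number: int = 0, datetime: str = "") -> None:
        personalization = sequence_number.to_bytes(8, "big") + datetime.encode()
        self._key = hmac.new(seed, personalization, hashlib.sha256).digest()
        self._counter = 0

    def gen(self, n: int) -> bytes:
        """Return n bytes; each 32-byte block is HMAC(key, counter)."""
        out = b""
        while len(out) < n:
            out += hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self._counter += 1
        return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length strings; a length mismatch is a bug, not something to truncate."""
    if len(a) != len(b):
        raise ValueError("combiner inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def combined_seed(factory_prng: HmacDrbg, trng: TrngReader, seed_size: int = 32) -> bytes:
    """factory_prng.gen(seed_size) ^ trng.gen(seed_size), as in the post."""
    return xor_bytes(factory_prng.gen(seed_size), trng(seed_size))


def build_runtime_prng(factory_seed: bytes, sequence_number: int, datetime: str,
                       trng: TrngReader, seed_size: int = 32) -> HmacDrbg:
    """The post's three lines: factory PRNG and TRNG -> seed -> runtime PRNG."""
    factory_prng = HmacDrbg(factory_seed, sequence_number, datetime)
    return HmacDrbg(combined_seed(factory_prng, trng, seed_size))


# Constructed TRNG stand-ins (assumption: a real design reads a hardware device).
def trng_stuck(n: int) -> bytes:
    """Worst case for the argument: a dead source that only ever returns zeros."""
    return b"\x00" * n


def trng_os(n: int) -> bytes:
    """Non-deterministic source; os.urandom stands in for the hardware TRNG."""
    return os.urandom(n)


def continuous_rng_test(prev: bytes, cur: bytes) -> bool:
    """FIPS 140-2 style continuous test: two consecutive identical blocks mean
    the source is treated as failed. True = passes, False = looks stuck."""
    return prev != cur


# Constructed sample inputs.
FACTORY_SEED = hashlib.sha256(b"constructed factory seed, not a real secret").digest()
SEQUENCE_NUMBER = 7
DATETIME = "2010-08-26T11:21:35-0500"


def prng_only_seed(seed_size: int = 32) -> bytes:
    """The seed when the TRNG contributes nothing: the certified PRNG's output alone."""
    return HmacDrbg(FACTORY_SEED, SEQUENCE_NUMBER, DATETIME).gen(seed_size)


def seed_with(trng: TrngReader, seed_size: int = 32) -> bytes:
    """Run-time seed produced with the given TRNG reader and the sample factory inputs."""
    return combined_seed(HmacDrbg(FACTORY_SEED, SEQUENCE_NUMBER, DATETIME), trng, seed_size)


if __name__ == "__main__":
    # A stuck TRNG cannot make the seed worse than the certified PRNG's own output.
    assert seed_with(trng_stuck) == prng_only_seed()
    # A live TRNG makes the seed unpredictable even to someone who knows the factory seed.
    assert seed_with(trng_os) != prng_only_seed()
    # Same inputs -> same run-time stream: this is the part that can be tested and certified.
    a = build_runtime_prng(FACTORY_SEED, SEQUENCE_NUMBER, DATETIME, trng_stuck)
    b = build_runtime_prng(FACTORY_SEED, SEQUENCE_NUMBER, DATETIME, trng_stuck)
    assert a.gen(64) == b.gen(64)
    # A health check on the TRNG itself flags the stuck source before it reaches the combiner.
    assert not continuous_rng_test(trng_stuck(32), trng_stuck(32))
    print("ok")
```

Two caveats a practitioner would add. XOR is a safe combiner only while the TRNG output is independent of the PRNG output: a source that could observe the PRNG's bytes and echo them would cancel the seed to all zeros, which is why designs that cannot assume independence hash the concatenation of the two inputs instead of XORing them. And although a dead TRNG cannot weaken the seed below the certified PRNG's strength, you still want to detect it, hence the continuous test above; silently running on the factory seed alone is a different security posture from the one the operator thinks they have.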
--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com