[145757] in cryptography@c2.net mail archive


Re: questions about RNGs and FIPS 140

daemon@ATHENA.MIT.EDU (Thierry Moreau)
Thu Aug 26 13:54:38 2010

Date: Thu, 26 Aug 2010 13:43:31 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
CC: Jerry Leichter <leichter@lrw.com>,
  travis+ml-cryptography@subspacefield.org, cryptography@metzdowd.com
In-Reply-To: <20100826162134.GP17097@oracle.com>

Nicolas Williams wrote:
> On Thu, Aug 26, 2010 at 06:25:55AM -0400, Jerry Leichter wrote:
>> On Aug 25, 2010, at 4:37 PM,
>> travis+ml-cryptography@subspacefield.org wrote:
>>> I also wanted to double-check these answers before I included them:
>>>
>>> 1) Is Linux /dev/{u,}random FIPS 140 certified?
>>> No, because FIPS 140-2 does not allow TRNGs (what they call non-
>>> deterministic).  I couldn't tell if FIPS 140-1 allowed it, but
>>> FIPS 140-2 supersedes FIPS 140-1.  I assume they don't allow non-
>>> determinism because it makes the system harder to test/certify,
>>> not because it's less secure.
>> No one has figured out a way to certify, or even really describe in
>> a way that could be certified, a non-deterministic generator.
> 
> Would it be possible to combine a FIPS 140-2 PRNG with a TRNG such that
> testing and certification could be feasible?
> 
> I'm thinking of a system where a deterministic (seeded) RNG and
> non-deterministic RNG are used to generate a seed for a deterministic
> RNG, which is then used for the remainder of the system's operation until
> next boot or next re-seed.  That is, the seed for the run-time PRNG
> would be a safe combination (say, XOR) of the outputs of a FIPS 140-2
> PRNG and non-certifiable TRNG.
> 
> factory_prng = new PRNG(factory_seed, sequence_number, datetime);
>         trng = new TRNG(device_path);
> runtime_prng = new PRNG(factory_prng.gen(seed_size) ^ trng.gen(seed_size), 0, 0);
> 
> One could then test and certify the deterministic RNG and show that the
> non-deterministic RNG cannot destroy the security of the system (thus
> the non-deterministic RNG would not require testing, much less
> certification).
> 
> To me it seems obvious that the TRNG in the above scheme cannot
> negatively affect the security of the system (given a sufficiently large
> seed anyways).
> 
> Nico

Such implementations may be *certified*, but this mode of CSPRNG seeding 
is unlikely to get *NIST approved*. Cryptographic systems are 
*certified* with by-the-seat-of-the-pants CSPRNG seeding strategies (I 
guess), since crypto systems *are* being certified.

The tough part is to describe something with some hope of acquiring the 
*NIST approved* status at some point. The above proposal merely shifts 
the difficulty to the TRNG. Practical Use of Dice for Entropy Collection 
is unique because the unpredictable process (shuffling dice) has clear 
and convincing statistical properties.

- Thierry Moreau

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
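The seeding scheme Nico sketches above (a factory-seeded deterministic PRNG, a TRNG, and a runtime PRNG seeded from the XOR of the two), written out as a runnable illustration. This is an added example for this archive page, not code from either poster and not from any FIPS-validated module: the `PRNG` class is a plain HMAC-SHA256 counter generator standing in for a FIPS 140-2 PRNG (it is not an approved DRBG), the `TRNG` class wraps any callable that returns bytes so that a degenerate or correlated entropy source can be substituted, and `SEED_SIZE`, the factory seed and the hashed-concatenation combiner are my own choices. The two `demo_` functions check the argument in the post: a TRNG that emits only zeros leaves the XOR seed equal to the factory PRNG output, while a "TRNG" whose output is correlated with the factory PRNG stream cancels the XOR seed, which is the independence assumption the XOR argument relies on.

```python
"""Illustration of the factory-PRNG XOR TRNG -> runtime-PRNG seeding idea.

Added example; not code from the mailing-list thread or from any FIPS module.
PRNG below is an HMAC-SHA256 counter generator used as a stand-in only.
"""
import hashlib
import hmac
import os
from typing import Callable, Tuple

SEED_SIZE = 32  # bytes; assumed seed size for the example


class PRNG:
    """Deterministic generator: block_i = HMAC-SHA256(key, i). Stand-in, not a DRBG."""

    def __init__(self, seed: bytes, sequence_number: int = 0, datetime: int = 0):
        # Personalise the key with (seed, sequence_number, datetime), mirroring
        # the three constructor arguments in the posted pseudocode.
        material = seed + sequence_number.to_bytes(8, "big") + datetime.to_bytes(8, "big")
        self.key = hashlib.sha256(material).digest()
        self.counter = 0

    def gen(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


class TRNG:
    """Non-deterministic source wrapper; `source(n)` must return exactly n bytes."""

    def __init__(self, source: Callable[[int], bytes] = os.urandom):
        self.source = source

    def gen(self, n: int) -> bytes:
        out = self.source(n)
        if len(out) != n:
            raise ValueError("entropy source returned wrong length")
        return out


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seed_runtime_prng_xor(factory: PRNG, trng: TRNG, n: int = SEED_SIZE) -> Tuple[PRNG, bytes]:
    """The posted combiner: runtime seed = factory.gen(n) XOR trng.gen(n)."""
    seed = xor_bytes(factory.gen(n), trng.gen(n))
    return PRNG(seed, 0, 0), seed


def seed_runtime_prng_hash(factory: PRNG, trng: TRNG, n: int = SEED_SIZE) -> Tuple[PRNG, bytes]:
    """Alternative combiner (my addition): hash the concatenation instead of XORing."""
    seed = hashlib.sha256(factory.gen(n) + trng.gen(n)).digest()
    return PRNG(seed, 0, 0), seed


FACTORY_SEED = b"\x01" * 32  # constructed factory seed for the demos


def demo_degenerate_trng() -> bool:
    """All-zero TRNG output: XOR seed equals the factory PRNG output (no worse than it)."""
    factory = PRNG(FACTORY_SEED, 7, 20100826)
    expected = PRNG(FACTORY_SEED, 7, 20100826).gen(SEED_SIZE)
    _, seed = seed_runtime_prng_xor(factory, TRNG(lambda n: b"\x00" * n))
    return seed == expected


def demo_correlated_trng() -> Tuple[bool, bool]:
    """A 'TRNG' that replays the factory PRNG stream (fully correlated source).
    Returns (xor_seed_is_all_zero, hash_seed_is_all_zero)."""
    factory = PRNG(FACTORY_SEED, 7, 20100826)
    shadow = PRNG(FACTORY_SEED, 7, 20100826)  # same stream, fed in as the "TRNG"
    _, xor_seed = seed_runtime_prng_xor(factory, TRNG(shadow.gen))

    factory2 = PRNG(FACTORY_SEED, 7, 20100826)
    shadow2 = PRNG(FACTORY_SEED, 7, 20100826)
    _, hash_seed = seed_runtime_prng_hash(factory2, TRNG(shadow2.gen))
    return xor_seed == bytes(SEED_SIZE), hash_seed == bytes(SEED_SIZE)


if __name__ == "__main__":
    print("zero TRNG keeps factory-PRNG strength:", demo_degenerate_trng())
    print("(xor seed zeroed, hash seed zeroed):", demo_correlated_trng())
    runtime, _ = seed_runtime_prng_xor(PRNG(FACTORY_SEED, 7, 20100826), TRNG())
    print("runtime PRNG output:", runtime.gen(16).hex())
```

The XOR combiner is exactly the one from the post; the hashed combiner is only there to show that the "TRNG cannot hurt" argument depends on the TRNG output being independent of the PRNG output, since with XOR a source that happens to reproduce the PRNG stream (shared device state, a firmware bug feeding the same bytes to both) yields an all-zero seed, whereas hashing the concatenation does not have that failure mode.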
