On Fri, Aug 22, 2003 at 10:00:14AM -0700, Bob Baldwin PlusFive wrote:
> Tim,
> One issue to consider is whether the system
> that includes the PRNG will ever need a FIPS-140-2
> rating. For example, people are now working on
> a FIPS-140 validation for OpenSSL. If so, then
> the generator for keys and IVs MUST be a FIPS
> approved algorithm, whether or not there are
That's not quite right.

1) Various entities have already had various versions of OpenSSL FIPS-140-2 certified.

2) It is permissible to use a non-Approved deterministic RNG for IV generation, though not for keying.

Since it's permissible to rekey the Approved PRNG, and there is no requirement for _how_ it is rekeyed save that the input must not have demonstrably less entropy than the output, it is possible to use, if not Yarrow, a _very_ similar design by using an entropy pool collecting input from one or more hardware sources to periodically rekey the Approved X9.17 generator.

I am informed that in the past, implementations using Yarrow have, in fact, been certified, passing the code examination in the lab by documenting that Yarrow's output stage is, in fact, algorithmically equivalent to the X9.17 generator.

Unfortunately, since those products were certified, there have been some particularly ill-considered interpretations of the X9.17 RNG specification by NIST which I believe would now make it impossible to have a Yarrow implementation certified; but you can get very close.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
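The design Thor sketches, an X9.17 generator whose key K and seed V are periodically rekeyed from an entropy pool, as an added Go illustration that is not code from the thread or from any certified product. The 256-bit reseed threshold, the caller-supplied per-sample entropy estimates and SHA-256 as the pool hash are assumptions of this example, not requirements of the standard.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/sha256"
	"errors"
)

// X917 is an ANSI X9.17-style generator (3DES under key K, seed V, date/time input DT)
// whose K and V are periodically rekeyed from an entropy pool, as the reply describes.
type X917 struct {
	blk     cipher.Block
	v       [8]byte // seed V, replaced on every step
	pool    []byte  // entropy pool: raw hardware/OS samples, hashed at reseed time
	estBits int     // caller-supplied entropy estimate of the pool contents, in bits
}
// rekey splits 32 bytes of material into the 24-byte 3DES key K and the 8-byte V.
func (g *X917) rekey(m [32]byte) {
	g.blk, _ = des.NewTripleDESCipher(m[:24]) // errors only on a bad key length
	copy(g.v[:], m[24:])
}
func NewX917(seed [32]byte) *X917 { g := &X917{}; g.rekey(seed); return g }

// AddEntropy stirs a sample into the pool and credits its entropy estimate.
func (g *X917) AddEntropy(sample []byte, bits int) {
	g.pool = append(g.pool, sample...)
	g.estBits += bits
}

// Reseed rekeys K and V from the pool, refusing until the pool is credited with at
// least the 256 bits it will emit (input must not have demonstrably less entropy).
func (g *X917) Reseed() error {
	if g.estBits < 256 {
		return errors.New("pool entropy estimate below 256 bits; refusing to rekey")
	}
	g.rekey(sha256.Sum256(g.pool)) // assumption: SHA-256 as the pool's extraction hash
	g.pool, g.estBits = nil, 0
	return nil
}

// Next performs one X9.17 step: I = E_K(DT), R = E_K(I ^ V), V = E_K(R ^ I).
func (g *X917) Next(dt [8]byte) (r [8]byte) {
	var i, t [8]byte
	g.blk.Encrypt(i[:], dt[:])
	for n := range t { t[n] = i[n] ^ g.v[n] }
	g.blk.Encrypt(r[:], t[:])
	for n := range t { t[n] = r[n] ^ i[n] }
	g.blk.Encrypt(g.v[:], t[:])
	return r
}
```

In a real implementation DT comes from a clock and the entropy estimates from characterised hardware sources; the refusal path is the part a lab would ask you to document.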
