On 12 Sep 2007 20:18:22 -0700, Aram Perez wrote:

> I don't know about you, but when I hear terms like (please pardon my
> cynicism):
> "with military grade AES encryption" - Hum, I'll have to ask NIST
> about that.

AES can be permitted for use in classified environments. See http://csrc.nist.gov/CryptoToolkit/aes/CNSS15FS.pdf. And, yes, the DoD does use AES in certain circumstances.

> > The encryption keys used to protect your data are generated
> > in hardware by a FIPS 140-2 compliant True Random Number
>
> As opposed to a FIPS 140-2 compliant False Random Number Generator.

While I don't understand this quibble about standard terminology, I do note that the IronKey language is somewhat misleading. There are no FIPS-approved non-deterministic RNGs at this point, as all of the FIPS-approved RNGs are deterministic (pseudo) RNGs. (See http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf)

It is possible to use a non-deterministic RNG to seed a FIPS-approved PRNG, but I don't know of anyone in the FIPS 140-2 world that claims doing so makes the non-deterministic RNG "FIPS 140-2 compliant." (Also, if random data is utilized during key generation within a FIPS 140-2 module, then a FIPS-approved RNG must be utilized to generate that data in order to meet FIPS 140-2 requirements. Since all the FIPS-approved RNGs are PRNGs, a true RNG is not going to meet the FIPS 140-2 requirement here.)

Overall, colorful language and FIPS 140 hand-waving seem like the marketing norm in the "security products that utilize crypto" world. I think the language used by IronKey falls right in line with that, but I don't get a sense of snake oil. Then again, I don't really care either.

-Andrew

---------------------------------------------------------------------
The Cryptography Mailing List
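Added example, not part of the original post or of any product it mentions: the arrangement the post describes, a non-deterministic source used only to seed a deterministic generator, sketched in Python. The generator follows the HMAC_DRBG construction from NIST SP 800-90A, chosen here for illustration (the post names no specific generator), and os.urandom is an assumed stand-in for a hardware noise source.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Deterministic generator following the HMAC_DRBG construction (SHA-256)."""

    RESEED_INTERVAL = 2**48  # generate calls allowed between reseeds

    def __init__(self, seed: bytes):
        if len(seed) < 32:
            raise ValueError("seed must carry at least 256 bits")
        self._k, self._v = b"\x00" * 32, b"\x01" * 32
        self._update(seed)
        self._calls = 0

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        # Mix data into the (K, V) state; the second round runs only when data is present.
        for tag in (b"\x00", b"\x01"):
            self._k = self._mac(self._v + tag + data)
            self._v = self._mac(self._v)
            if not data:
                break

    def reseed(self, seed: bytes) -> None:
        self._update(seed)
        self._calls = 0

    def generate(self, n: int) -> bytes:
        if self._calls >= self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        out = b""
        while len(out) < n:
            self._v = self._mac(self._v)
            out += self._v
        self._update()  # advance state so a later state leak does not reveal this output
        self._calls += 1
        return out[:n]


if __name__ == "__main__":
    fixed = bytes(range(48))                   # constructed seed: repeatable output
    print(HmacDrbg(fixed).generate(32).hex())
    print(HmacDrbg(fixed).generate(32).hex())  # identical: the generator is a PRNG
    print(HmacDrbg(os.urandom(48)).generate(32).hex())  # assumed noise-source stand-in
```

Every key the generator emits is a function of the seed alone, so the unpredictability of the keys rests entirely on the seeding source, while the generator is the part an approval list can specify and test.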