On  12 Sep 2007 20:18:22 -0700, Aram Perez wrote:
> I don't know about you, but when I hear terms like (please pardon my
> cynicism):

>       "with military grade AES encryption" - Hum, I'll have to ask NIST
> about that.

AES can be permitted for use in classified environments. See
http://csrc.nist.gov/CryptoToolkit/aes/CNSS15FS.pdf. And, yes, the DoD
does use AES in certain circumstances.

> >     The encryption keys used to protect your data are generated
> >     in hardware by a FIPS 140-2 compliant True Random Number
> 
> As opposed to a FIPS 140-2 compliant False Random Number Generator.

While I don't understand this quibble about standard terminology, I do
note that the IronKey language is somewhat misleading. There are no
FIPS-approved non-deterministic RNGs at this point, as all of the
FIPS-approved RNGs are deterministic (pseudo) RNGs. (See
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf) It
is possible to use a non-deterministic RNG to seed a FIPS-approved PRNG,
but I don't know of anyone in the FIPS 140-2 world that claims doing so
makes the non-deterministic RNG "FIPS 140-2 compliant."

(Also, if random data is utilized during key generation within a FIPS
140-2 module, then a FIPS-approved RNG must be utilized to generate that
data in order to meet FIPS 140-2 requirements. Since all the
FIPS-approved RNGs are PRNGs, a true RNG is not going to meet the FIPS
140-2 requirement here.)

Overall, colorful language and FIPS 140 hand-waving seem like the
marketing norm in the "security products that utilize crypto" world. I
think the language used by IronKey falls right in line with that, but I
don't get a sense of snake oil. Then again, I don't really care either.

-Andrew
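As an added illustration of the structure Andrew describes (a non-deterministic source seeding a deterministic, FIPS-approved generator), not code from the thread: a minimal HMAC_DRBG in the style of SP 800-90 over SHA-256, with os.urandom standing in for the hardware entropy source. Class and function names are this example's own, and the code is not a validated FIPS 140-2 module.

```python
import hmac
import hashlib
import os
from typing import Optional


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90 construction) over SHA-256.

    Constructed for illustration. The only non-determinism is the seed
    material handed to __init__; every output byte afterwards is a pure
    function of that seed, which is what makes it a "deterministic" RNG
    in FIPS 140-2 Annex C terms. Not a validated implementation.
    """

    def __init__(self, seed_material: bytes) -> None:
        self.key = b"\x00" * 32
        self.value = b"\x01" * 32
        self._update(seed_material)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: Optional[bytes]) -> None:
        # HMAC_DRBG_Update: fold provided data into the (K, V) state.
        self.key = self._hmac(self.key, self.value + b"\x00" + (provided or b""))
        self.value = self._hmac(self.key, self.value)
        if provided:
            self.key = self._hmac(self.key, self.value + b"\x01" + provided)
            self.value = self._hmac(self.key, self.value)

    def generate(self, n: int) -> bytes:
        # HMAC_DRBG_Generate without additional input: stretch V, then update.
        out = b""
        while len(out) < n:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        self._update(None)
        self.reseed_counter += 1
        return out[:n]


def seed_from_entropy_source(nbytes: int = 48) -> bytes:
    # Stand-in for the hardware "true" RNG: entropy enters only here.
    return os.urandom(nbytes)


def same_seed_same_output(seed: bytes, n: int = 32) -> bool:
    # Two instances seeded identically must agree byte for byte.
    return HmacDrbg(seed).generate(n) == HmacDrbg(seed).generate(n)
```

The key-generation path a module would take is `HmacDrbg(seed_from_entropy_source()).generate(n)`: the approved DRBG produces the key material, and the true RNG's contribution is confined to the seed.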

---------------------------------------------------------------------
The Cryptography Mailing List