According to FIPS 140, the continuous test fails if two consecutive
values from the RNG are the same. No matter how strange or low-entropy
the seeding, this should happen only with vanishingly small
probability. So something is seriously wrong. You absolutely should
not try to work around this. You must find the root cause and fix it.
Also you imply that this is repeatable. Are the failures exactly
repeatable? If so, this would suggest that you have no entropy at all.
--David
On 9/24/13 2:23 PM, karanpopali wrote:
I'm using FIPS OpenSSL on Android and FIPS_rand_bytes() fails the continuous
test after some time. I read in the Security Policy that if it fails then we
need to uninstantiate and re-instantiate the DRBG.
A few questions:
1. Is there any way to avoid this? Will using HMAC DRBG or Hash DRBG help?
2. Is this a FATAL error?
3. If we hit this error, do we need to restart the process, or is just
uninstantiate/re-instantiate enough?
Version info:
FIPS canister: 2.0.1
OpenSSL: 1.0.1c
Thanks,
Karan
--
View this message in context:
http://openssl.6102.n7.nabble.com/FIPS-OpenSSL-default-DRBG-continuous-test-failing-tp46646.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
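
The continuous test discussed in the reply above, as an added example that is not part of the original thread and is not the OpenSSL FIPS module's code. The 16-byte block size, the names crng_next, demo_block and outputs_before_failure, and the counter-based source (constructed, not random) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLK 16 /* assumed block size in bytes */

typedef int (*block_fn)(void *state, uint8_t out[BLK]);
typedef struct {
    block_fn src; void *state;
    uint8_t prev[BLK];
    int primed, failed;
} crng;

/* Returns 1 and fills out on success; returns 0 once the test has failed. */
int crng_next(crng *c, uint8_t out[BLK]) {
    uint8_t cur[BLK];
    if (c->failed) return 0;            /* sticky: no silent recovery */
    if (!c->primed) {                   /* first block is saved, never output */
        if (!c->src(c->state, c->prev)) { c->failed = 1; return 0; }
        c->primed = 1;
    }
    if (!c->src(c->state, cur) || memcmp(cur, c->prev, BLK) == 0) {
        c->failed = 1;                  /* two consecutive equal blocks */
        return 0;
    }
    memcpy(c->prev, cur, BLK);
    memcpy(out, cur, BLK);
    return 1;
}

/* Constructed source: a counter that sticks at freeze_at. Not random. */
typedef struct { uint64_t n, freeze_at; } demo_src;
static int demo_block(void *state, uint8_t out[BLK]) {
    demo_src *s = state;
    memset(out, 0, BLK);
    memcpy(out, &s->n, sizeof s->n);
    if (s->n < s->freeze_at) s->n++;
    return 1;
}

/* Number of blocks delivered (up to max) before the test trips. */
size_t outputs_before_failure(uint64_t freeze_at, size_t max) {
    demo_src s = { 0, freeze_at };
    crng c = { demo_block, &s, {0}, 0, 0 };
    uint8_t out[BLK];
    size_t ok = 0;
    while (ok < max && crng_next(&c, out)) ok++;
    return ok;
}

/* Even if the source later behaves, the failed state must persist. */
int failure_is_sticky(void) {
    demo_src s = { 0, 0 };
    crng c = { demo_block, &s, {0}, 0, 0 };
    uint8_t out[BLK];
    int first = crng_next(&c, out);
    s.freeze_at = 100;                  /* source "recovers" */
    return first == 0 && crng_next(&c, out) == 0;
}
```

With a sound 16-byte source, a repeat of the previous block has probability 2^-128 per draw, so a failure in practice means the source is repeating itself, as with the stuck counter here.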