I'm an expert on random number generators and knowledgeable about FIPS 140. But I'm not knowledgeable about the RNG facilities on OpenSSL. In general you don't "set" the entropy, rather you set up an entropy source. However, some systems do allow running on a fixed input string. But the design of the system needs to combine that with some other things like date&time, processor serial number, etc., that together make a value that will never occur more than once.

    --David

On 9/25/13 10:10 AM, Karan Popali wrote:
Thanks David.

If I use the default DRBG, do I need to set the entropy?

-Karan


On Wed, Sep 25, 2013 at 9:34 AM, David Jacobson wrote:

    According to FIPS 140, the continuous test fails if two
    consecutive values from the RNG are the same. No matter how
    strange or low-entropy the seeding, this should happen only with
    vanishingly small probability. So something is seriously wrong.
    You absolutely should not try to work around this. You must find
    the root cause and fix it.

    Also you imply that this is repeatable.  Are the failures exactly
    repeatable?  If so, this would suggest that you have no entropy at
    all.

        --David

    On 9/24/13 2:23 PM, karanpopali wrote:

        I'm using FIPS OpenSSL on Android and FIPS_rand_bytes() fails
        the continuous test after some time. I read in the
        SecurityPolicy that if it fails then we need to uninstantiate
        and re-instantiate the DRBG.

        A few questions:
        1. Is there any way to avoid this? Will using HMAC DRBG or
        Hash DRBG help?
        2. Is this a FATAL error?
        3. If we hit this error, do we need to restart the process, or is
        just uninstantiate/re-instantiate enough?

        Version info:
        FIPS canister: 2.0.1
        OpenSSL: 1.0.1c

        Thanks,
        Karan



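The continuous test discussed in this thread, sketched in C as an added example; it is not part of the thread and not code from the OpenSSL FIPS module. All names are hypothetical, and the 128-bit block size and the two block sources are constructed for illustration. For an ideal generator with n-bit blocks, two consecutive blocks match with probability 2^-n, which is why a failure here points at the generator or its seeding rather than at bad luck.

```c
#include <stdint.h>
#include <string.h>
#define BLOCK_LEN 16  /* n = 128 bits per generated block */
typedef void (*block_source)(uint8_t out[BLOCK_LEN]);
typedef struct {
    block_source src;
    uint8_t prev[BLOCK_LEN];  /* last block produced */
    int primed;               /* 1 once the first block is stored */
    int failed;               /* sticky error state */
} crngt_ctx;
void crngt_init(crngt_ctx *c, block_source src) {
    memset(c, 0, sizeof *c);
    c->src = src;
}

/* Returns 0 and fills out, or -1 once the continuous test has failed. */
int crngt_generate(crngt_ctx *c, uint8_t out[BLOCK_LEN]) {
    uint8_t cur[BLOCK_LEN];
    if (c->failed) return -1;
    if (!c->primed) {  /* first block is kept for comparison, never output */
        c->src(c->prev);
        c->primed = 1;
    }
    c->src(cur);
    if (memcmp(cur, c->prev, BLOCK_LEN) == 0) {
        c->failed = 1;  /* stays failed until crngt_init() is called again */
        return -1;
    }
    memcpy(c->prev, cur, BLOCK_LEN);
    memcpy(out, cur, BLOCK_LEN);
    return 0;
}

/* Constructed stand-ins for a generator; neither is a real DRBG. */
static uint64_t ctr;
void changing_source(uint8_t out[BLOCK_LEN]) {  /* every block differs */
    ctr++;
    memset(out, 0, BLOCK_LEN);
    memcpy(out, &ctr, sizeof ctr);
}
void stuck_source(uint8_t out[BLOCK_LEN]) { memset(out, 0xA5, BLOCK_LEN); }
/* Index of the first failing generate call out of n, or -1 if none failed. */
int first_failure(block_source src, int n) {
    crngt_ctx c; uint8_t out[BLOCK_LEN];
    crngt_init(&c, src);
    for (int i = 0; i < n; i++) if (crngt_generate(&c, out) != 0) return i;
    return -1;
}
int main(void) { return first_failure(stuck_source, 10) == 0 ? 0 : 1; }
```

A source that fails on the very first call and at the same point on every run, as `stuck_source` does, is the exactly repeatable pattern the thread associates with having no entropy at all.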