Re: CSPRNG algorithms

2009-05-07 Thread Darren Lasko
On Fri, Mar 13, 2009 at 1:16 PM, Travis
travis+ml-cryptogra...@subspacefield.org wrote:

> I have never seen a good catalog of computationally-strong
> pseudo-random number generators.

Here is a list of the FIPS-approved random number generators:
http://csrc.nist.gov/groups/ST/toolkit/random_number.html

NIST Special Publication 800-90 provides recommendations for
deterministic random bit generators (not sure why they chose to use
DRBG instead of PRNG) based on hash functions, block ciphers, and
number theoretic problems (speculation exists that the latter contains
a back door).

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
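As an added illustration of the hash-based family Darren points to (this is not code from the thread), here is HMAC_DRBG from NIST SP 800-90A instantiated with SHA-256. The caller supplies the entropy input and optional nonce/personalization string; the reseed counter and per-request limit follow the document's tables. The demo seed at the bottom uses os.urandom and the class, function and constant names are this example's own.

```python
"""HMAC_DRBG (NIST SP 800-90A) instantiated with SHA-256, 256-bit strength.

Added illustration, not code from the original thread.  The caller supplies
the entropy input; os.urandom is used only in the demo at the bottom.
"""
import hashlib
import hmac
import os


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class HmacDrbg:
    OUTLEN = 32                 # SHA-256 output length in bytes
    SECURITY_STRENGTH = 32      # 256 bits, expressed in bytes
    RESEED_INTERVAL = 1 << 48   # generate() calls allowed before reseed() is mandatory
    MAX_REQUEST = 1 << 16       # bytes per generate() call (2^19 bits)

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # SP 800-90A: entropy_input carries >= security_strength bits and the nonce
        # >= security_strength/2 bits (or the entropy input supplies both).
        if len(entropy) < self.SECURITY_STRENGTH or \
                len(entropy) + len(nonce) < self.SECURITY_STRENGTH + self.SECURITY_STRENGTH // 2:
            raise ValueError("need >= 32 bytes of entropy and >= 48 bytes of entropy plus nonce")
        self._k = b"\x00" * self.OUTLEN
        self._v = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)   # seed_material
        self._reseed_counter = 1

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: fold provided_data into the (K, V) state."""
        self._k = hmac_sha256(self._k, self._v + b"\x00" + provided_data)
        self._v = hmac_sha256(self._k, self._v)
        if not provided_data:
            return
        self._k = hmac_sha256(self._k, self._v + b"\x01" + provided_data)
        self._v = hmac_sha256(self._k, self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        if len(entropy) < self.SECURITY_STRENGTH:
            raise ValueError("reseed needs at least 32 bytes of entropy input")
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        if num_bytes > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")       # caller must reseed() first
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self._v = hmac_sha256(self._k, self._v)
            out += self._v
        self._update(additional_input)                  # state moves on: backtracking resistance
        self._reseed_counter += 1
        return out[:num_bytes]


if __name__ == "__main__":
    drbg = HmacDrbg(os.urandom(48), personalization=b"example-app")
    print(drbg.generate(32).hex())
```

The construction is only as strong as the entropy input it is seeded with; the DRBG itself never manufactures entropy, which is exactly the seeding question raised in the FIPS 140-2 thread further down this page.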


Key Management Interoperability Protocol (KMIP)

2009-02-13 Thread Darren Lasko
Probably of interest to this group...

http://www.webwire.com/ViewPressRel.asp?aId=87063

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

[Moderator's note: the page is about something called KMIP that a few
companies seem to have privately developed.

It is generally considered friendly to include enough information with
a forwarded URL so that readers can decide if they want to look at
what is being referenced. I may start being strict about that in the
future. --Perry]


Re: once more, with feeling.

2008-09-08 Thread Darren Lasko
Arshad Noor wrote:
> A more optimal solution is to have this vulnerability accepted by
> the OWASP community as a Top 10 security vulnerability; it will
> have the appropriate intended effect since mitigation to the OWASP
> defined vulnerabilities is required in PCI-DSS:
>
>   6.5 Develop all web applications based on secure coding guidelines
>   such as the Open Web Application Security Project guidelines
>

Isn't this vulnerability already in the Top 10, specifically A7 - Broken 
Authentication and Session Management (
http://www.owasp.org/index.php/Top_10_2007-A7)?

From the Protection section for A7:

Do not allow the login process to start from an unencrypted page. Always 
start the login process from a second, encrypted page with a fresh or new 
session token to prevent credential or session stealing, phishing attacks 
and session fixation attacks.

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

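To show what the quoted A7 protection buys, here is an added example (not code from the thread or from OWASP) of a login handler in its vulnerable form, which keeps whatever session id the browser presented, beside the hardened form, which refuses to run over plain http and mints a fresh id on successful login. The user table, password, request scheme argument and function names are constructed for the demo.

```python
"""Session fixation: weak login versus login that starts on an encrypted page
and issues a fresh session token.

Added illustration of the OWASP A7 protection quoted above; not code from the
thread.  The user table, password and request values are constructed.
"""
import secrets

# Constructed demo credential store (plaintext only to keep the demo short;
# a real store holds salted password hashes).
DEMO_PASSWORD = "correct horse battery staple"
USERS = {"alice": DEMO_PASSWORD}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    # Constant-time comparison; an unknown user still pays for a comparison.
    return secrets.compare_digest(stored or "", password) and stored is not None


def new_session_id() -> str:
    return secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG


def session_cookie(sid: str) -> str:
    # Secure: never sent over plain http; HttpOnly: not readable by script.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    def __init__(self):
        self._sessions = {}          # sid -> {"user": name or None}

    def anonymous(self) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        s = self._sessions.get(sid)
        return s["user"] if s else None

    # Vulnerable form: reuses whatever session id the browser presented,
    # so an id an attacker planted in the victim's browser becomes authenticated.
    def weak_login(self, scheme, presented_sid, username, password):
        if not check_password(username, password):
            return None
        self._sessions.setdefault(presented_sid, {})["user"] = username
        return presented_sid

    # Hardened form: refuse http, discard the presented id, mint a fresh one.
    def login(self, scheme, presented_sid, username, password):
        if scheme != "https":
            raise PermissionError("login must start from an encrypted page")
        if not check_password(username, password):
            return None
        self._sessions.pop(presented_sid, None)   # planted or pre-login id dies here
        sid = new_session_id()
        self._sessions[sid] = {"user": username}
        return sid


def fixation_demo() -> dict:
    """Attacker gets an anonymous sid, plants it in the victim's browser, victim logs in."""
    result = {}
    weak = SessionStore()
    planted = weak.anonymous()
    weak.weak_login("https", planted, "alice", DEMO_PASSWORD)
    result["weak_attacker_is"] = weak.user_for(planted)      # "alice": attacker owns her session

    hard = SessionStore()
    planted = hard.anonymous()
    fresh = hard.login("https", planted, "alice", DEMO_PASSWORD)
    result["hard_attacker_is"] = hard.user_for(planted)      # None: planted id is dead
    result["hard_victim_is"] = hard.user_for(fresh)          # "alice", under a new id
    return result


if __name__ == "__main__":
    print(fixation_demo())
```

The `Secure` attribute on the cookie is the other half of the rule: a session token that is only ever set and sent over TLS cannot be stolen from the unencrypted page the quoted text tells you not to start from.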


Re: FIPS 140-2, PRNGs, and entropy sources

2007-07-09 Thread Darren Lasko

On 7/8/07, Joshua Hill [EMAIL PROTECTED] wrote:

> On Sat, Jul 07, 2007 at 10:53:17PM -0600, Darren Lasko wrote:
> > 1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
> > from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)?  If
> > not, will Annex C be updated to include the PRNGs from SP 800-90?
>
> The PRNGs in SP800-90 are listed in the current Annex C (see
> item #6 on page 4; this occurred in January of this year).
> http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf

Hey, look at that!  I guess I should have downloaded the latest
version before posting my question... I was looking at a revision I
downloaded back in November.  Sorry for the superfluous question.

> There is no algorithm testing for the SP800-90 RNGs yet, but they are
> allowed for use in the approved mode of operation because of IG 1.10
> (http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf).  You'll also want
> to read IG 1.12, which directly pertains to the testing that is required
> to test the vendor's assertion that they have a compliant SP800-90 RNG.

Thank you, that's very good information.

> > 2) Does FIPS 140-2 have any requirements regarding the quality of the
> > entropy source that is used for seeding a PRNG?
>
> Yes.  The requirements imposed by FIPS 140-2
> (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)
> are in section 4.7.2:
>   Compromising the security of the key generation method (e.g., guessing
>   the seed value to initialize the deterministic RNG) shall require at
>   least as many operations as determining the value of the generated key.
> (which would apply to any RNG output that became a key)
>
> and in section 4.7.3:
>   Compromising the security of the key establishment method (e.g.,
>   compromising the security of the algorithm used for key establishment)
>   shall require at least as many operations as determining the value of
>   the cryptographic key being transported or agreed upon.
> (which would apply to any RNG output that is used in a security relevant
> way in a key establishment scheme)

Again, good information.  However, it seems pretty nebulous about how
they expect you to measure the number of operations required to
compromise the security of the key generation method.  Do you know
what kind of documentation the labs require?

SP 800-90, Appendix C.3, states that the min-entropy method shall be
used for estimating entropy, but this method only uses the
probabilities assigned to each possible sample value.  I'm guessing
that measuring ONLY the probabilities associated with each sample is
insufficient for assessing your entropy source.  For example, if I
obtain 1 bit per sample and I measure 50% 0's and 50% 1's, I have
full entropy by that measure, even if my entropy source always
produces 1010101010101010.

Is the NIST Statistical Test Suite sufficient for evaluating your
entropy source, and will the certification labs accept results from
the STS as an assessment of the entropy source?

Thanks and best regards,
Darren Lasko

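Darren's 1010... example can be made concrete. The following added code (not from the thread) computes the frequency-based min-entropy of SP 800-90 Appendix C.3 next to a simple lag-predictor estimate on two constructed streams: a perfectly periodic bit stream and a pseudo-random one derived from SHA-256 in counter mode. The lag predictor is this example's own, written in the spirit of the predictor-based estimators NIST later specified in SP 800-90B; the function names, the stream generator and its seed are assumptions of the example.

```python
"""Frequency min-entropy (SP 800-90 App. C.3 style) versus a lag-predictor
estimate, run on a periodic stream and a pseudo-random stream.

Added illustration, not code from the thread.  Both streams are constructed
here; the lag predictor is this example's own.
"""
import hashlib
import math
from collections import Counter


def frequency_min_entropy(samples) -> float:
    """H_min = -log2(max_i p_i), with p_i taken from the observed frequencies.
    This sees only the histogram, so any ordering in the stream is invisible to it."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def lag_hit_rate(samples, lag: int) -> float:
    """Fraction of samples correctly guessed by 'same value as `lag` samples ago'."""
    hits = sum(1 for i in range(lag, len(samples)) if samples[i] == samples[i - lag])
    return hits / (len(samples) - lag)


def predictor_min_entropy(samples, max_lag: int = 16) -> tuple:
    """Min-entropy implied by the best lag predictor: -log2(best hit rate).
    Returns (entropy_per_sample, best_lag)."""
    binary = len(set(samples)) == 2
    best_p, best_lag = 0.0, 0
    for lag in range(1, max_lag + 1):
        p = lag_hit_rate(samples, lag)
        if binary:
            p = max(p, 1.0 - p)      # a 0% hit rate on bits means 'predict the opposite' is 100%
        if p > best_p:
            best_p, best_lag = p, lag
    best_p = max(best_p, 1.0 / len(samples))   # avoid log2(0) on tiny or exotic inputs
    return -math.log2(best_p), best_lag


def assess(samples) -> dict:
    """Take the smaller of the two estimates; a source must survive both."""
    freq = frequency_min_entropy(samples)
    pred, lag = predictor_min_entropy(samples)
    return {"frequency_min_entropy": freq, "predictor_min_entropy": pred,
            "best_lag": lag, "min_entropy_per_sample": min(freq, pred)}


def periodic_bits(n_bits: int) -> list:
    """Constructed worst case: 1010... exactly 50% ones, zero real entropy."""
    return [1, 0] * (n_bits // 2)


def pseudo_random_bits(n_bits: int, seed: bytes = b"constructed-demo-seed") -> list:
    """Constructed stand-in for a healthy source: SHA-256 in counter mode, so the demo is deterministic."""
    bits, counter = [], 0
    while len(bits) < n_bits:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for byte in block:
            bits.extend((byte >> k) & 1 for k in range(8))
        counter += 1
    return bits[:n_bits]


if __name__ == "__main__":
    print("periodic:     ", assess(periodic_bits(8192)))
    print("pseudo-random:", assess(pseudo_random_bits(8192)))
```

On the periodic stream the frequency estimate reports a full bit per sample while the predictor reports zero, which is the gap Darren describes; on the pseudo-random stream both sit near one bit. A predictor that never beats chance is evidence against one specific kind of structure, not proof of entropy, so such checks complement rather than replace a physical model of the source.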


FIPS 140-2, PRNGs, and entropy sources

2007-07-08 Thread Darren Lasko

Hello,

I have a couple of questions related to FIPS 140-2:

1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)?  If
not, will Annex C be updated to include the PRNGs from SP 800-90?

2) Does FIPS 140-2 have any requirements regarding the quality of the
entropy source that is used for seeding a PRNG?  I couldn't find any such
requirement, which seems like a glaring oversight when evaluating the
security of a product that may generate keys and other critical security
parameters.

Thanks for your help.

Best regards,
Darren Lasko