Re: How important is FIPS 140-2 Level 1 cert?

2006-12-26 Thread Peter Gutmann
Leichter, Jerry [EMAIL PROTECTED] writes:
> | From: [Name Withheld]
> | Actually you can't even guarantee that because the FIPS 140 requirements
> | for the ANSI X9.17/X9.31 PRNG include a pile of oddball things that made
> | sense for the original X9.17 use (where it was assumed the only source
> | of entropy was a DES3 key embedded in secure hardware) but are severe
> | restrictions on current implementations. As a result a FIPS 140-
> | certified key generator will be worse than a well-designed non-FIPS-140
> | one because the FIPS requirements prevent you from doing several things
> | that would improve the functioning like injecting extra entropy into the
> | generator besides the DES3 key.
> I think this was changed as FIPS 140 evolved.  Several things about the
> random number generator evolved.  For example, in earlier versions, you had
> to run some tests on your generator at every startup.  That disappeared by
> FIPS 140-2.

That was because for a good RNG the only thing you'd ever get are false
positives, so it acted as a 'make your generator fail randomly' test.

(It makes sense for a hardware generator, but never did for software.)

There are already a pile of huge mental leaps you have to make to apply some
of the more hardware-oriented bits of FIPS 140 to software implementations, if
you read Microsoft's CryptoAPI FIPS docs you'll see some examples of these in
there.  For example the physical module boundary is the case of the PC that
Windows is running on, the role-based access control covers one single user,
whoever's using the PC at the moment, and so on - it's compliance by creating
paperwork rather than by engineering.  (I'm not trying to bash Microsoft here,
other vendors have to resort to the same thing, see e.g. the Crypto++ docs for
another public example of this).  The problem here is that FIPS 140 was
designed for military-security-model crypto hardware, has been stretched to
cover embedded device crypto, and has been seriously over-stretched to try and
cover software crypto (that is, instead of creating a distinct profile to
cover software implementations, the hardware implementation was taken into
places it was never meant to go).  The only way to reconcile the two is
through increasingly tortuous interpretations of various hardware-derived
requirements that don't really work for software.

> You're definitely free to set the starting state using any source of entropy
> you like. I *think* you can add extra entropy along the way; though even if
> this were not allowed, you could probably declare that you were restarting.

Depends entirely on who's doing the eval.  For example if you read the OpenSSL
FIPS docs (http://www.openssl.org/docs/fips/) they have an entire appendix
dedicated to a discussion of the absence of fork protection, which they
weren't allowed to add:

  The fact that this 'fork protection' is absent in the FIPS object module
  PRNG concerns many in the OpenSSL developer and user community, and will be
  the primary obstacle to making the fips configuration option a default.

In addition I've heard of evaluations where the generator is required to use a
monotonically increasing counter (clock value) as the seed, so you can't just
use the PRNG as a postprocessor for an entropy polling mechanism.  Then again
I know of some that have used it as exactly that without any problems.

(Maybe we could come up with a cross-reference of who will allow what, and
then people could choose the most sensible evaluator to submit things to).

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: gang uses crypto to hide identity theft databases

2006-12-26 Thread Travis H.
On Sun, Dec 24, 2006 at 11:10:40PM +, Rick van Rein wrote:
> This is not =entirely= true.  A key stored in the same (non-swappable)
> location for a long time will burn into the memory.  (I know that I am
> reacting beside the point of your story, to which I agree.)

Pimpin' Peter's Papers:
http://www.cypherpunks.to/~peter/usenix01.pdf
-- 
A: No.
Q: Should I include quotations after my reply?
URL: http://www.subspacefield.org/~travis/




secure CRNGs and FIPS (Re: How important is FIPS 140-2 Level 1 cert?)

2006-12-26 Thread Adam Back
Anonymous wrote:
 [criticizing FIPS CRNGs]

You can make a secure CRNG that you can obtain FIPS 140 certification
on using the FIPS 186-2 appendix 3.1 (one of my clients got FIPS 140
on an implementation of the FIPS 186-2 RNG that I implemented for
general key generation and such crypto use.)

You should apply change notice 1 under the section on general purpose
random number generation, or you will be doing needless modulo q
bignum operations for general RNG use (the default, non-change-notice
modified RNG is otherwise hard-coded for DSA k value generation and
related things; 186-2 being the FIPS DSA standard doc).


Also, about continuously adding seeding: this is also provided with the
186-2 RNG via the XSEED parameter, which allows the system to add
extra entropy at any time.


About the criticisms of Common Criteria evaluation in general, I think
the reason people complain it is a documentation exercise is because pretty
much all it does is ensure that it does what it says it does.  So
basically you have to enumerate threats, state which threats the
system is designed to protect against, and which are out of scope.

Then the rest of the documentation is just saying, in increasing
detail, that you have not made mistakes in the design and
specification and to some extent implementation.


So as someone else said in the thread, as a user you need to read the
security target document section on security objectives and
assumptions, and check if they protect against attacks that are
relevant to you.

Another aspect of security targets is protection profiles.  A
protection profile is basically a sort of set of requirements for
security targets for a given type of system.  So you might get e.g. a
protection profile for hard disk encryption.  The protection profile
will be standardized, and so it makes it a bit easier for the
consumer as it's less likely the protection profile will be massaged.
(I mean the consortium or standardization body creating the protection
profile will want some security quality bar.)

Adam

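Added example, not code from this thread, from Adam's client, or from any FIPS-validated module: the FIPS 186-2 Appendix 3.1 "general purpose" x_j sequence that Adam describes, using the SHA-1-based G function of Appendix 3.3 and the optional XSEED input for adding entropy at any time. The reading of change notice 1 as "drop the mod q reduction for non-DSA use" is taken from Adam's post and is an assumption here, as is the SHA-1 compression function written out by hand (hashlib does not expose it). The pid check in generate() is not in FIPS 186-2 at all; it is the kind of 'fork protection' the OpenSSL FIPS appendix quoted in Peter's post says they were not allowed to add, included here so the difference is visible. The self-check against hashlib on single-block messages stands in for the power-up known-answer test a FIPS 140 module would run.

```python
"""FIPS 186-2 Appendix 3.1 general-purpose RNG with SHA-1 G (Appendix 3.3).

Added example; assumptions: change notice 1 == no 'mod q' step for general
use, and the fork guard is a non-standard addition for illustration.
"""
import hashlib  # only used to cross-check the hand-written compression
import os
import struct

# Appendix 3.1 step 2: t is the SHA-1 initial chaining value.
T_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_compress(state, block):
    """One SHA-1 compression: 5-word state + 64-byte block -> 5-word state."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def g_sha1(t, c, b):
    """Appendix 3.3: G(t, c). The b-bit value c is left-aligned in a 512-bit
    block, padded with zeros, and run through ONE compression with state t
    (no SHA-1 length padding, which is why hashlib cannot be used directly)."""
    block = c.to_bytes(b // 8, "big") + bytes(64 - b // 8)
    return struct.pack(">5I", *sha1_compress(t, block))


def known_answer_check():
    """Cross-check sha1_compress against hashlib on messages whose SHA-1
    padding fits a single block (the power-up KAT idea from FIPS 140)."""
    for msg in (b"", b"a" * 55):
        padded = msg + b"\x80" + bytes(55 - len(msg)) + struct.pack(">Q", 8 * len(msg))
        if struct.pack(">5I", *sha1_compress(T_INIT, padded)) != hashlib.sha1(msg).digest():
            return False
    return True


class Fips186Rng:
    """Appendix 3.1 step 3 for m values of x, 'general purpose' variant."""

    def __init__(self, xkey, b=160, fork_guard=True):
        # XKEY is a secret of b bits, 160 <= b <= 512 (byte-aligned here for simplicity).
        if not (160 <= b <= 512 and b % 8 == 0 and len(xkey) == b // 8):
            raise ValueError("XKEY must be exactly b bits, 160 <= b <= 512, b a multiple of 8")
        self.b = b
        self.mask = (1 << b) - 1
        self.xkey = int.from_bytes(xkey, "big")
        self.fork_guard = fork_guard
        self._pid = os.getpid()

    def generate(self, xseed=b""):
        """One iteration of step 3: returns the 160-bit x_j and advances XKEY.
        xseed is the optional XSEED_j user input (step 3a)."""
        seed = int.from_bytes(xseed, "big")
        if self.fork_guard and os.getpid() != self._pid:
            # NOT part of FIPS 186-2: after fork() both processes would otherwise
            # continue from identical XKEY and emit identical x_j values.
            seed += int.from_bytes(os.urandom(self.b // 8), "big")
            self._pid = os.getpid()
        xval = (self.xkey + seed) & self.mask                         # step 3b
        x = g_sha1(T_INIT, xval, self.b)                              # step 3c, no mod q
        self.xkey = (1 + self.xkey + int.from_bytes(x, "big")) & self.mask  # step 3d
        return x


if __name__ == "__main__":
    if not known_answer_check():
        raise SystemExit("SHA-1 compression self-test failed")
    rng = Fips186Rng(os.urandom(20))
    print(rng.generate().hex())
    print(rng.generate(xseed=os.urandom(20)).hex())  # extra entropy via XSEED
```

With fork_guard=False the class is the bare standard sequence: two instances seeded with the same XKEY and fed the same XSEED values produce byte-identical output, which is exactly what a copy of the state across fork() would do.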