Re: FIPS 140-2, PRNGs, and entropy sources

2007-07-16 Thread lists
On 9 Jul 2007 16:08:33 -0600, Darren Lasko wrote:
 2) Does FIPS 140-2 have any requirements regarding the quality of the
 entropy source that is used for seeding a PRNG?
 Yes.  The requirements imposed by FIPS 140-2
 (http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)
 are in section 4.7.2:
  Compromising the security of the key generation method (e.g., guessing
  the seed value to initialize the deterministic RNG) shall require as
  least as many operations as determining the value of the generated key.
 (which would apply to any RNG output that became a key)

 and in section 4.7.3:
  Compromising the security of the key establishment method (e.g.,
  compromising the security of the algorithm used for key establishment)
  shall require at least as many operations as determining the value of
  the cryptographic key being transported or agreed upon.
 (which would apply to any RNG output that is used in a security relevant
 way in a key establishment scheme)


  For whatever reason, I get asked FIPS 140 questions and this one about
FIPS 140-2 comes up on occasion. It is good someone finally asked in
public and received a public reply. A bit convoluted, and this says
nothing about seeding requirements for a PRNG not used for key
generation/agreement, but it is the logic of FIPS 140-2 with regards to
PRNG seeding.

 Again, good information.  However, it seems pretty nebulous about how
 they expect you to measure the number of operations required to
 compromise the security of the key generation method.  Do you know
 what kind of documentation the labs require?
 
 SP 800-90, Appendix C.3, states that the min-entropy method shall be
 used for estimating entropy, but this method only uses the
 probabilities assigned to each possible sample value.  I'm guessing
 that measuring ONLY the probabilities associated with each sample is
 insufficient for assessing your entropy source.  For example, if I
 obtain 1 bit per sample and I measure 50% 0's and 50% 1's, I have
 full entropy by that measure, even if my entropy source always
 produces 1010101010101010.
 
 Is the NIST Statistical Test Suite sufficient for evaluating your
 entropy source, and will the certification labs accept results from
 the STS as an assessment of the entropy source?

 From what I have seen, the labs understand what will pass muster with
NIST/CSE for FIPS 140-2 based on their experience with the many FIPS
140-2 validation efforts performed to this point, so they are a good
gauge of what NIST/CSE will smile upon here, even though there has been
little formal guidance. Most labs are fine with standard techniques for
gathering entropy from a system, such as polling various timings for
things like disk access, plus whitening, such as running the results of
the polling through a FIPS-approved hashing algorithm. Hardware RNGs,
such as a noise source, can be used either as just another source
in the polling, or as the only source. When using a hardware RNG, most
vendors focus on this as the primary source of entropy, and labs will
often require many details about the hardware RNG as a result.

As far as what to provide, well, you need to describe how the PRNG is
seeded, give code pointers to the seeding and any entropy gathering
routines, include details on any hardware RNGs, and construct a general
rationale for why all this adds up to meeting the requirements. The labs
can take it from there and ask for more information as needed, such as
sample output from the entropy gathering routines to examine. If you are
concerned about not meeting the requirements, chatting with a lab or
consultant about what is required is not out of the question - it might
even provide some metric as to how friendly and responsive the team you
are considering working with for your validation will be.

FWIW, up to this point in time, I have rarely seen formal calculations
of entropy by vendors in the rationale for meeting these requirements
(those few times were mostly with vendors that built their own hardware
RNGs), and I have seen statistical tests used by vendors a little bit as
a part of the rationale behind meeting these requirements.

-Andrew

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: FIPS 140-2, PRNGs, and entropy sources

2007-07-10 Thread Joshua Hill
On Mon, Jul 09, 2007 at 04:08:33PM -0600, Darren Lasko wrote:
 However, it seems pretty nebulous about how
 they expect you to measure the number of operations required to
 compromise the security of the key generation method.  Do you know
 what kind of documentation the labs require?

The requirements are broadly worded, which means that just about any
detectable security problem in the RNG seeding should result in the
module being non-compliant.  This broad wording also makes formulating
(and evaluating) arguments for compliance with this requirement fairly
difficult.

The entropy requirements in section 8 of SP800-90 are (sadly) not enforced
(as per IG 1.12).  There is no CMVP-wide requirement for describing the
computational resistance to attack of the RNG seed using min-entropy,
though this entropy measure is well suited to the task.  (Should I perform
some sort of ritual to ward off the "If it's not Shannon entropy, it's
not entropy" discussion?)

An excellent way of approaching these requirements is to:
 1) Understand the underlying physical process that produces uncertainty,
 and develop a statistical model for this process.
 2) Use this statistical model to calculate the min-entropy of the source.
 3) Test bulk data output from your system to verify that the data
 supports your min-entropy estimate.

It can be quite difficult to produce this style of argument (and in some
cases not feasible, as in the case where the vendor is using an RNG from
another company).

In any case, I suspect that you'll be well served by doing as much of
this process as you can (in coordination with your testing lab) and
hope that CMVP agrees with your reasoning.  Sadly, there has been no
firm guidance from CMVP that really tells the labs precisely what CMVP
expects to happen.

 Is the NIST Statistical Test Suite sufficient for evaluating your
 entropy source, and will the certification labs accept results from
 the STS as an assessment of the entropy source?

sts does a fairly good job at testing to see if the RNG under test
produces data that appears to be statistically random.  If you know a
priori that your seed information is not full entropy, then you don't
gain much by passing the seed data through sts, as the sts testing result
will almost certainly be a 'fail', perhaps spectacularly so.

Of course, if you pass almost any seed data through a cryptographic
process, it will look statistically random, and will pass sts testing.
This pass is also meaningless, as you could have effectively 0
min-entropy, and still pass sts testing.

As a practical matter, I view passing sts testing with some suspicion.
In my experience, entropy sources with perfect statistical properties
are rare, but inclusion of cryptographic processing within the seeding
process is common.  As such, a passing sts test result is more likely
to mean that the data has been cryptographically processed (and thus
the test results are meaningless) than the seed inputs are full entropy.

Additionally, sts is easy to misuse, and it seems that many users of the
tool don't read through the SP800-22 document prior to using the tool.
As a result, sts users often select some fairly odd testing parameters
that yield results that are not statistically meaningful.  Recent versions
of sts catch many of these problems, but not all of them, so it's still
important to read through the SP800-22 document prior to using the tool.

Josh
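
The two points made in this thread (the 1010... source that looks like full entropy when only sample frequencies are measured, and cryptographically processed seed data passing statistical tests with effectively 0 min-entropy), as an added Python example that is not part of the original messages. The function names, the first-order "previous bit" model and the SHA-256-of-a-counter source are assumptions chosen for illustration; the monobit check is the frequency test from SP800-22, not a full sts run.

```python
import hashlib
import math
from collections import Counter

def min_entropy_iid(bits):
    """Frequency-only estimate: -log2(max p) over single-sample values."""
    return -math.log2(max(Counter(bits).values()) / len(bits))

def min_entropy_markov(bits):
    """Assumed stand-in for a model with memory: -log2 of the best
    guess probability for a bit when the previous bit is known."""
    trans = Counter(zip(bits, bits[1:]))
    prev_totals = Counter(bits[:-1])
    best_guess = max(n / prev_totals[p] for (p, _), n in trans.items())
    return abs(math.log2(best_guess))

def monobit_p_value(bits):
    """SP 800-22 frequency (monobit) test; p >= 0.01 counts as a pass."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))

def sha256_counter_bits(nblocks):
    """Constructed zero-entropy source: SHA-256 of a public counter."""
    out = []
    for i in range(nblocks):
        digest = hashlib.sha256(i.to_bytes(4, "big")).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(8))
    return out

# Constructed inputs: the thread's 1010... source and a hashed counter.
ALTERNATING = [1, 0] * 512
HASHED = sha256_counter_bits(64)

if __name__ == "__main__":
    for name, bits in (("alternating", ALTERNATING), ("sha256(counter)", HASHED)):
        print(f"{name:16s} iid={min_entropy_iid(bits):.3f} "
              f"markov={min_entropy_markov(bits):.3f} "
              f"monobit_p={monobit_p_value(bits):.3f}")
```

The alternating source scores 1 bit per bit on frequencies alone and drops to 0 once the previous bit is modelled. The hashed counter scores close to 1 on both estimates even though anyone who knows the counter can reproduce every bit, which is why a statistical model of the raw source has to come before any bulk testing.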



Re: FIPS 140-2, PRNGs, and entropy sources

2007-07-09 Thread Darren Lasko

On 7/8/07, Joshua Hill [EMAIL PROTECTED] wrote:

On Sat, Jul 07, 2007 at 10:53:17PM -0600, Darren Lasko wrote:
 1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
 from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)?  If
 not, will Annex C be updated to include the PRNGs from SP 800-90?

The PRNGs in SP800-90 are listed in the current Annex C (see
item #6 on page 4; this occurred in January of this year).
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf



Hey, look at that!  I guess I should have downloaded the latest
version before posting my question... I was looking at a revision I
downloaded back in November.  Sorry for the superfluous question.


There is no algorithm testing for the SP800-90 RNGs yet, but they are
allowed for use in the approved mode of operation because of IG 1.10
(http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf).  You'll also want
to read IG 1.12, which directly pertains to the testing that is required
to test the vendor's assertion that they have a compliant SP800-90 RNG.



Thank you, that's very good information.


 2) Does FIPS 140-2 have any requirements regarding the quality of the
 entropy source that is used for seeding a PRNG?

Yes.  The requirements imposed by FIPS 140-2
(http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)
are in section 4.7.2:
 Compromising the security of the key generation method (e.g., guessing
 the seed value to initialize the deterministic RNG) shall require as
 least as many operations as determining the value of the generated key.
(which would apply to any RNG output that became a key)

and in section 4.7.3:
 Compromising the security of the key establishment method (e.g.,
 compromising the security of the algorithm used for key establishment)
 shall require at least as many operations as determining the value of
 the cryptographic key being transported or agreed upon.
(which would apply to any RNG output that is used in a security relevant
way in a key establishment scheme)



Again, good information.  However, it seems pretty nebulous about how
they expect you to measure the number of operations required to
compromise the security of the key generation method.  Do you know
what kind of documentation the labs require?

SP 800-90, Appendix C.3, states that the min-entropy method shall be
used for estimating entropy, but this method only uses the
probabilities assigned to each possible sample value.  I'm guessing
that measuring ONLY the probabilities associated with each sample is
insufficient for assessing your entropy source.  For example, if I
obtain 1 bit per sample and I measure 50% 0's and 50% 1's, I have
full entropy by that measure, even if my entropy source always
produces 1010101010101010.

Is the NIST Statistical Test Suite sufficient for evaluating your
entropy source, and will the certification labs accept results from
the STS as an assessment of the entropy source?

Thanks and best regards,
Darren Lasko



FIPS 140-2, PRNGs, and entropy sources

2007-07-08 Thread Darren Lasko

Hello,

I have a couple of questions related to FIPS 140-2:

1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)?  If
not, will Annex C be updated to include the PRNGs from SP 800-90?

2) Does FIPS 140-2 have any requirements regarding the quality of the
entropy source that is used for seeding a PRNG?  I couldn't find any such
requirement, which seems like a glaring oversight when evaluating the
security of a product that may generate keys and other critical security
parameters.

Thanks for your help.

Best regards,
Darren Lasko


Re: FIPS 140-2, PRNGs, and entropy sources

2007-07-08 Thread Joshua Hill
On Sat, Jul 07, 2007 at 10:53:17PM -0600, Darren Lasko wrote:
 1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
 from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)?  If
 not, will Annex C be updated to include the PRNGs from SP 800-90?

The PRNGs in SP800-90 are listed in the current Annex C (see
item #6 on page 4; this occurred in January of this year).
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf

There is no algorithm testing for the SP800-90 RNGs yet, but they are
allowed for use in the approved mode of operation because of IG 1.10
(http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf).  You'll also want
to read IG 1.12, which directly pertains to the testing that is required
to test the vendor's assertion that they have a compliant SP800-90 RNG.

 2) Does FIPS 140-2 have any requirements regarding the quality of the
 entropy source that is used for seeding a PRNG?

Yes.  The requirements imposed by FIPS 140-2
(http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)
are in section 4.7.2:
 Compromising the security of the key generation method (e.g., guessing
 the seed value to initialize the deterministic RNG) shall require as
 least as many operations as determining the value of the generated key.
(which would apply to any RNG output that became a key)

and in section 4.7.3:
 Compromising the security of the key establishment method (e.g.,
 compromising the security of the algorithm used for key establishment)
 shall require at least as many operations as determining the value of
 the cryptographic key being transported or agreed upon.
(which would apply to any RNG output that is used in a security relevant
way in a key establishment scheme)

Josh
