Adam Back wrote:
> About the criticisms of Common Critera evaluation in general, I think
> why people complain it is a documentation exercise is because pretty
> much all it does ensure that it does what it says it does. So
> basically you have to enumerates threats, state what threats the
> syste
On 27 Dec 2006 14:10:10 -0500, Thor Lancelot Simon wrote:
> On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use
>> a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use th
Peter Gutmann wrote:
> Ben Laurie <[EMAIL PROTECTED]> writes:
>
>> While we're at it, an amusing fact I learnt about FIPS-140 while I was
>> implementing it for OpenSSL is that some of the Monte Carlo tests have output
>> that's independent of the input.
>
> Did you also notice that the MCT test
Ben Laurie <[EMAIL PROTECTED]> writes:
>While we're at it, an amusing fact I learnt about FIPS-140 while I was
>implementing it for OpenSSL is that some of the Monte Carlo tests have output
>that's independent of the input.
Did you also notice that the MCT test vectors published in "The Random Nu
Thor Lancelot Simon wrote:
> On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use
>> a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for a
Thor Lancelot Simon <[EMAIL PROTECTED]> writes:
>On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use
>> a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a
On 22 Dec 2006 11:43:58 -0500, Perry E. Metzger wrote:
> [I was asked to forward this anonymously. --Perry]
>
> From: [Name Withheld]
> To: cryptography@metzdowd.com
> Subject: Re: How important is FIPS 140-2 Level 1 cert?
>
> Paul Hoffman <[EMAIL PROTECTED]> wrote:
&g
On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>
> In addition I've heard of evaluations where the generator is required to use a
> monotonically increasing counter (clock value) as the seed, so you can't just
> use the PRNG as a postprocessor for an entropy polling mechanism. The
Anoymous wrote:
> [criticizing FIPS CRNGs]
You can make a secure CRNG that you can obtain FIPS 140 certification
on using the FIPS 186-2 appendix 3.1 (one of my clients got FIPS 140
on an implementation of the FIPS 186-2 RNG that I implemented for
general key generation and such crypto use.)
You
"Leichter, Jerry" <[EMAIL PROTECTED]> writes:
>| From: [Name Withheld]
>| Actually you cant even guarantee that because the FIPS 140 requirements
>| for the ANSI X9.17/X9.31 PRNG include a pile of oddball things that made
>| sense for the original X9.17 use (where it was assumed the only source
>|
| From: [Name Withheld]
| To: cryptography@metzdowd.com
| Subject: Re: How important is FIPS 140-2 Level 1 cert?
|
| Paul Hoffman <[EMAIL PROTECTED]> wrote:
|
| > At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
| > >If two products have exactly same feature set, but one is FIPS 140
> restrictions on current implementations. As a result a FIPS 140-
> certified key generator will be worse than a well-designed non-FIPS-140
> one because the FIPS requirements prevent you from doing several things
> that would improve the functioning like injecting extra entropy into the
> generat
[I was asked to forward this anonymously. --Perry]
From: [Name Withheld]
To: cryptography@metzdowd.com
Subject: Re: How important is FIPS 140-2 Level 1 cert?
Paul Hoffman <[EMAIL PROTECTED]> wrote:
> At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
> >If two products have exactly s
At 8:15 PM -0500 12/21/06, Saqib Ali wrote:
Assuming that the two products use Internet protocols (as compared to
proprietary protocols):
I don't understand this statement. What do you mean by internet
protocol vs proprietary protocol???
Now seeing what your company does, I can see where you
Assuming that the two products use Internet protocols (as compared to
proprietary protocols):
I don't understand this statement. What do you mean by internet
protocol vs proprietary protocol???
And also we are looking at FDE solutions, so there are no internet
protocols involved in that.
no.
At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
I would like to know how much weight people usually give to the FIPS
140-2 Level 1 certification.
US federal agencies are supposed to require that certification for
any system they buy that uses crypto.
Sometimes, US state agencies require it as w
16 matches
Mail list logo