Re: secure CRNGs and FIPS (Re: How important is FIPS 140-2 Level 1 cert?)

2007-01-08 Thread Matthias Bruestle
Adam Back wrote:
 About the criticisms of Common Critera evaluation in general, I think
 why people complain it is a documentation exercise is because pretty
 much all it does ensure that it does what it says it does.  So
 basically you have to enumerates threats, state what threats the
 system is designed to protect against, and which are out of scope.
 
 Then the rest of the documentation is just saying that in increasing
 detail, that you have not made mistakes in the design and
 specification and to some extent implementation.

CC has very good points. One of the best points is IMO the ST/PP concept
which encourages to think what to protect against what. And I do think
that most of the CC documents are helpful. But some, esp. these which
occupy the most paper, are IMO not worth their effort. These are the
low- and high-level design. They are meant to be the link between
specification and implementation, but I am sure that there are simpler
ways to show the link. And my experience is that these two documents do
not change the product in any way.

Matthias

-- 
Matthias Bruestle, Managing Director
Phone +49 (0) 91 19 55 14 91, Fax +49 (0) 91 19 55 14 97
MaskTech GmbH, Nordostpark 16, 90411 Nuernberg, Germany

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


secure CRNGs and FIPS (Re: How important is FIPS 140-2 Level 1 cert?)

2006-12-26 Thread Adam Back
Anoymous wrote:
 [criticizing FIPS CRNGs]

You can make a secure CRNG that you can obtain FIPS 140 certification
on using the FIPS 186-2 appendix 3.1 (one of my clients got FIPS 140
on an implementation of the FIPS 186-2 RNG that I implemented for
general key generation and such crypto use.)

You should apply change notice 1 under the section general purpose
random number generation, or you will be doing needless modulo q
bignum operations for general RNG use (the default, non-change-note
modified RNG is otherwise hard code for DSA k value generation and
related things 186-2 being the FIPS DSA standard doc).


Also about continuously adding seeding this is also provided with
186-2 rng via the XSEED parameter, which allows the system to add
extra entropy at any time.


About the criticisms of Common Critera evaluation in general, I think
why people complain it is a documentation exercise is because pretty
much all it does ensure that it does what it says it does.  So
basically you have to enumerates threats, state what threats the
system is designed to protect against, and which are out of scope.

Then the rest of the documentation is just saying that in increasing
detail, that you have not made mistakes in the design and
specification and to some extent implementation.


So as someone else said in the thread, as a user you need to read the
security target document section on security objectives and
assumptions, and check if they protect against attacks that are
relevant to you.

Another aspect of security targets is protection profiles.  A
protection profile is basically a sort of set of requirements for
security targets for a given type of system.  So you might get eg a
protection profile for hard disk encryption.  The protection profile
will be standardized on and so it makes it a bit easier for the
consumer as its less likely the protection profile will be massaged.
(I mean the consortium or standardization body creating the protection
profile will want some security quality bar).

Adam

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]