[10153] in cryptography@c2.net mail archive
Re: Linux-style kernel PRNGs and the FIPS140-2 test
daemon@ATHENA.MIT.EDU (Greg Rose)
Wed Jan 16 13:10:33 2002
Message-Id: <4.3.1.2.20020116121235.034735d0@127.0.0.1>
Date: Wed, 16 Jan 2002 13:20:17 +1100
To: Thor Lancelot Simon <tls@reefedge.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: cryptography@wasabisystems.com, tls@reefedge.com
In-Reply-To: <20020115152305.A17304@pla-muek.reefedge.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
There was an error in the bounds for the runs test specified by NIST; last
October they updated FIPS 140-2 to specify new bounds. An updated version
of my code can be found at http://people.qualcomm.com/ggr/QC/ (our old web
pages are stale, and I'm still trying to have them taken down by our ex-ISP).
Here's an excerpt from the comment in the new code:
* Version 1.3 -- Bill Chauncey and his colleagues pointed out to NIST that
* the bounds in the runs test were incorrect.
* They issued an update 2001-oct-10.
If the new one still shows an anomalous number of runs test failures, there
is a real problem.
regards,
Greg.
At 03:23 PM 1/15/2002 -0500, Thor Lancelot Simon wrote:
>Many operating systems use "Linux-style" (environmental noise
>stirred with a hash function) generators to provide "random"
>and pseudorandom data on /dev/random and /dev/urandom
>respectively. A few modify the general Linux design by adding an
>output buffer which is not stirred so that bits which have already
>been output are not stirred into the pool of "new" "random" data
>(IMO, not doing this is insane, but that's a different subject).
>
>The enclosed implementation of the FIPS140-1/2 statistical test
>appears to show that such generators fail the "runs" test quite
>regularly. Interestingly, the Linux generator seems to do better
>the longer you let it run (which, perhaps, suggests that quite a
>bit of data should be run through it at boot time and discarded)
>but other, related generators do not.
>
>The usual failure mode is "too many runs of 1 1s". Using MD5
>instead of SHA1 as the mixing function, the Linux generator
>also displays "too many runs of 1 0s". I have not yet seen
>other failure modes from these generators.
>
>To reproduce my results, just compile the enclosed and do
>"a.out < /dev/urandom" on your platform of choice.
>
>Thor
Greg Rose INTERNET: ggr@qualcomm.com
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
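An added example, not Greg Rose's program nor Thor's enclosed test code: a Python implementation of the four FIPS 140-2 power-up tests (monobit, poker, runs, long run) over a 20,000-bit sample, carrying both runs-test tables side by side, the original May 2001 bounds and the wider bounds of the 2001-10-10 change notice the message refers to. The two bounds tables are quoted from the standard as I know it, not from this message, and should be checked against the published text before being relied on; the sample inputs in the usage section and tests are constructed. Running the same run counts against both tables shows how a count that is perfectly ordinary under the corrected bounds (e.g. 2670 runs of a single 1) was flagged as "too many runs of 1 1s" under the original ones, which is exactly the symptom Thor reports.

```python
"""FIPS 140-2 power-up statistical tests on a 20,000-bit sample (added example)."""
import os
from collections import Counter

SAMPLE_BITS = 20_000

# Runs-test bounds for a 20,000-bit sample, keyed by run length; key 6 means "6 or more".
# Original FIPS 140-2 (May 2001) table, i.e. the too-tight intervals discussed above.
RUNS_BOUNDS_ORIGINAL = {1: (2343, 2657), 2: (1135, 1365), 3: (542, 708),
                        4: (251, 373), 5: (111, 201), 6: (111, 201)}
# Table from Change Notice 1 (2001-10-10), the update the message refers to.
RUNS_BOUNDS_UPDATED = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                       4: (240, 384), 5: (103, 209), 6: (103, 209)}
MONOBIT_BOUNDS = (9725, 10275)   # strict inequality on the number of 1 bits
POKER_BOUNDS = (2.16, 46.17)     # strict inequality on the poker statistic X
LONG_RUN_LIMIT = 26              # any run of 26 or more identical bits fails


def bytes_to_bits(data):
    """Unpack bytes MSB-first into a list of 0/1 ints, truncated to SAMPLE_BITS."""
    bits = []
    for byte in data:
        for shift in range(7, -1, -1):
            bits.append((byte >> shift) & 1)
    return bits[:SAMPLE_BITS]


def count_runs(bits):
    """Return (runs of 1s, runs of 0s, longest run); each Counter maps run length
    to count, with lengths of 6 or more bucketed under key 6 as the standard does."""
    ones, zeros = Counter(), Counter()
    longest = 0
    i, n = 0, len(bits)
    while i < n:
        j = i
        while j < n and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        (ones if bits[i] else zeros)[min(length, 6)] += 1
        i = j
    return ones, zeros, longest


def runs_test(ones, zeros, bounds):
    """Return a list of failure descriptions; an empty list means the runs test passed."""
    failures = []
    for label, counts in (("1s", ones), ("0s", zeros)):
        for length, (lo, hi) in bounds.items():
            c = counts.get(length, 0)
            if c < lo:
                failures.append(f"too few runs of {length} {label}: {c} < {lo}")
            elif c > hi:
                failures.append(f"too many runs of {length} {label}: {c} > {hi}")
    return failures


def monobit_test(bits):
    """Count of 1 bits must lie strictly inside MONOBIT_BOUNDS."""
    n_ones = sum(bits)
    return MONOBIT_BOUNDS[0] < n_ones < MONOBIT_BOUNDS[1], n_ones


def poker_test(bits):
    """X = (16/5000) * sum(f_i^2) - 5000 over the 5000 non-overlapping 4-bit nibbles."""
    freq = Counter()
    for i in range(0, SAMPLE_BITS, 4):
        freq[(bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]] += 1
    x = (16 / 5000) * sum(f * f for f in freq.values()) - 5000
    return POKER_BOUNDS[0] < x < POKER_BOUNDS[1], x


def long_run_test(longest):
    """A run of LONG_RUN_LIMIT or more identical bits anywhere in the sample fails."""
    return longest < LONG_RUN_LIMIT, longest


def fips140_2(data, runs_bounds=RUNS_BOUNDS_UPDATED):
    """Run all four tests on exactly 2500 bytes; 'runs' lists failures, 'passed' sums up."""
    bits = bytes_to_bits(data)
    if len(bits) != SAMPLE_BITS:
        raise ValueError("need exactly 2500 bytes (20,000 bits)")
    ones, zeros, longest = count_runs(bits)
    result = {
        "monobit": monobit_test(bits)[0],
        "poker": poker_test(bits)[0],
        "long_run": long_run_test(longest)[0],
        "runs": runs_test(ones, zeros, runs_bounds),
    }
    result["passed"] = result["monobit"] and result["poker"] and result["long_run"] and not result["runs"]
    return result


if __name__ == "__main__":
    # Constructed sample: 2500 bytes from the OS generator, standing in for the
    # "a.out < /dev/urandom" invocation in the quoted message.
    sample = os.urandom(SAMPLE_BITS // 8)
    for name, bounds in (("original bounds", RUNS_BOUNDS_ORIGINAL),
                         ("updated bounds", RUNS_BOUNDS_UPDATED)):
        print(name, fips140_2(sample, bounds))
```

Repeating the `__main__` loop many times over a generator under suspicion is the practical check: with the updated table a healthy source should fail the runs test only very rarely, so a persistent excess of "too many runs of 1 1s" reports under those bounds points at the generator rather than at the test, which is the distinction Greg draws above.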
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com