[147897] in cryptography@c2.net mail archive


Re: [Cryptography] FIPS 140 testing hurting secure random bit

daemon@ATHENA.MIT.EDU (Stephan Mueller)
Wed Oct 30 14:37:34 2013

X-Original-To: cryptography@metzdowd.com
From: Stephan Mueller <smueller@chronox.de>
To: cryptography@metzdowd.com
Date: Wed, 30 Oct 2013 19:11:53 +0100
In-Reply-To: <9A6D57D8-DEA4-45A6-8AEF-75997083FA2B@vpnc.org>
Cc: John Kelsey <crypto.jmk@gmail.com>, Paul Hoffman <paul.hoffman@vpnc.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Wednesday, 30 October 2013, 07:20:11, Paul Hoffman wrote:

Hi Paul,

>On Oct 29, 2013, at 8:59 PM, John Kelsey <crypto.jmk@gmail.com> wrote:
>> On Oct 28, 2013, at 5:28 PM, dj@deadhat.com wrote:
>> 
>> ...
>> 
>>> But the specifications (SP800-90x & FIPS 140-2) make it
>>> spectacularly hard to mix in multiple sources in a compliant way.
>>> SP800-90 gives a way to mix in "additional entropy" and
>>> "personalization strings", but FIPS 140-2 states that all sources
>>> must be authenticated. All configuring entities must be
>>> authenticated. Try authenticating hardware on one end of chip
>>> against hardware at the other end of the chip. It is the mother of
>>> all chicken and egg problems.
>> 
>> Wait, the FIPS labs refuse to let you put your own stuff into those
>> additional inputs?
>From what multiple implementers (not just Peter) have said: yes.
>
>> More broadly to everyone: If you see problems with how the FIPS
>> validation process plays with the DRBGs, or other problems, email a
>> formal comment in.
>This is a somewhat absurd suggestion for two reasons:
>
>- The NIST CMVP people have a reputation (that may or may not be
>deserved) for taking much longer to validate systems from
>boat-rockers. I have been told by implementers that their labs
>explicitly told them not to complain about anything during the 140-3
>development process because of this.
>
>- The folks in NIST Computer Security Division are down the hall from
>these people. They are writing rules for the documents generated by
>CSD. The people in CSD need to lead the charge for fixing the broken
>testing, not asking people who are already paying hundreds of
>thousands of dollars, and losing even more of that in delayed sales,
>to do the work of fixing CMVP.
>
>This problem has been known by the CSD and CMVP people for many years.
>The other deep problems with the CMVP have been known for many years.
>Everyone looks at NIST as NIST, not as two departments. You can fix
>this, but we can't.

Being a FIPS tester, I am called by NIST to enforce such or similarly 
strange requirements that at best do not help cryptography. Deviations 
are not an option...

Ciao
Stephan
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
