On Thu, Aug 26, 2010 at 06:25:55AM -0400, Jerry Leichter wrote:
> On Aug 25, 2010, at 4:37 PM, travis+ml-cryptogra...@subspacefield.org wrote:
> >
> > I also wanted to double-check these answers before I included them:
> >
> > 1) Is Linux /dev/{u,}random FIPS 140 certified?
> > No, because FIPS 140-2 does not allow TRNGs (what they call
> > non-deterministic). I couldn't tell if FIPS 140-1 allowed it, but
> > FIPS 140-2 supersedes FIPS 140-1. I assume they don't allow
> > non-determinism because it makes the system harder to test/certify,
> > not because it's less secure.
>
> No one has figured out a way to certify, or even really describe in
> a way that could be certified, a non-deterministic generator.
Would it be possible to combine a FIPS 140-2 PRNG with a TRNG such that
testing and certification could be feasible? I'm thinking of a system
where a deterministic (seeded) RNG and non-deterministic RNG are used to
generate a seed for a deterministic RNG, which is then used for the
remainder of the system's operation until next boot or next re-seed.
That is, the seed for the run-time PRNG would be a safe combination
(say, XOR) of the outputs of a FIPS 140-2 PRNG and non-certifiable TRNG.

    factory_prng = new PRNG(factory_seed, sequence_number, datetime);
    trng = new TRNG(device_path);
    runtime_prng = new PRNG(factory_prng.gen(seed_size) ^ trng.gen(seed_size), 0, 0);

One could then test and certify the deterministic RNG and show that the
non-deterministic RNG cannot destroy the security of the system (thus the
non-deterministic RNG would not require testing, much less certification).

To me it seems obvious that the TRNG in the above scheme cannot
negatively affect the security of the system (given a sufficiently large
seed anyways).

Nico
--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
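The XOR seed combiner sketched in Nico's message, worked through as an added example (this is not code from the thread). The HMAC-SHA256 counter generator is a constructed stand-in for a certified DRBG, `broken_trng` is a constructed worst-case hardware source that only emits zeros, and the check at the end shows the property the mail relies on: a dead TRNG degrades the runtime seed to exactly the PRNG's output and no further.

```python
import hashlib
import hmac
import os


def drbg_bytes(seed: bytes, n: int, label: bytes = b"") -> bytes:
    """Deterministic generator: HMAC-SHA256 in counter mode over `seed`.
    Constructed stand-in for the certified PRNG of the mail (a real system
    would use an approved DRBG such as HMAC_DRBG); it only has to be
    deterministic here so the combiner's behaviour can be checked."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def factory_prng_output(factory_seed: bytes, sequence_number: int, n: int) -> bytes:
    # Deterministic side: keyed by the factory seed and a per-boot sequence
    # number, so two boots never reuse the same PRNG output even if the TRNG fails.
    return drbg_bytes(factory_seed, n, b"boot" + sequence_number.to_bytes(8, "big"))


def combine_seeds(prng_out: bytes, trng_out: bytes) -> bytes:
    # XOR combiner from the mail. The result is as unpredictable as the stronger
    # input provided the two inputs are independent (a TRNG that could observe
    # the PRNG output and cancel it would break that assumption).
    if len(prng_out) != len(trng_out):
        raise ValueError("seed halves must be the same length")
    return bytes(a ^ b for a, b in zip(prng_out, trng_out))


def make_runtime_seed(factory_seed: bytes, sequence_number: int, trng, seed_size: int = 32) -> bytes:
    # `trng` is any callable returning seed_size bytes, e.g. os.urandom.
    return combine_seeds(factory_prng_output(factory_seed, sequence_number, seed_size), trng(seed_size))


def broken_trng(n: int) -> bytes:
    # Constructed failure mode: the hardware source is dead and returns all zeros.
    return bytes(n)


if __name__ == "__main__":
    factory_seed = bytes(range(32))  # constructed example value, not a real seed
    good = make_runtime_seed(factory_seed, 1, os.urandom)
    bad = make_runtime_seed(factory_seed, 1, broken_trng)
    # With a dead TRNG the runtime seed is exactly the PRNG output: no worse than PRNG alone.
    assert bad == factory_prng_output(factory_seed, 1, 32)
    print("runtime PRNG sample:", drbg_bytes(good, 16).hex())
```

The same check is what a test suite for the combiner should pin down: the runtime seed with a zero TRNG must equal the PRNG-only seed, and seeds for different boot sequence numbers must differ.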