ksreedha...@gmail.com wrote:
On Apr 24, 10:03 am, Wan-Teh Chang <w...@google.com> wrote:
On Thu, Apr 23, 2009 at 1:51 PM,  <ksreedha...@gmail.com> wrote:
Hello,
I am using Mozilla JSS provider from Java. JSS 4.2.5
NSS 3.11.4
NSPR 4.6.4
When the FIPS RNG continuous tests fail, what is the behavior in NSS/
JSS? What does it return? Do we get a Java exception to the calling
function?
For example, when Java code tries to establish a TLS Socket session,
and these continuous tests fail during random number generation, do we
get an exception to the socket creation code?
I guess so.  In FIPS mode, once the continuous RNG test fails, the
NSS software crypto module ("softoken") enters an error state, and
all subsequent crypto operations will fail.  I don't know how these
NSS errors will be reflected in Java, but JSS definitely won't be able
to do TLS.

Wan-Teh

Thanks Wan for the reply.

I was also certain that JSS will not be able to do TLS but it would be
helpful if a distinct exception/error is thrown in case the continuous
tests fail. It seems we need to flag/log these messages.
Understand that it is very unlikely that the NSS 3.11.4 FIPS RNG would fail, but if the RNG continuous test failed, NSS would consider that a critical error, and would go into an error state, setting SEC_ERROR_LIBRARY_FAILURE, and would allow no further cryptographic operation until NSS was re-initialized. All JSS methods requesting the NSS module to perform an operation would result in an exception, most likely org.mozilla.jss.crypto.TokenRuntimeException,
but this exception is not guaranteed for all methods.

If anyone can point me to what kind of errors will be thrown, that would
be great.
Otherwise I may have to tweak the nss code.
You're welcome to tweak that NSS code, but understand that would break NSS 3.11.4 FIPS compliance, meaning if you want to tweak the NSS code, you would have to submit a patch, have the patch pass review, and
then have the release with that included patch pass a FIPS validation.

If you want the JSS exception to be consistent, you would be tweaking the JSS code (not NSS), and providing a patch for JSS.

But right now I don't see the point. The JSS layer is FIPS compliant because it requests the NSS cryptographic module to perform any and all cryptographic operations. If the RNG continuous test fails, the NSS cryptographic module enters an error state and is not usable. A Java application configured to be FIPS compliant using JSS/NSS would be unusable for cryptographic operations until re-initialized. If the user configured NSS to audit data, the user would view the configured log files.

See Access to Audit Data in the NSS security policy:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

-glen

Thanks,
Sreedhar

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
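
A minimal C model of the behavior discussed in this thread, added here as an illustration and not taken from NSS or JSS: a continuous RNG test that compares each block with the previous one, latches an error state on a repeat, and refuses every service until re-initialization. The names `module_t`, `module_random`, `module_other_op`, the `MOD_*` codes, the 8-byte block size and both sample generators are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK 8                                     /* illustrative block size in bytes */
enum { MOD_OK = 0, MOD_ERR_LIBRARY_FAILURE = -1 };  /* hypothetical result codes */
typedef int (*rng_fn)(uint8_t out[BLOCK]);          /* raw generator under test */

typedef struct {
    rng_fn  src;
    uint8_t prev[BLOCK];   /* last block produced, kept only for comparison */
    int     error_state;   /* sticky: cleared only by module_init() */
} module_t;

/* (Re)initialize: clear the error state and prime the comparison block.
 * The first block is stored for comparison and never handed to a caller. */
int module_init(module_t *m, rng_fn src) {
    m->src = src;
    m->error_state = (src(m->prev) != 0);
    return m->error_state ? MOD_ERR_LIBRARY_FAILURE : MOD_OK;
}

/* Continuous test: a block identical to its predecessor is a failure. */
int module_random(module_t *m, uint8_t out[BLOCK]) {
    uint8_t cur[BLOCK];
    if (m->error_state) return MOD_ERR_LIBRARY_FAILURE;
    if (m->src(cur) != 0 || memcmp(cur, m->prev, BLOCK) == 0) {
        m->error_state = 1;
        memset(out, 0, BLOCK);          /* never release the suspect block */
        return MOD_ERR_LIBRARY_FAILURE;
    }
    memcpy(m->prev, cur, BLOCK);
    memcpy(out, cur, BLOCK);
    return MOD_OK;
}

/* Stand-in for any other crypto service: gated on the same error state. */
int module_other_op(const module_t *m) {
    return m->error_state ? MOD_ERR_LIBRARY_FAILURE : MOD_OK;
}

/* Constructed generators for the demo: one healthy, one stuck. */
static unsigned ctr;
int good_src(uint8_t out[BLOCK])  { memset(out, 0, BLOCK); out[0] = (uint8_t)++ctr; return 0; }
int stuck_src(uint8_t out[BLOCK]) { memset(out, 0xAA, BLOCK); return 0; }
module_t demo; uint8_t demo_out[BLOCK];             /* shared demo instance */

int main(void) {
    module_init(&demo, stuck_src);
    int first = module_random(&demo, demo_out);     /* fails: repeated block */
    int after = module_other_op(&demo);             /* fails: error state latched */
    module_init(&demo, good_src);                   /* re-initialization clears it */
    return !(first && after && module_random(&demo, demo_out) == MOD_OK);
}
```

A caller that checks only the first failing call misses the latched state: every later request returns the same generic failure, so the cause has to be recovered from the first error or from the audit log.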
