Thanks Wan-Teh for the reply.

In the link you have sent it is stated that,

"The initial value of XKEY is derived using the following procedure.

We obtain 1024 bytes from the system random number generator. On
Windows XP SP 2, we call the CryptGenRandom function in the CryptoAPI.
On Solaris, HP-UX, Linux, and Mac OS X, we read from the special
device /dev/urandom."

So, the system random number generator (which is used for the seed) is not
a FIPS-approved RNG, and continuous tests have to be performed on it,
right?

Thanks,
Sreedhar

On Apr 28, 9:41 pm, Wan-Teh Chang <w...@google.com> wrote:
> On Tue, Apr 28, 2009 at 6:02 PM,  <ksreedha...@gmail.com> wrote:
>
> > For FIPS, the Continuous RNG test should be performed on approved or
> > non-approved RNGs that are used.
>
> > If I understand correctly, NSS uses /dev/urandom as entropy source but
> > it does not generate the random number twice from /dev/urandom and
> > compare them, right?
>
> Right, but this is because the continuous RNG test requirement does
> not apply to entropy sources.  Many entropy sources aren't RNGs.
>
> Please see the following for more info on the RNG in the NSS crypto
> module and its entropy sources:
> https://wiki.mozilla.org/VE_07KeyMgmt#Random_Number_Generator
> https://wiki.mozilla.org/VE_07KeyMgmt#Key_Generation
>
> In any case, the continuous RNG test is performed by the
> crypto module itself, rather than by the user of the crypto
> module.  So you don't need to perform the continuous RNG
> test.
>
> Wan-Teh

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
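
The continuous RNG test discussed in this thread, the one Wan-Teh says the crypto module runs itself, can be sketched as below. This is an added example, not part of the thread and not NSS code; the block size, the `crngt_*` names and the scripted test source are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define BLOCK_LEN 16  /* assumed block size for this sketch */

/* Hypothetical block source: fills out[BLOCK_LEN], returns 0 on success. */
typedef int (*block_source_fn)(void *ctx, unsigned char out[BLOCK_LEN]);

typedef struct {
    block_source_fn source;
    void *source_ctx;
    unsigned char prev[BLOCK_LEN]; /* last block produced, kept for comparison */
    int primed;                    /* 1 once the first block has been saved */
    int failed;                    /* sticky error state */
} crngt_state;

void crngt_init(crngt_state *s, block_source_fn source, void *ctx) {
    memset(s, 0, sizeof *s);
    s->source = source;
    s->source_ctx = ctx;
}

/* Returns 0 and writes a block to out, or -1 once the test has failed. */
int crngt_next(crngt_state *s, unsigned char out[BLOCK_LEN]) {
    unsigned char cur[BLOCK_LEN];
    if (s->failed) return -1;
    if (!s->primed) {
        /* The first block after init is never output, only saved. */
        if (s->source(s->source_ctx, s->prev) != 0) { s->failed = 1; return -1; }
        s->primed = 1;
    }
    if (s->source(s->source_ctx, cur) != 0 ||
        memcmp(cur, s->prev, BLOCK_LEN) == 0) {
        s->failed = 1;             /* identical consecutive blocks: fail */
        memset(cur, 0, sizeof cur);
        return -1;
    }
    memcpy(s->prev, cur, BLOCK_LEN);
    memcpy(out, cur, BLOCK_LEN);
    memset(cur, 0, sizeof cur);
    return 0;
}

/* Constructed test source: replays a script, one byte value per block. */
typedef struct { const unsigned char *script; size_t len, pos; } scripted_src;

int scripted_block(void *ctx, unsigned char out[BLOCK_LEN]) {
    scripted_src *src = ctx;
    if (src->pos >= src->len) return -1;
    memset(out, src->script[src->pos++], BLOCK_LEN);
    return 0;
}
```

The check lives inside the generator and latches an error state, so a caller of the module only sees success or failure and has nothing to compare on its own.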