Chris Brook wrote:
>As far as I understand it, FIPS 140-2 requires that you use a FIPS approved
>RNG for generating keys (if that's what you meant below). This includes
>ANSI X9.31 and FIPS 186-2, neither of which of course are supported by
>OpenSSL which has its own PRNG. You might want to look at adding these if
>the FIPS effort is the direction you're heading. We'd be happy to contribute
>the routines, I think.

Actually the current FIPS PRNG is ANSI X9.31 (the comments identify it as
X9.17, but the actual algorithm implementation is the same as for X9.31). I
should also mention that we've had some thoughtful feedback pointing out
errors in the FIPS PRNG code with respect to X9.17/X9.31, and are discussing
the same with the test lab; the final result will be X9.17/X9.31.

FIPS 186-2 would be nice, but at this point would require testing which
means $$$ (PRNG testing was not required for our submission on 5-28, but
new requirements have since been imposed).

-Steve M.
Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831