-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Marquess, Steve Mr JMLFDC
Sent: Monday, July 12, 2004 10:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Disabling for FIPS mode, take 2Chris Brook wrote:
>As far as I understand it, FIPS 140-2 requires that you use a FIPS approved
>RNG for generating keys (if that's what you meant below). This includes
>ANSI X9.31 and FIPS 186-2, neither of which of course are supported by
>OpenSSL which has its own PRNG. You might want to look at adding these if
>the FIPS effort is the direction you're heading. We'd be happy to contribute
>the routines, I think.Actually the current FIPS PRNG is ANSI X9.31 (the comments identify it as
X9.17, but the actual algorithm implementation is the same as for X.31). I
should also mention that we've had some thoughtful feedback pointing out
errors in the FIPS PRNG code with respect to X9.17/X9.31, and are discussing
the same with the test lab; the final result will be X9.17/X9.31.FIPS 186-2 would be nice, but at this point would require testing which
means $$$ (PRNG testing was not required for our submission on 5-28, but
new requirements have since been imposed).-Steve M.
Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
[EMAIL PROTECTED]
Title: RE: Disabling for FIPS mode, take 2
I had
heard that there were issues with the X9.31 implementation. As I said we
have got certs for both X9.31 and 186-2 so if you need anything let me
know. We could contribute the routines to OpenSSL if that would
help.
Chris
