On Tue, Nov 13, 2007 at 03:37:42PM -0800, Rodney Thayer wrote:
> wasn't one of these MS RNGs tested via FIPS at some point?

This seems likely. FIPS 140-2 cert #103 seems like the relevant cert:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2000.htm#103

Further, the pseudocode outlined by the authors looks to me as if it's a really botched attempt ("attempted enhancement"?) at a FIPS 186-2 Appendix 3.1 RNG (though the authors of the paper didn't think so). If this is indeed in the validated module, the lab doing the evaluation missed it. When this particular evaluation occurred, there was no requirement for algorithm testing for the RNG.

You'll also note that there was no requirement for algorithm testing of the RNG for the Windows XP CAPI providers, so the design of those RNGs is also anyone's guess. Some more recent CAPI providers have algorithm certs, so this flaw presumably does not exist in all versions of the CryptGenRandom RNG (certs #321, #316, #314, #313, #292, #286, and #66):
http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html
(These cover some WinCE providers, Windows Server 2003, and the "Windows Vista RNG implementation".)

> why, if win2k is essentially end-of-life, would they not
> check windows xp? this makes me question their methodology.

Their style of evaluation suggests that they reverse engineered the relevant components, which takes a fair bit of time. They may have looked at newer versions and noted that they were different and just not put the time into the analysis. It could also be that they want to be able to publish another paper later. :-)

Josh
