On 12/23/2010 04:39 AM, Kurt Knochner wrote:
> 2010/12/22 Marsh Ray<ma...@extendedsubset.com>:
>> In any case, generic statistical tests might detect really
>> horrible brokenness but they're not the thing to certify CSRNGs
>> with.
>
> Really? So, how do you certify the IMPLEMENTATION (bold, not
> shouting) of a CSRNG (not the theoretical design)?

'Certify' means different things to different people of course. Most
professionals don't insist on having the implementations that they use
formally certified, but some do. For example, Firefox has a 'FIPS Mode'
https://developer.mozilla.org/en/NSS/FIPS_Mode_-_an_explanation
But I've never heard of anybody using it unless they have to.

It's a really good question: how do you prove that something is
unpredictable?

In the US, it is the agency NIST. They coordinate and adopt standards
for deterministic and non-det pseudorandom number generation.
(There are some really fascinating documents on that site.)

NIST ran the competition which chose AES and are currently running one
to select SHA-3. They have some people who know a bit about the subject:
http://csrc.nist.gov/staff/rolodex/kelsley_john.html

NIST publishes some stuff about random generation from their statistical
engineering division:
http://itl.nist.gov/div898/pubs/ar/ar1998/node6.html
http://www.itl.nist.gov/div898/pubs/ar/ar2000/node9.html

But the computer security division covers the cryptographic side:
http://csrc.nist.gov/groups/ST/toolkit/random_number.html
http://csrc.nist.gov/groups/ST/toolkit/rng/index.html

They are careful to point out the distinction between statistical testing and cryptanalysis:
These tests may be useful as a first step in determining whether or
not a generator is suitable for a particular cryptographic
application. However, no set of statistical tests can absolutely
certify a generator as appropriate for usage in a particular
application, i.e., statistical testing cannot serve as a substitute
for cryptanalysis.

It looks like the FIPS standards are what cover the certification of an actual "cryptographic module implementation".
http://csrc.nist.gov/groups/STM/cmvp/inprocess.html

So the process would involve an approved design and you would have to submit your implementation to a NIST-approved "Cryptographic Security and Testing laboratory" for testing.

You can probably find some war stories about that process if you search around online.

- Marsh
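An added illustration of the point Marsh makes above, not code from the thread or from NIST: the SP 800-22 monobit (frequency) test is run over a 16-bit maximal-length LFSR, a textbook predictable generator, and over a crudely biased source. The LFSR passes the statistical test while a crude source fails it, yet 16 observed LFSR output bits hand an observer the whole state. The tap positions are the standard x^16 + x^14 + x^13 + x^11 + 1 polynomial and the seed 0xACE1 is a constructed sample.

```python
import math

# x^16 + x^14 + x^13 + x^11 + 1 (taps 16,14,13,11) is a primitive
# polynomial, so the LFSR is maximal-length: period 2^16 - 1 bits.
LFSR_PERIOD = 65535


def lfsr_bits(state: int, count: int) -> list[int]:
    """Emit `count` output bits of a Fibonacci LFSR seeded with `state`."""
    out = []
    for _ in range(count):
        out.append(state & 1)                      # output is the low bit
        fb = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)          # shift right, feed back at bit 15
    return out


def recover_lfsr_state(first16: list[int]) -> int:
    """Feedback only reaches bit 0 after 16 shifts, so output bit i (i < 16)
    is simply bit i of the seed: 16 observed bits give the full state,
    and with it every future bit. No statistical test can see this."""
    return sum(b << i for i, b in enumerate(first16))


def monobit_p_value(bits: list[int]) -> float:
    """NIST SP 800-22 section 2.1 frequency (monobit) test:
    S_n = sum(2*bit - 1), p = erfc(|S_n| / sqrt(2 n)); p < 0.01 is a fail."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def passes_monobit(bits: list[int], alpha: float = 0.01) -> bool:
    return monobit_p_value(bits) >= alpha


def biased_bits(count: int) -> list[int]:
    """Constructed 'horribly broken' source: three ones for every zero."""
    return [0 if i % 4 == 0 else 1 for i in range(count)]


if __name__ == "__main__":
    stream = lfsr_bits(0xACE1, LFSR_PERIOD)   # one full period: 32768 ones, 32767 zeros
    print("LFSR monobit p-value:  ", round(monobit_p_value(stream), 4))        # ~0.997, pass
    print("biased monobit p-value:", monobit_p_value(biased_bits(LFSR_PERIOD)))  # 0.0, fail
    seed = recover_lfsr_state(stream[:16])
    print("seed from 16 bits:", hex(seed), "predicts stream:",
          lfsr_bits(seed, LFSR_PERIOD) == stream)
```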
