On 07/17/2010 04:13 PM, Nelson B Bolyard wrote:
> FIPS 140 will not allow *any* hardware pure noise source to be used by
> itself as a random number/bit source. Instead, such a source MUST be
> fed into a DRBG from which any internal random data is taken.

Some of the FIPS 140 requirements are a bit bureaucratic, but this requirement actually makes cryptographic sense.
The problem with hardware pure noise sources is that it's impossible to evaluate their reliability. That is, there is no way to know if the noise generator has some mechanical/electrical bias, or to know if the pure noise part of the source is interrupted to produce a large number of non-noise bits (all 1's, all 0's, or some fixed, repeating value). Because of these issues, NIST can't certify hardware pure noise sources for direct use in cryptographic operations. What NIST can certify is that a particular PRNG is implemented using a well-known cryptographically strong algorithm. A certified hardware RNG would be one that has a hardware noise source as a seed or additional data which is added to a PRNG. With that system, short bursts of 1's or 0's or some fixed repeating value do not destroy the integrity of the whole system; it simply fails to add new entropy into the PRNG internal state.

The upshot is 1) NIST can't and won't certify pure hardware noise sources for cryptographic use and 2) this is the correct cryptographic choice.

bob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
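The arrangement bob describes (raw noise goes into a DRBG as seed or additional input, never straight to the consumer) can be shown concretely. The following is an added example written for this page; it is not code from the post, from NSS, or from any FIPS-validated module. It implements a minimal HMAC_DRBG in the style of NIST SP 800-90A (SHA-256, no prediction-resistance bookkeeping), a repetition-count health test in the spirit of SP 800-90B for catching a source stuck at a fixed value, and a simulated noise source that can be switched into the "interrupted" state the post mentions. The class and function names, the `cutoff` value of 8, and the constructed seed bytes are the example's own choices, not anything from a standard or from the thread.

```python
"""Added example (not from the original post): raw noise feeds an HMAC_DRBG
instead of being used directly, so a stuck source merely fails to add entropy.
"""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


class HmacDrbg:
    """HMAC_DRBG(SHA-256) after NIST SP 800-90A section 10.1.2, simplified:
    no prediction-resistance flag and no security-strength bookkeeping."""

    RESEED_INTERVAL = 1 << 16  # arbitrary conservative cap for this example

    def __init__(self, entropy_input: bytes, nonce: bytes = b"",
                 personalization: bytes = b""):
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mixes provided_data into (K, V); any input, even a
        # run of fixed bytes, only perturbs state that already holds entropy.
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before generating more output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


def repetition_count_test(samples: bytes, cutoff: int) -> bool:
    """Continuous health test in the spirit of SP 800-90B section 4.4.1:
    fail (return False) if any sample value repeats `cutoff` or more times
    in a row, which catches a source stuck at all-0, all-1 or a fixed byte."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def noise_source(n: int, stuck: bool = False) -> bytes:
    """Constructed stand-in for a hardware noise source (not real hardware):
    os.urandom while healthy, a fixed repeating byte when 'interrupted'."""
    return b"\xff" * n if stuck else os.urandom(n)


def seed_from_source(stuck: bool = False) -> HmacDrbg:
    """Instantiate a DRBG only from noise that passed the health test."""
    raw = noise_source(64, stuck=stuck)
    if not repetition_count_test(raw, cutoff=8):
        raise RuntimeError("noise source failed health test; refusing to seed")
    return HmacDrbg(raw, nonce=os.urandom(16), personalization=b"example-drbg")


def stuck_reseed_outputs(seed_a: bytes, seed_b: bytes, stuck: bytes) -> tuple:
    """Two DRBGs with different original entropy, both later reseeded with the
    same stuck data; returns their next outputs so they can be compared."""
    a, b = HmacDrbg(seed_a), HmacDrbg(seed_b)
    a.reseed(stuck)
    b.reseed(stuck)
    return a.generate(32), b.generate(32)


if __name__ == "__main__":
    drbg = seed_from_source()
    print("32 bytes from DRBG:", drbg.generate(32).hex())
    try:
        seed_from_source(stuck=True)
    except RuntimeError as e:
        print("stuck source at instantiation:", e)
```

At instantiation a stuck source is fatal, because the DRBG state would then be predictable, so the health test refuses to seed. After instantiation, stuck data arriving as reseed or additional input is harmless: `stuck_reseed_outputs` shows that two instances fed the identical stuck reseed still diverge, since their state retains the entropy they were originally seeded with. That is exactly the property bob is pointing at: the failure degrades to "no new entropy added" rather than "output becomes the fixed pattern".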