On 07/30/2012 10:40 AM, Vasantharangan, Shruthi M. wrote:
Hi,
Is there a way to set the Random Number Generator to use the DRBG instead
of DSA?
We are using RHEL 5.6. We have the below NSS rpms in the system.
* nss-3.13.5-4.el5_8.i386.rpm
* nss-devel-3.13.5-4.el5_8.i386.rpm
* nss-tools-3.13.5-4.el5_8.i386.rpm
Rgds
Shruthi
No, the DRBG code isn't even implemented in the RHEL 5 version.
The softoken in RHEL 5 is 3.11.4. DRBG was implemented in 3.12.4.
The PRNG in RHEL 5 is FIPS validated as a random number generator, so
the question is do you need a FIPS validated random number generator, or
do you specifically need a DRBG random number generator, and why do you
need DRBG specifically?
bob
-----Original Message-----
From: dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org]
On Behalf Of Robert Relyea
Sent: Friday, 27 July, 2012 6:50 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: RandomNumberGenerator that is FIPS2complaint
On 07/27/2012 12:34 PM, Vasantharangan, Shruthi M. wrote:
We would like to use a randomNumberGenerator on "Red Hat Enterprise Linux Server
release 5.6 (Tikanga)" which is FIPS140-2 level2 certified. We have
nss-3.13.5-4.el5_8.i386.rpm (along with nss-tools and nspr) package installed on our
servers. Can we use DRBG with RHEL 5.6?
Thanks
Shruthi
Yes, RHEL 5 ships the latest version of NSS, but with the softoken of NSS
3.11.4.
bob
Yes
-----Original Message-----
From: dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org]
On Behalf Of Robert Relyea
Sent: Friday, 27 July, 2012 3:25 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: RandomNumberGenerator that is FIPS2complaint
On 07/25/2012 02:32 PM, Vasantharangan, Shruthi M. wrote:
Hi,
How can I run drbg test vectors provided by NIST to validate the response
of the random output for the various algorithms on NSS?
Rgds
Shruthi
Softoken 3.11.4 uses the DSA RNG and not the DRBG (that would be RHEL 6 and
Softoken 3.12.9).
The test vectors were run internally with some version of fipstest, not
necessarily the one shipping with the system (most likely not shipping with the
system).
Are you trying to do a reval for some reason? For most cases, you
simply need to refer to the FIPS validation
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#814)
and the algorithm validation cert
(http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html#208) [see also
755 and 608].
bob
_____________________________________________________
This electronic message and any files transmitted with it contains
information from iDirect, which may be privileged, proprietary and/or
confidential. It is intended solely for the use of the individual or
entity to whom they are addressed. If you are not the original
recipient or the person responsible for delivering the email to the
intended recipient, be advised that you have received this email in
error, and that any use, dissemination, forwarding, printing, or
copying of this email is strictly prohibited. If you received this
email in error, please delete it and immediately notify the sender.
_____________________________________________________
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto