Your response to the below mail will be appreciated.
Thanks
Shruthi

From: Vasantharangan, Shruthi M.
Sent: Thursday, 2 August, 2012 12:19 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: RE: RandomNumberGenerator that is FIPS2complaint


Hi,

I tried to use fipstest to validate the DRBG vector on a Linux 6 system 
with the source tar NSS_3_13_5_RTM. I notice that the PRNG_instantiate call 
returns SEC_Failure. The drbg.c and a few of the freebl files have been 
modified on 28 Jun 2012. Does it mean that cmd/fipstest does not fully support 
Hash DRBG test vector validations yet?



From the "NSS Cryptographic Module Version 3.12" documentation I can see that 
random number generator supports Hash DRBG. So it means the public API 
C_GenerateRandom supports Hash DRBG on Linux 6 in FIPS Mode?



Below is the extract from the "NSS Cryptographic Module Version 3.12" document:

The FIPS 140-2 cipher suites consist solely of

* Triple DES (FIPS 46-3) or AES (FIPS 197) for symmetric key encryption and decryption.
* Secure Hash Standard (SHA-1, SHA-256, SHA-384, and SHA-512) (FIPS 180-2) for hashing.
* HMAC (FIPS 198) for keyed hash.
* random number generator Hash DRBG (NIST SP800-90).





Rgds

Shruthi



-----Original Message-----
From: dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org]
On Behalf Of Robert Relyea
Sent: Monday, 30 July, 2012 2:42 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: RandomNumberGenerator that is FIPS2complaint



On 07/30/2012 10:40 AM, Vasantharangan, Shruthi M. wrote:

> Hi,
>      Is there a way to set the Random Number Generator to use the DRBG 
> instead of DSA?
>   We are using a RHEL 5.6. We have the below NSS rpms in the system.
> *          nss-3.13.5-4.el5_8.i386.rpm
> *          nss-devel-3.13.5-4.el5_8.i386.rpm
> *          nss-tools-3.13.5-4.el5_8.i386.rpm
>
> Rgds
> Shruthi

No, the DRBG code isn't even implemented in the RHEL 5 version.

The softoken in RHEL 5 is 3.11.4. DRBG was implemented in 3.12.4.

The PRNG in RHEL 5 is FIPS validated as a random number generator, so the 
question is do you need a FIPS validated random number generator, or do you 
specifically need a DRBG random number generator, and why do you need DRBG 
specifically?



bob

>
> -----Original Message-----
> From: dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org
> [mailto:dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org]
> On Behalf Of Robert Relyea
> Sent: Friday, 27 July, 2012 6:50 PM
> To: dev-tech-crypto@lists.mozilla.org
> Subject: Re: RandomNumberGenerator that is FIPS2complaint
>
> On 07/27/2012 12:34 PM, Vasantharangan, Shruthi M. wrote:
>> We would like to use a randomNumberGenerator on "Red Hat Enterprise Linux 
>> Server release 5.6 (Tikanga)" which is FIPS140-2 level2 certified.  We have 
>> nss-3.13.5-4.el5_8.i386.rpm (along with nss-tools and nspr) package 
>> installed on our servers.  Can we use DRBG with RHEL 5.6?
>>
>> Thanks
>> Shruthi
> yes, RHEL 5 ships the latest version of NSS, but with the softoken of NSS 
> 3.11.4.
>
> bob
>> Yes
>>
>> -----Original Message-----
>> From: dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org
>> [mailto:dev-tech-crypto-bounces+svasantharangan=idirect....@lists.mozilla.org]
>> On Behalf Of Robert Relyea
>> Sent: Friday, 27 July, 2012 3:25 PM
>> To: dev-tech-crypto@lists.mozilla.org
>> Subject: Re: RandomNumberGenerator that is FIPS2complaint
>>
>> On 07/25/2012 02:32 PM, Vasantharangan, Shruthi M. wrote:
>>> Hi,
>>>       How can I run drbg test vectors provided by NIST to validate the 
>>> response of the random output for the various algorithms on NSS.
>>>
>>> Rgds
>>> Shruthi
>> Softoken 3.11.4 uses the DSA RNG and not the DRBG (that would be RHEL 6 and 
>> Softoken 3.12.9).
>>
>> The test vectors were run internally with some version of fipstest, not 
>> necessarily the one shipping with the system (most likely not shipping with 
>> the system).
>>
>> Are you trying to do a reval for some reason? For most cases, you
>> simply need to refer to the FIPS validation
>> (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#814)
>> and the algorithm validation cert
>> (http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html#208) [ see 
>> also 755 and 608 ].
>>
>> bob
>>

>> _____________________________________________________
>> This electronic message and any files transmitted with it contains
>> information from iDirect, which may be privileged, proprietary and/or
>> confidential. It is intended solely for the use of the individual or
>> entity to whom they are addressed. If you are not the original
>> recipient or the person responsible for delivering the email to the
>> intended recipient, be advised that you have received this email in
>> error, and that any use, dissemination, forwarding, printing, or
>> copying of this email is strictly prohibited. If you received this
>> email in error, please delete it and immediately notify the sender.
>> _____________________________________________________
>>

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
