Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Windows 2008 FIPS 140-2 and CryptGenRandom
11 views
Skip to first unread message
venkat
Jul 25, 2009, 2:11:01 PM7/25/09
to
We are trying to obtain FIPS 140.2 certification for our product, and it
happens to use CryptGenRandom() method from Crypto API for initializing its
random seed. In Windows Server 2003 versions, the seed was described in:
happens to use CryptGenRandom() method from Crypto API for initializing its
random seed. In Windows Server 2003 versions, the seed was described in:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1012.pdf
I believe the entropy characteristics of seed buffer described in page 18-19
in section heading “Miscellaneous” was sufficient to satisfy seed
requirements. However, the corresponding RSAENH in Windows Server 2008 is
missing that, and there is only a statement that it gets a seed from the
kernel, but does not describe the size of the seed or its entropy
characteristics.
Windows Server 2008 RSAENH:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1010.pdf
Where can I obtain further information on the seed? What is the number of
bytes of random buffer that is required for meeting a certain entropy (say 80
bits of entropy).
Thanks.
Ateeq S
Oct 29, 2009, 12:16:02 AM10/29/09
to
As far as I can tell, the new CryptGenRandom is based on the DRBG specified
in NIST's SP800-90. NIST considers it "vendor-affirmed." So, it's a written
affirmation letter provided by Microsoft. I believe you can still use
CryptGenRandom() as you have used it before as your seed since RSAENH is
validated to 140-2.
in NIST's SP800-90. NIST considers it "vendor-affirmed." So, it's a written
affirmation letter provided by Microsoft. I believe you can still use
CryptGenRandom() as you have used it before as your seed since RSAENH is
validated to 140-2.
Ateeq
0 new messages