[openssl-users] FIPS, continuous tests, and error reporting

dj at deadhat.com dj at deadhat.com
Thu Feb 19 21:22:19 UTC 2015

> Hello,
> I have some questions regarding table '6b - Conditional Tests' of the
> 2.0.7 Security Policy.
> It is mentioned that there are continuous tests for stuck fault. Is
> the meaning of 'continuous' a the matter of frequency ?  Or are these
> continuous tests ran each time an algorithm is used ?

The CRNGT test is described in section 4.9.2 of FIPS 140-2. It is
continuous in that it is applied to all the output of the RNG. The spec is
absolutely not clear on what you do with a failure, nor is it an effective
stuck at fault test. It is not present in the ISO equivalent spec, nor was
it present in the drafts of the (now defunct) 140-3 draft. It is a data
modifying test and has interest mathematical properties that raise
concerns that it is something other than a stuck-at test.

More information about the openssl-users mailing list