[openssl-users] Testing FIPS mode using 0 randomness

[Tom Francis]

> On Mar 2, 2015, at 12:18 PM, jonetsu <jonetsu at teksavvy.com> wrote:
> 
> Hello,
> 
>   I tried a simple test to see if FIPS mode would fail, using the example given in the FIPS user guide 2.0.  The test consisted of replacing the /dev/random and /dev/urandom with /dev/zero.  I would have expected that no source of randomness would make the tests ran at the call of FIPS_mode_set(1) fail.
> 
> ex.:
> 
> cd dev
> rm random
> mknod -m 666 /dev/random c 1 5
> 
> Verify presence of zeroes all over:
> cat /dev/random | xxd
> 
> ./fips_hmac fips_hmac.o
> 
> If added a ret value to catch the return code from FIPS_mode_set(1).  Random or no random, it always returns 1.  
> 
> Shouldn't randomness be an important part of the power-up tests ?  I understand there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' (eg. continuous). Wouldn't these tests be part of the power-up sequence as called by FIPS_mode_set(1) also ?

No.  The self-tests verify the output of the algorithms matches for given input.  This means when the PRNG is tested, it’s seeded with known values, and the output is checked against the correct output for the way it was seeded.  Inputs from /dev/random, /dev/urandom, or any other “random” source are not used.

Remember, the goal of FIPS 140 is NOT “good security”, it’s “verifying that known cryptographic algorithms are used”.  If the input and output are not predictably the same, then how can you verify the algorithm used is the algorithm that’s supposed to be used?  And attempting to account in the tests for every possible input (what you’d have to do if you didn’t only test a small number of known inputs) would be impractical, at best. :)

TOM

> Thanks.
> 
> 
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users