The Impending FIPS 140-2, Random Number Generator Crisis
Dec 12, 2014
A few years ago, there was a bit of a stir within the Federal Government when the National Institute of Standards and Technology (NIST) issued directions that SHA1 hashes used for digital signatures would be disallowed after 2013. The document where this was shared was NIST Special Publication 800-131A- Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Curiously, other changes in SP 800-131A have not received as much attention. One key transition is to Random Number Generation. Random Number Generators that were acceptable in the past will be disallowed for use after 2015. Random Number Generators are critical in effective cryptographic key generation.
SP 800-131A makes clear that RNGs specified in FIPS 186-2, ANS X9.31-1998 and ANS X9.62-1998 will be disallowed after 2015. Only SP 800-90A based random number generators will continue to be approved. NIST SP 800-90A- Recommendation for Random Number Generation using Deterministic Random Bit Generators was published in January 2012. These are now referred to as deterministic random bit generators (DRBG). SP 800-90A lists four approved random number generators. These are Hash_DRBG, HMAC_DRBG, CTR_DRBG, and Dual_EC_DRBG. Support for Dual_EC_DRBG was removed after news reports in 2013 prompted public concern about the trustworthiness of Dual_EC_DRBG. There has been no controversy regarding the remaining three DRBG.
There is a quick and easy way to tell if the cryptographic module you are using uses a random number generator that will be disallowed. Look up the FIPS 140-2 validation on the NIST Cryptographic Module Validation Program (CVMP) Website. The FIPS certification lists the approved algorithms. You should see DRBG followed by parenthesis that contain the Cryptographic Algorithm Validation Program (CAVP) certification number of the algorithm. If you see a RNG followed by parenthesis instead of DRBG, this module will be affected.
What may come as a surprise to many people is that many recently certified FIPS 140-2 modules are still being certified with Random Number Generators that will be disallowed soon. A quick survey of very recent certifications show that approximately 15% were certified with the soon to be disallowed, older RNG. Because of this, you shouldn’t rely on the date your cryptographic module was validated to protect you from this issue.
So what should you do?
Check the FIPS 140-2 certifications of the products that you use to make sure they use NIST SP 800-90A DRBG. If they don’t, ask your vendor if they will be providing a software update that will address the random number generator and whether that module will be FIPS validated ahead of the deadline.
Keep in mind that FIPS validations can take months. For systems that will not be updated, or cannot be updated, start planning now to replace the system affected with a system that has been validated by NIST and that uses the newer SP 800-90A DRBG.
If you require FIPS 140-2 validation, don’t be left high and dry with a system that was FIPS validated, but uses a random number generator that will be disallowed on January 1, 2016.