Hi --

Thanks for the below info.

Below is some info on why I have been asking questions that are FIPS
oriented. I'd appreciate if anything you see here that is not correct you
would comment on -- we are new to FIPS process, which is, no doubt, probably
obvious if you saw my other posts :)

***We are not trying to get/make a FIPS validated version of the OpenSSL
Library -- it's our PDA app that we are hoping to get submitted to a testing
lab. That application is what we are trying to get FIPS validated. The
application will use OpenSSL but OpenSSL will not itself be validated.
 
We have one of the well-known FIPS consulting companies guiding us in the
process.  As we have moved through the process of preparing the application
we have had a variety of requirements. One is that we force TLS and the
correct cipher suite (3DES, RSA, SHA). We use OpenSSL 0.9.8a to accomplish
that. Since FIPS requires algorithm tests we did our own KATs for the
OpenSSL and also we must do the PRNG tests. I'd like to use OpenSSL 0.9.7
since the tests are internal there but I have to use 0.9.8a since I have
that in good working order on Windows CE 4.2 and 5.0.

***I am writing the tests outside of the OpenSSL -- I did not modify 0.9.8a
but rather when the app starts I call OpenSSL functions to do the KATs,
etc.

I am not sure what will happen with this project but the consultants we have
say that we can use OpenSSL non-FIPS version provided we do the requirements
(KATs, startup tests for the app and the openssl dlls, and PRNG tests, as
well as all the other FIPS requirements). ***I assume that is correct since
people must have gotten apps validated that used OpenSSL before OpenSSL had
a FIPS version.

With the above in mind I am trying to determine particularly how to do the
PRNG seed value test -- outside of OpenSSL like I did the KATs.

Also I am still wondering about the PRNG startup test: if I do seed, rand1,
rand2 they do not come out the same. I think the requirement is to seed and
get a rand and then to get a rand again using that seed and ensure they are
the same. They are never the same -- I am missing why that does not work?

Thank you for your time and expertise -- please comment on any of the above
as it would be greatly appreciated!

Best regards

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Friday, March 03, 2006 6:58 PM
To: openssl-users@openssl.org
Subject: SPAM-URL Re: Another RAND question...

On Fri, Mar 03, 2006, OpenSSLGRT wrote:

> I did see that but I think I misunderstood, so ...
> I still am not sure then how I would accomplish the following:
> 1.) Take a seed and the known output of the PRNG with that seed.
> 2.) Seed the PRNG with the seed and get a RAND
> 3.) See if that RAND in step 2 is the same as the one in Step 1
> 

The standard PRNG mixes in various random sources of data at various points
and its output depends on its internal state which is affected by explicit
calls to seed it and calls to obtain random data from it.

BTW if this is for FIPS then you can't use the standard OpenSSL PRNG because
it isn't FIPS compliant, that's why there is an alternative PRNG in the FIPS
module in 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
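
An added illustration, not part of the original thread and not OpenSSL's code: a simplified hash-chain generator showing why a seed/output known-answer test only works when the generator's state is fully determined by the seed. ToyPRNG, its methods and the seed value are hypothetical, and EXPECTED is computed from a reference run as a stand-in for a published test vector.

```python
import hashlib
import os
import time


class ToyPRNG:
    """Simplified model only; this is NOT OpenSSL's PRNG algorithm."""

    def __init__(self, mix_system_entropy):
        self.mix = mix_system_entropy
        self.state = b"\x00" * 20

    def seed(self, data):
        # Seeding folds new data into the existing state; it never resets it.
        extra = b""
        if self.mix:
            # Models a generator that also stirs in data the caller cannot control.
            extra = os.urandom(16) + str(time.time_ns()).encode()
        self.state = hashlib.sha1(self.state + data + extra).digest()

    def rand(self, n=20):
        out = b""
        while len(out) < n:
            out += hashlib.sha1(b"out" + self.state).digest()
            # Every request for output advances the internal state.
            self.state = hashlib.sha1(b"next" + self.state).digest()
        return out[:n]


def fresh(mix, seed):
    g = ToyPRNG(mix)
    g.seed(seed)
    return g


def known_answer_test(mix, seed, expected):
    # A KAT needs a new instance so the state depends on the seed alone.
    return fresh(mix, seed).rand() == expected


def reseed_same_instance_matches(seed, expected):
    # Seeding an already-used instance again does not reproduce the first output.
    g = fresh(False, seed)
    g.rand()
    g.seed(seed)
    return g.rand() == expected


SEED = b"constructed test seed"       # constructed sample value
EXPECTED = fresh(False, SEED).rand()  # stand-in for a published vector

if __name__ == "__main__":
    print("deterministic KAT:", known_answer_test(False, SEED, EXPECTED))
    print("entropy-mixing KAT:", known_answer_test(True, SEED, EXPECTED))
    print("re-seed same instance:", reseed_same_instance_matches(SEED, EXPECTED))
```
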
