The National Institute of Standards and Technology (NIST) has published the second draft of a publication that details design principles for entropy sources, which measure the randomness of generated numbers.
As FCW’s Sean Lyngaas recently noted, cyber criminals can slice through a user’s communications without reliable random bit generators (RBGs).
“Security flaws in random number generators have been a significant source of vulnerabilities in cryptographic systems over many years,” Paul Kocher, chief scientist at the Cryptography Research Division of Rambus told the publication. “So it is crucially important to have random number generators that work well.”
According to Lyngass, the NIST draft specifies data that cryptographers can submit for entropy testing. The draft also describes the process of calculating initial entropy estimates, detailing how multiple noise sources of entropy can be factored into the calculation.
“The validation of an entropy source presents many challenges,” the NIST document reads. “No other part of an RBG is so dependent on the technological and environmental details of an implementation.”
Elaine Barker, one of the publication’s authors, told FCW that NIST was closely coordinating with those in charge of validating entropy sources.
“We don’t want to require anything that they can’t validate,” she explained. “As we deal with the various vendors, we get an idea of what they can and cannot do.”
The NIST is fielding feedback on its document via email through May 9th and will also offer a public workshop.
“NIST knows it needs to rebuild credibility after the Dual EC DRBG controversy, and seems to be doing the right things,” Kocher added. “These drafts from NIST are uncontroversial, and don’t have controversial constructions of the sort found in Dual EC DRBG that can harbor backdoors.”