FIPS: Is it Chaos or New CMVP Entropy Requirements?
An Update on IG G7.18 Entropy Estimation and Compliance with SP 800-90
27 February 2020
2020 begins as a year of transitions, and the Cryptographic Module Validation Program (CMVP) has introduced another change to note. Implementation Guidance (IG) G7.18, Entropy Estimation and Compliance with SP 800-90B, is quite prescriptive.
As of November 7, 2020, all entropy testing must be done according to NIST publication SP 800-90B. This takes some of the guesswork out of the CMVP testing requirements for entropy. However, vendors and labs still must check other guidance to see if the module requires an entropy assessment. IG 7.14 explains the scenarios requiring an entropy assessment, while IG 7.18 firms up the rather loose requirements given in IG 7.15.
Having to use the requirements given in SP 800-90B means that min-entropy will be used as a measure, not Shannon entropy, collision entropy or other entropic measurements. This will standardize the type of entropic discussions that a vendor must make. It also means the tests implemented in SP 800-90B must be implemented in the cryptomodule. All "shall" statements in SP 800-90B are required by CMVP.
The salient pieces of SP 800-90B are:
- Section 1: An Introduction.
- Section 2: Provides a general discussion with a definition of min-entropy and a mathematical formula for estimating it:
- Section three: Discusses entropy validation, including a flow chart that outlines the process:
- Data must be collected (1,000,000 bits of raw data before conditioning).
- If there is a conditioning component (not listed in section 3.1.5.1., List of Vetted Conditioning Components consisting of HMAC, CMAC, CBC-MAC, Any Approved hash function, or hash_df from SP 800-90A and Block_Cipher.df from SP 800-90A), then an additional 1,000,000 bits of conditioned data must be collected for testing.
- Restart tests must be run. The entropy source must be restarted 1000 times and the data is stored in a 1000 x 1000 matrix.
= min (−log2pi),
1≤i≤k
= −log2 max pi
1≤i≤k
There is also a source model and an explanation of the three types of interfaces that may be required for interacting with the entropy source: GetEntropy; GetNoise and HealthTest interfaces.
GetEntropy
Input | Output | ||
bits_of_entropy | the requested amount of entropy | entropy_bitstring | The string that provides the requested entropy |
|
| status | A Boolean value that is TRUE if the request has been satisfied and is FALSE otherwise. |
GetNoise
Input | Output | ||
number_of_samples_requested | An integer value that indicates the requested number of samples to be returned from the noise source. | noise_source_data | The sequence of samples from the noise source with a length of number_of_samples_requested. |
| status | A Boolean value that is TRUE if the request has been satisfied and is FALSE otherwise. | |
HealthTest
Input | Output | ||
type_of_test_requested | A bitstring that indicates the type or suite of tests to be performed (this may vary from one entropy source to another). | status | A Boolean value that is TRUE if the request has been satisfied and is FALSE otherwise. |
Once the data is collected it must then be tested using the min-entropy tests found at GitHub.
In each case, the lab must ensure that all of the "shall" statements in SP 800-90B have been met. The lab is also required to provide a heuristic discussion on the entropy source, as well as the more technical discussion of the entropy source and the type of bits produced (IID vs. non-IID). The vendor is required to provide access to the raw data; this is a departure from the past, since it has not always been possible to gain access to a third-party chip etc. However, as IG 7.18 requires this action from the vendor, achieving this may present special problems for some vendors. A restart test needs to be addressed.
Health Tests, to ensure the Entropy source is still able to produce entropic bits, are required. These are different than the DRBG health tests in SP 800-90A. An IID sample must be proven to be in fact IID, which will require an in-depth heuristic discussion *in addition* to the testing requirements in SP 800-90B. The version number of the test tool used must be in the Entropy report. There are other requirements as well, both for the vendor and the lab.
The testing for entropy sources has now been rigorously defined in IG 7.18, and vendors need to be aware of this. All modules that are re-validated after November 7, 2020, will be required to satisfy this new entropy requirement. This an IG is worth looking at – especially given all the changes that CMVP has planned for 2020.
Richard Adams,
Cryptographic and Security Testing Lab Manager
Richard Adams began work for Intertek EWA-Canada in 2009 as a Security Content Automation Protocol (SCAP) Tester and quickly moved into the role of Lead Tester. He trained and assisted in various other areas within the company, such as Cryptographic Module Validation (FIPS 140-2) testing; Common Criteria (CC) testing; Personal Identification Verification (PIV) testing; Visa Ready Program for Mobile Point of Sale (Visa mPOS) testing; and Certificate Authority (CA) Activities during this time. He was later promoted to the role of CST Lab Manager.
Dawn Adams,
Senior IT Security Specialist
Dawn Adams has been with Intertek EWA-Canada for more than 13 years. She has been involved with the FIPS program for 21 years; she was a Lab Manager for 9 years. She has worked in and was a Manager in the Common Criteria, PCI, PIV and SCAP workspaces as well. She is currently an IT Security Specialist working mainly in Common Criteria and auditing.