Stephan Mueller, Principal Consultant and Evaluator, atsec information security. Random numbers are the foundation that ensures the strength of any algorithm (with the exception of hashes) for the proper use of cryptography. Good random numbers rely on noise which needs to be demonstrably tested and assessed.

SP800-90B provides various formulas to perform a quantitative assessment, not only for completing a FIPS 140-2 validation, but also for a general assessment of the quality of a noise source. The application of these formulas is an interesting proposition that is subject to discussion.

This presentation provides a guide on how to perform entropy assessments on various noise sources using the SP800-90B mathematical guidance. The guide starts from an explanation of how a noise source should be measured, covers the preparation of data for processing with the SP800-90B math, and closes with guidance on how to interpret the results. The interpretation of the calculated results focuses on the argument of whether a noise source is good enough for use as part of FIPS 140-2 validations and for general cryptographic use cases.

Practical examples are given and cover software-based noise sources using the Linux /dev/random device as an example. In addition, an example with a Hardware-based noise sources demonstrates the assessment approach as well.

The closing remarks will provide an outlook for additional and future entropy assessment approaches that may supplement SP800-90B, such as Predictor Tests as well as the German AIS20/31 approach.

End-User Experience Track