Closed mattcaswell closed 3 months ago
The primary question is where should the SP 800-90B section 4 health tests be located:
With an external non-validated entropy source, which is correct or can either be used? Is the answer the same for our FIPS 140-2 and FIPS 140-3 validations?
A secondary question is: are the health tests we implemented for our FIPS 140-2 validation sufficient for our FIPS 140-3 validation or do they need to be modified? SP 800-90B section 4.4 outlines two approved health tests, neither of which matches what was done in the FIPS 140-2 validation. However, section 4.5 allows developer-defined alternatives -- would this cover the FIPS 140-2 tests? Essentially, do we need to implement the 4.4 approved health tests for our FIPS 140-3 validation or not?
FTR, I'm not sure the advice Red Hat got looked exactly this way.
Just reopening this because, although @paulidale has done the requested task, it's not clear to me if anything has been done with the result of this. Has anyone actually sent this question to the lab?
Question(s) were sent to lab.
The rough consensus seems to be that the health check should be done on the raw output of the noise source which is not inside our FIPS module boundary.
@paulidale can you please confirm that the above answers the questions and close this?
@paulidale to write up a question to send to the lab with regard to the CRNG Tests issue (see openssl/openssl#24498).