IPA 2010 3 25 1
1 / / 2 (DRBG) DRBG NIST SP800-90 2
1 3
JCMVP 2009 1 JCATT AES 15 4
5
OK/NG OK ( ) ( ) 6
JCMVP JCATT JCATT http://www.ipa.go.jp/security/jcmvp/open_documents.html 7
332 (DES, Triple-DES, DSA, SHA1) 88(26.5%)(*1) 2007 7 2009 5 % (*1) CMVP FAQ http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf 8
9
JCATT (FSM VE FSM FSM 10
CMVP FIPS 140-2 (2001/5) FIPS 140-2 DTR (2001/5) (ISO) ISO/IEC 19790 (2006/3) ISO/IEC 24759 (2008/7) JIS X 19790 (2007/3) JIS X 24759 (2009/10) 11
12 12 12
JIS X 19790 Z Y X W X Z Y W CSP (Critical Security Parameter) : CSP CSP CSP 13
! 14
1 USB! USB USB 15
1 USB! (1) (2) AES (3)USB USB USB (4) : http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/syss_cracks_kingston_usb_flash_drive.pdf 16
1 USB! (1) (2) AES! 00 00 00 00 B5 D3 68 DC 8A 4D A5 B1 FD 2E 68 84 4D F2 0D 52 1E 2B F9 CD 00 00 00 00 00 00 00 00 (3) (4) AES (5) USB USB 17
1 USB!! (1) (2) AES (3)USB USB USB USB (4)!! 00 00 00 00 B5 D3 68 DC 8A 4D A5 B1 FD 2E 68 84 4D F2 0D 52 1E 2B F9 CD 00 00 00 00 00 00 00 00 18
2 Debian GNU/Linux OpenSSL OpenSSL Debian Valgrind( ) : CVE-2008-0166 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0166) 19
3 IC IC () 20
JCMVP 2 21
2 (DRBG) DRBG NIST SP800-90 22
(DRBG) ( ) Initial Vector DRBG : Deterministic Random Bit Generators 23
DRBG (1) 128-bit 128-bit 2 128 ( ) 24
DRBG (2) DRBG DRBG 128-bit DRBG( ) 2 128 DRBG( ) 25
DRBG (3) NIST SP800-90 1.5 128 DRBG DRBG 26
(1) 4-bit X 16 X 78? 27
(2) Shannon $H_S$: $H_S = -\sum_{x \in \Omega_X} P(x) \log_2 P(x)$ ($\Omega_X$: X, x) $H_S$ 3.1 3 Shannon 28
(3) $H_{min}$: $H_{min} = -\log_2 P_{max}$, $P_{max} = \max_x P(x)$ $H_{min}$ 2.3 $H_{min} \le H_S$ (ISO/IEC 18031:2005, Annex G) 29
(1) 1( )4 n-bit n 8,16, 256 (=$2^{28}$) n=8: $2^{28}$, $2^{28}/2^8 = 2^{20} = 1024^2$ $P_{max}$ 3 n=16: $2^{27}$, $2^{27}/2^{16} = 2^{11} = 2048$ $P_{max}$ 3 30
(2) n 31
32
(3) Entropy and Entropy Sources in X9.82, John Kelsey, NIST, July 2004 http://csrc.nist.gov/groups/st/toolkit/documents/rng/EntropySources.pdf Testing Issues with OS-based Entropy Sources, Peter Gutmann, University of Auckland http://csrc.nist.gov/groups/st/toolkit/documents/rng/TestingOSSources.pdf NIST Special Publication 800-22rev1, A Statistical Test Suite for Random and Pseudorandom Number Generators http://csrc.nist.gov/publications/nistpubs/800-22-rev1/SP800-22rev1.pdf 33
RBG RBG prediction resistance reseeding backtracking resistance( ) DRBG DRBG 1 x x + 1 x + 2 x + 3 34
(RBG) (1) ISO/IEC 18031, Information technology Security techniques Random bit generation ANS X9.82 Draft AIS20 AIS31 (NRBG : Non-deterministic Random Bit Generators) (DRBG) JIS X 19790 ANS X9.82, NIST SP800-90 ANS X9.82, Random Number Generation Part1: Overview and Basic Principles, Part2: Entropy Sources, Part3: Deterministic Random Bit Generators AIS20, Functionality classes and evaluation methodology for deterministic random number generators AIS31, Functionality classes and evaluation methodology for true (physical) random number generators FIPS 140-1 35
(RBG) (2) NIST SP800-90 (DRBG) ISO/IEC 18031 ANS X9.82:Part3 Draft ANS X9.82:Part3 Hash_DRBG NIST SP800-90 ANS X9.82:Part3 Hash_DRBG ANSI-approved (ANS X9.62:2005 ECDSA) http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf 36
NIST SP800-90DRBG(1) Personalization string Additional input Nonce Entropy Input Instantiate Instantiate Reseed Reseed Uninstantiate Generate Generate Health test DRBG Random Bit Generator (RBG) DRBG 37
NIST SP800-90DRBG(2) DRBG DRBGHealth Test Health Test DRBG (Instantiate, Reseed, Generate, Uninstantiate) DRBG (Seed ) Seed nonce Seed additional input ReseedGenerate personalization string DRBG 38
NIST SP800-90DRBG DRBG ( :HMAC_DRBG) Instantiate (a) Instantiate Reseed (b) Reseed Generate (c) Generate HMAC_DRBG_Instantiate_algorithm HMAC_DRBG_Reseed_algorithm HMAC_DRBG_Generate_algorithm HMAC Uninstantiate Health Test DRBG 39
NIST SP800-90 DRBG reseed_interval generate Instantiate Generate Generate Reseed () Generate Generate Reseed Generate Generate Uninstantiate 40
JIS X 19790 ISO/IEC 18031 JCMVP NIST SP800-90 Hash_DRBG HMAC_DRBG CTR_DRBG FIPS 140-3 NIST SP800-90 ( ) NIST SP800-90 Health Test FIPS 140-2 RBG http://csrc.nist.gov/publications/drafts/fips140-3/revised-draft-fips140-3_pdf-zip_document-annexa-to-annexg.zip 41
NIST SP800-90 DRBG DRBG Instantiate Generate Generate Reseed Generate Generate Uninstantiate DRBG 42
NIST SP800-90 Instantiate(1) Instantiate Instantiate Instantiate [ ] [ ] [] [ ] Uninstantiate [] [ ] 43
NIST SP800-90 Instantiate(2) Instantiate Instantiate Instantiate [] [ ] 44
NIST SP800-90 DRBG DRBG Instantiate Generate Generate Reseed Generate Generate Uninstantiate DRBG 45
NIST SP800-90 Generate(1) Generate Generate Reseed Generate [ ] [ ] [] [ ] Uninstantiate [] [ ] 46
NIST SP800-90 Generate(2) Generate Generate Generate [ ] Uninstantiate [] [] [ ] 47
NIST SP800-90 DRBG DRBG DRBG DRBG DRBG FIPS 140-2, JIS X 19790 48
NIST SP800-90 122 (7 11 ) 49
JCMVP http://www.ipa.go.jp/security/jcmvp/ jcmvp-info@ipa.go.jp 50