December 5, 2014

The RNG Transition is Coming!

The RNG transition in 2016 is fast approaching.  Is your cryptographic module prepared?

Per the SP800-131A transition guidance, the following is stated in regards to the RNG transition:

"The use of the RNGs specified in FIPS 186-2, [X9.31] and [X9.62] is deprecated from 2011 through December 31, 2015, and disallowed after 2015".

Put simply, if a module utilizes one of the Random Number Generators (RNGs) in question for the purposes of key generation, the module will no longer have a compliant key generation method starting in January 2016. All cryptographic keys generated using the disallowed RNG will no longer be considered Approved.

This will not only affect future validations but be retroactive for all currently validated cryptographic modules.  Although CMVP would not confirm their specific course of action on January 1, 2016, we do know that a large percentage of FIPS 140-2 validated modules will be without a compliant mechanism to generate approved cryptographic keys, placing agencies using these cryptographic modules in a precarious position as they are required to use FIPS validated cryptographic modules.  Without updates to this functionality, federal agencies would be in direct violation of FISMA 2002.

So what are your options? If you are currently in the process, or plan to undergo FIPS 140-2 validation testing on a new module in the near future, you will need to ensure that your RNG is one defined in Special Publication 800-90A.  If you already have a FIPS 140-2 validated product and that device implements one or more of the soon to be disallowed RNGs, you will need to undergo revalidation testing with an approved RNG in order to maintain your validation.