December 5, 2014

The RNG Transition is Coming!

The RNG transition in 2016 is fast approaching.  Is your cryptographic module prepared?

The SP800-131A transition guidance states the following regarding the RNG transition:

"The use of the RNGs specified in FIPS 186-2, [X9.31] and [X9.62] is deprecated from 2011 through December 31, 2015, and disallowed after 2015".

Put simply, if a module utilizes one of the Random Number Generators (RNGs) in question for the purposes of key generation, the module will no longer have a compliant key generation method starting in January 2016. All cryptographic keys generated using the disallowed RNG will no longer be considered Approved.

This will not only affect future validations but will also apply retroactively to all currently validated cryptographic modules. Although CMVP would not confirm their specific course of action on January 1, 2016, we do know that a large percentage of FIPS 140-2 validated modules will be without a compliant mechanism to generate approved cryptographic keys. That places agencies using these cryptographic modules in a precarious position, as they are required to use FIPS validated cryptographic modules. Without updates to this functionality, federal agencies would be in direct violation of FISMA 2002.

So what are your options? If you are currently in the process of FIPS 140-2 validation testing on a new module, or plan to undergo it in the near future, you will need to ensure that your RNG is one defined in Special Publication 800-90A. If you already have a FIPS 140-2 validated product and that device implements one or more of the soon-to-be-disallowed RNGs, you will need to undergo revalidation testing with an approved RNG in order to maintain your validation.


  1. It seems that X9.31 is simply X9.17 using DES or 3DES as the block cipher. Was X9.17 with AES256 as the block cipher ever a FIPS 140-2 approved RNG? And does this guidance affect that?

    I would expect that as long as the block cipher remains approved, so would X9.17 using that block cipher. Unfortunately, scavenger hunting through the web of FIPS and ANSI documents has not provided clarity.

  2. Hi Alan,

    I don't know the exact relationship between X9.17 and X9.31, but no, X9.17 was never an Approved RNG. But regardless, this guidance would affect that anyway. It is now very clear that the only Approved random number generation methods will be those defined in SP800-90A. I agree with your thought that as long as the block cipher remains approved, so should the RNG utilizing it. Unfortunately, it has never really been explained why NIST is no longer considering these RNGs strong enough.

    I hope that helps.
