[SERVER-9058] Use FIPS-140-2 Approved Pseudorandom Number Generator for SecureRandom

Created: 21/Mar/13
Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Andy Schwerin
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to SERVER-21253 Improve structure and functionality o... Backlog
related to SERVER-20919 Use OpenSSL to generate IVs Closed
is related to SERVER-2360 Add a stronger password authenticatio... Closed
is related to SERVER-7648 Support Use of FIPS 140-2 Compliant C... Closed
is related to SERVER-17422 Improve random number number gen Closed
Assigned Teams:
Server Security
Participants:

 Description   

On systems with a /dev/urandom, we defer to the operating system for our source of secure pseudorandom numbers. On other systems, we sort of let the ball drop. We should use a FIPS-140-2 compliant PRNG for SecureRandom on all systems, one way or another.



 Comments   
Comment by Mark Benvenuto [ 08/Sep/15 ]

CNG in Windows is FIPS-140-2 certified. See https://msdn.microsoft.com/en-us/library/windows/desktop/bb204775%28v=vs.85%29.aspx

CNG is validated to Federal Information Processing Standards (FIPS) 140-2 and is part of the Target of Evaluation for the Windows Common Criteria certification. CNG was designed to be usable as a component in a FIPS level 2 validated system.
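
The platform split discussed in this ticket, as an added example that is not MongoDB's code: the operating system's generator is used on both paths (`/dev/urandom` on POSIX, CNG's `BCryptGenRandom` on Windows), and the call fails closed instead of falling back to a non-cryptographic PRNG. The function name `fill_secure_random` is hypothetical, and whether the result counts as FIPS 140-2 compliant depends on the validated module of the platform, not on this wrapper.

```cpp
// Added example (not MongoDB source): OS-backed secure random bytes that fail closed.
#include <cstddef>
#include <cstring>

#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>  // link with bcrypt.lib

bool fill_secure_random(void* buf, std::size_t len) {
    if (len > 0xFFFFFFFFu) return false;  // BCryptGenRandom takes a 32-bit length
    // System-preferred CNG RNG; no algorithm handle is needed with this flag.
    NTSTATUS st = BCryptGenRandom(nullptr, static_cast<PUCHAR>(buf),
                                  static_cast<ULONG>(len),
                                  BCRYPT_USE_SYSTEM_PREFERRED_RNG);
    return st >= 0;  // equivalent to NT_SUCCESS(st)
}
#else
#include <cerrno>
#include <fcntl.h>
#include <unistd.h>

bool fill_secure_random(void* buf, std::size_t len) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return false;  // fail closed: no fallback to rand() or time seeds
    unsigned char* p = static_cast<unsigned char*>(buf);
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;    // interrupted by a signal, retry
        if (n <= 0) { close(fd); return false; }  // error or unexpected EOF
        p += n;                                   // short read: keep filling
        len -= static_cast<std::size_t>(n);
    }
    close(fd);
    return true;
}
#endif

int main() {
    unsigned char a[32], b[32];
    if (!fill_secure_random(a, sizeof a) || !fill_secure_random(b, sizeof b))
        return 1;  // caller must treat failure as fatal for key/nonce generation
    return std::memcmp(a, b, sizeof a) == 0;  // nonzero exit if two draws repeat
}
```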
