NIAP: View Technical Decision Details
Archived TD0390:  Cryptographically Secure RNG

Publication Date
2019.02.24

Protection Profiles
PP_APP_v1.2

Other References
FCS_RBG_EXT.1

Issue Description

TD0172 makes reference to System.Random, which is not a cryptographically secure method for generating random numbers on Windows platforms. The PP itself also references the Namespace System.Random that is documented by Microsoft for the .NET frameworks.

Resolution

This TD replaces TD0172.

In FCS_RBG_EXT.1, the Assurance Activity for Windows shall be updated as follows:

For Windows:

The evaluator shall verify that rand_s, RtlGenRandom, BCryptGenRandom, or CryptGenRandom API is used for classic desktop applications. The evaluator shall verify that the System.Random API RNGCryptoServiceProvider class or a class derived from System.Security.Cryptography.RandomNumberGenerator is used for Windows Universal Applications. It is only required that the API is called/invoked, there is no requirement that the API be used directly. In future versions of this document, CryptGenRandom may be removed as an option as it is no longer the preferred API per vendor documentation.

Justification

The Remarks section of the Microsoft document at https://docs.microsoft.com/en-us/dotnet/api/system.random?view=netframework-4.7.2 contains recommendations for generation of cryptographically secure random numbers.
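As an added illustration of the Windows assurance activity above (not part of the TD or any NIAP tooling), the following Python sketch does a first-pass byte scan of an application image for the approved API and class names. It is a heuristic, not a PE or .NET metadata parser; the function names and the sample bytes are constructed for this example.

```python
import re

# Names the Windows assurance activity accepts. RtlGenRandom is exported by
# advapi32.dll under the name SystemFunction036, so that is the string a
# native binary actually carries.
NATIVE_APIS = {
    "rand_s": b"rand_s",
    "RtlGenRandom": b"SystemFunction036",
    "BCryptGenRandom": b"BCryptGenRandom",
    "CryptGenRandom": b"CryptGenRandom",
}
MANAGED_TYPES = {
    "RNGCryptoServiceProvider": b"RNGCryptoServiceProvider",
    "RandomNumberGenerator": b"RandomNumberGenerator",
}

def _has_symbol(image: bytes, name: bytes) -> bool:
    # Whole-name match: NUL-terminated and not preceded by an identifier
    # character, so "BCryptGenRandom" is not counted as "CryptGenRandom".
    pattern = rb"(?<![A-Za-z0-9_])" + re.escape(name) + rb"\x00"
    return re.search(pattern, image) is not None

def approved_rng_references(image: bytes) -> dict:
    """Return which approved RNG names appear in the raw image bytes."""
    return {
        "native": sorted(n for n, s in NATIVE_APIS.items() if _has_symbol(image, s)),
        "managed": sorted(n for n, s in MANAGED_TYPES.items() if _has_symbol(image, s)),
    }

# Constructed sample bytes imitating import hint/name entries (2-byte hint
# followed by a NUL-terminated name) and a managed string heap; not real binaries.
SAMPLE_DESKTOP = b"\x12\x00BCryptGenRandom\x00\x00\x34\x00SystemFunction036\x00"
SAMPLE_MANAGED = b"\x00Random\x00RandomNumberGenerator\x00System.Security.Cryptography\x00"

if __name__ == "__main__":
    print(approved_rng_references(SAMPLE_DESKTOP))
    print(approved_rng_references(SAMPLE_MANAGED))
```

A hit only shows that a name is referenced in the image; an empty result does not prove absence, because the TD allows the API to be invoked indirectly through a library the application calls.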
