How to justify mbedtls_ctr_drbg algorithm in MK81 for FIPS certification?

Thiru_S · ‎08-21-2023

Dear Team,

We have used mbedtls based ctr_drbg algorithm along with hardware LTC based AES-256 encryption in our project on MK81 MCU.

We want to apply for FIPS certification to justify the DRBG algorithm is standard one.

Please help to give some sample input and output data to test and validate the ctr_drbg with LTC based AES-256 bit encryption as backend.

Currently we got some info from FIPS, but they have used software based AES backend in ctr_drbg to generate inputs and outputs, we are unable to validate the result in our hardware which is having different results due to the AES backend difference.

Please help to get validate the correct output using the crt_drbg algorithm for FIPS.

Thank you.

Thiru.

Thiru_S · ‎09-03-2023

Hi @RaRo ,

I have SDK for MK81, But i'm not able to find any specific example for the CTR DRBG only found the selftest code in ctr_drbg.c file under mbedtls modules.

This self test procedure is not suitable for the FIPS sample inputs and outputs.

Is the NXP supports FIPS certification for CTR_DRBG algorithm (STD: SP800-90A)?

Thank you.

Thiru.

RaRo · ‎09-13-2023

Hello @Thiru_S,

First of all, let us apologize for the delay.

K81 doesn't provide CTR_DRBG implementation. You could combine TRNG as seed and CTR-AES to implement CTR_DRBG according to FIPS CTR_DRBG specification such as mbedTLS as reference.

K81 supports part of FIPS CAVP certification, please refer to the following link: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?product=1593

Best regards, Raul.

RaRo · ‎09-07-2023

Hello @Thiru_S,

Let us double check the information for the K81. In general, NXP have EdgeLock SE050 | Enhanced IoT Security | NXP Semiconductors which supports FIPS certification.

At the meantime, have you checked the Recommendation for Random Number Generation Using Deterministic Random Bit Generators? It might be useful to take a look at as it provides example pseudocode for each DRBG mechanism, which you could access here.

Best regards, Raul.

Thiru_S · ‎08-24-2023

Hi Raul,

Thank you for the info.

"TWR-K81F150M" SDK is not present in the SDK builder, your link shows like below,

Please advise.

Thank you.

Thiru.

RaRo · ‎08-25-2023

Hello @Thiru_S,

Could you please go to Support | NXP Semiconductors and request an NDA to obtain the K81's SDK?

Best regards, Raul.

RaRo · ‎08-24-2023

Hello @Thiru_S,

Have you checked the TWR-K81F150M SDK's mbedtls examples? You could download the SDK here.

Also, might be useful to take a look at the Mbed TLS documentation hub about FIPS.

Best regards, Raul.