Test 1-2


TEST 1

Test Case ID: BIS-1.9.1 Test Name: TC_CHECK_CRYPTOGRAPHIC_PRNG_UTILIZATION_DOC


Objective

To verify, through documentation review, that the random number generators (RNGs) used in the DUT—whether hardware-based or software-based—are compliant with industry standards for cryptographic use and are suitable for generating high-entropy, secure random values.


Tools Used

  • OEM-provided SoC datasheet and device technical specifications

  • RNG compliance and certification documents (e.g., NIST SP 800-90, FIPS 140-3 validation reports)

  • Vendor documentation for software RNG libraries used (if applicable)


Test Execution Steps

  1. Documentation Acquisition

    • Obtain vendor-provided documentation including the SoC datasheet and technical specifications detailing RNG capabilities.

  2. Hardware RNG Documentation Review

    • Verify that documentation specifies:

      • Entropy source (e.g., thermal noise, oscillator jitter)

      • Generation algorithm (e.g., DRBG, TRNG architecture)

      • Compliance with cryptographic standards (e.g., NIST, FIPS).

  3. Software RNG Documentation Review

    • Review details of the software RNG library being used (e.g., OpenSSL RAND, mbedTLS CTR_DRBG).

    • Verify the library meets industry cryptographic standards and has no known vulnerabilities.

  4. Suitability Assessment

    • Ensure the RNG (hardware or software) is designed for cryptographic applications, not general-purpose random generation.


Expected Results for Pass

  • Documentation confirms the RNG’s compliance with cryptographic standards.

  • Hardware RNGs specify a valid entropy source and compliant algorithm.

  • Software RNGs use secure, approved libraries with proven cryptographic strength.


Test Observations

(Insert findings here — e.g., "SoC datasheet confirms hardware TRNG compliant with NIST SP 800-90A; entropy sourced from oscillator jitter; software fallback uses mbedTLS CTR_DRBG.")


Evidence Provided

  • Excerpts from SoC datasheet detailing RNG specifications

  • Vendor RNG compliance reports or certifications

  • Documentation for software RNG libraries used


Test Case Result

Pass – Documentation confirms RNG suitability for cryptographic purposes ☐ Fail – RNG does not meet cryptographic standards or lacks sufficient documentation



TEST 2

Test Case ID: BIS-1.9.2 Test Name: TC_CHECK_CRYPTOGRAPHIC_PRNG_UTILIZATION_CODE


Objective

To verify, through static and manual code review, that the random number generators (RNGs) or related libraries used in the device are implemented correctly, securely, and in compliance with cryptographic best practices.


Tools Used

  • Static Application Security Testing (SAST) tool (e.g., Fortify SCA, SonarQube, Checkmarx)

  • Source code repository access (Git/SVN)

  • Manual secure coding review checklist (aligned with OWASP, NIST SP 800-90 recommendations)

  • Vendor documentation for RNG implementation details


Test Execution Steps

  1. Automated Code Analysis

    • Run the SAST tool on the device’s codebase, targeting modules/functions responsible for generating random numbers.

  2. Automated Results Review

    • Examine tool-generated reports for:

      • Usage of deprecated RNG functions (e.g., rand(), srand() in C/C++).

      • Low-entropy sources or improper seeding.

      • Predictable output patterns.

  3. Manual Code Review

    • Manually inspect code sections handling cryptographic operations that depend on RNGs.

    • Confirm correct initialization and secure invocation of PRNG functions.

    • Validate that hardware RNGs (TRNG) or approved cryptographic PRNG libraries (e.g., OpenSSL RAND, mbedTLS CTR_DRBG) are used where applicable.

  4. Contextual Validation

    • Assess usage context to ensure RNG output is not reused insecurely and is integrated properly with key generation, session handling, and other sensitive operations.


Expected Results for Pass

  • SAST report confirms that secure, approved RNG methods are used without insecure or deprecated functions.

  • Manual review validates correct PRNG usage and confirms compliance with security best practices.

  • RNG functions provide sufficient entropy and unpredictability for cryptographic purposes.


Test Observations

(Insert findings here — e.g., "All cryptographic functions use hardware TRNG via mbedTLS CTR_DRBG; no deprecated RNG functions detected; seeding follows NIST recommendations.")


Evidence Provided

  • SAST tool output reports with relevant findings highlighted

  • Code snippets showing secure RNG implementation

  • Vendor documentation excerpts describing PRNG usage


Test Case Result

Pass – RNG implementation verified as secure and compliant ☐ Fail – Insecure RNG usage or best practice deviations found


Overall Test Result

(Summarize BIS-1.9.1 and BIS-1.9.2 results — e.g., "Both documentation and code review confirm secure implementation of cryptographic PRNGs; requirement met.")

Last updated

Was this helpful?