Test 1-2
TEST 1
Test Case ID: BIS-1.9.1 Test Name: TC_CHECK_CRYPTOGRAPHIC_PRNG_UTILIZATION_DOC
Objective
To verify, through documentation review, that the random number generators (RNGs) used in the DUT—whether hardware-based or software-based—are compliant with industry standards for cryptographic use and are suitable for generating high-entropy, secure random values.
Tools Used
OEM-provided SoC datasheet and device technical specifications
RNG compliance and certification documents (e.g., NIST SP 800-90, FIPS 140-3 validation reports)
Vendor documentation for software RNG libraries used (if applicable)
Test Execution Steps
Documentation Acquisition
Obtain vendor-provided documentation including the SoC datasheet and technical specifications detailing RNG capabilities.
Hardware RNG Documentation Review
Verify that documentation specifies:
Entropy source (e.g., thermal noise, oscillator jitter)
Generation algorithm (e.g., DRBG, TRNG architecture)
Compliance with cryptographic standards (e.g., NIST, FIPS).
Software RNG Documentation Review
Review details of the software RNG library being used (e.g., OpenSSL RAND, mbedTLS CTR_DRBG).
Verify the library meets industry cryptographic standards and has no known vulnerabilities.
Suitability Assessment
Ensure the RNG (hardware or software) is designed for cryptographic applications, not general-purpose random generation.
Expected Results for Pass
Documentation confirms the RNG’s compliance with cryptographic standards.
Hardware RNGs specify a valid entropy source and compliant algorithm.
Software RNGs use secure, approved libraries with proven cryptographic strength.
Test Observations
(Insert findings here — e.g., "SoC datasheet confirms hardware TRNG compliant with NIST SP 800-90A; entropy sourced from oscillator jitter; software fallback uses mbedTLS CTR_DRBG.")
Evidence Provided
Excerpts from SoC datasheet detailing RNG specifications
Vendor RNG compliance reports or certifications
Documentation for software RNG libraries used
Test Case Result
☐ Pass – Documentation confirms RNG suitability for cryptographic purposes ☐ Fail – RNG does not meet cryptographic standards or lacks sufficient documentation
TEST 2
Test Case ID: BIS-1.9.2 Test Name: TC_CHECK_CRYPTOGRAPHIC_PRNG_UTILIZATION_CODE
Objective
To verify, through static and manual code review, that the random number generators (RNGs) or related libraries used in the device are implemented correctly, securely, and in compliance with cryptographic best practices.
Tools Used
Static Application Security Testing (SAST) tool (e.g., Fortify SCA, SonarQube, Checkmarx)
Source code repository access (Git/SVN)
Manual secure coding review checklist (aligned with OWASP, NIST SP 800-90 recommendations)
Vendor documentation for RNG implementation details
Test Execution Steps
Automated Code Analysis
Run the SAST tool on the device’s codebase, targeting modules/functions responsible for generating random numbers.
Automated Results Review
Examine tool-generated reports for:
Usage of deprecated RNG functions (e.g.,
rand()
,srand()
in C/C++).Low-entropy sources or improper seeding.
Predictable output patterns.
Manual Code Review
Manually inspect code sections handling cryptographic operations that depend on RNGs.
Confirm correct initialization and secure invocation of PRNG functions.
Validate that hardware RNGs (TRNG) or approved cryptographic PRNG libraries (e.g., OpenSSL RAND, mbedTLS CTR_DRBG) are used where applicable.
Contextual Validation
Assess usage context to ensure RNG output is not reused insecurely and is integrated properly with key generation, session handling, and other sensitive operations.
Expected Results for Pass
SAST report confirms that secure, approved RNG methods are used without insecure or deprecated functions.
Manual review validates correct PRNG usage and confirms compliance with security best practices.
RNG functions provide sufficient entropy and unpredictability for cryptographic purposes.
Test Observations
(Insert findings here — e.g., "All cryptographic functions use hardware TRNG via mbedTLS CTR_DRBG; no deprecated RNG functions detected; seeding follows NIST recommendations.")
Evidence Provided
SAST tool output reports with relevant findings highlighted
Code snippets showing secure RNG implementation
Vendor documentation excerpts describing PRNG usage
Test Case Result
☐ Pass – RNG implementation verified as secure and compliant ☐ Fail – Insecure RNG usage or best practice deviations found
Overall Test Result
(Summarize BIS-1.9.1 and BIS-1.9.2 results — e.g., "Both documentation and code review confirm secure implementation of cryptographic PRNGs; requirement met.")
Last updated
Was this helpful?