28 September - 1 October | Cardo Roma, Italy

Certifiable Random Number Generation in Virtualized Environments According to AIS 20/31 (A31c)

Discover methods for certifying random number generation in virtualized environments under AIS 20/31.
01 Oct 2026
11:45 am
Sala Cosmo I

Secure cryptographic mechanisms and protocols fundamentally depend on high-quality random numbers. However, developers often face challenges in finding a suitable random number generator that is also certifiable. When the Target of Evaluation is operated within a virtual machine or cloud environment, users frequently have little or no control over the configuration of the host machine. As a result, random numbers provided by the host operating system to guests are often unusable, as they typically rely on entropy generated by the processor. Such noise sources cannot be used at higher evaluation assurance levels because their implementation representation is usually not available to the developer. In recent years, Stephan Müller’s Jitter RNG, which enables random number generation in user space, has emerged as a popular alternative.

This talk will introduce initial findings from a study on the Jitter RNG commissioned by the German Federal Office for Information Security (BSI), and outline the evaluation methodology used in certification procedures. In addition, a brief overview of the AIS 20/31 framework, used in Germany and other European countries for the evaluation of random number generators, will be provided. The talk will further highlight ongoing efforts toward harmonization, particularly with NIST, and discuss initiatives to establish AIS 20/31 as a state-of-the-art document or guideline within EUCC.