[13979] in cryptography@c2.net mail archive


Re: PRNG design document?

daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Fri Aug 29 15:59:01 2003

X-Original-To: cryptography@metzdowd.com
Date: Fri, 29 Aug 2003 15:45:50 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: cryptography@metzdowd.com
Reply-To: tls@rek.tjls.com
In-Reply-To: <3F4F2A9D.8050205@algroup.co.uk>

On Fri, Aug 29, 2003 at 11:27:41AM +0100, Ben Laurie wrote:
> > 
> > As you mentioned, the FIPS-140-2 approved PRNG 
> > are deterministic, they take a random seed and extend it
> > to more random bytes.  But FIPS-140-2 has no 
> > provision for generating the seed in the first place, 
> > this is where something like Yarrow or the cryptlib
> > RNG come in handy.
> 
> Actually, FIPS-140 _does_ have provision for seeding, at least for X9.17
> (you use the time :-), but not for keying.

I think there's some confusion of terminology here.  A "time", Ti for each
iteration of the algorithm, is one of the inputs to the X9.17 generator
(otherwise, you might as well just use DES/3DES in any chaining or feedback
mode, for all practical purposes).  However, it has always been permitted
to use a free-running counter instead of the time, and indeed the current 
interpretation by NIST *requires* that a counter, not the time, be used.

As for keying, you're allowed to key with whatever you want, whenever you
want, but at least from my conversations with a number of people during a
recent certification, you'd better be prepared to explain why your source
of key material is strong.

One implementation with which I was involved essentially rekeyed the
generator as soon as enough entropy had accumulated from a hardware
source; another rekeyed it depending on the number of output blocks.
Both approaches are permissible.

I do have some more thoughts on the quality of the various generators
the standard allows, but I haven't had time to get them down in writing;
I'll try to do so before this thread is totally stale...

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
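The X9.17 construction the reply describes, with a free-running counter in the Ti slot and a block-count rekeying policy, as an added Go example using the standard library's 3DES; this is not code from the thread or from either implementation the author mentions, and the struct layout, the rekey threshold parameter and the use of a plain 64-bit counter for Ti are assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
)

// X917 is an ANSI X9.17-style generator keyed with 3DES. Its "time" input Ti
// is a free-running counter, as the text says NIST's interpretation requires.
type X917 struct {
	blk    cipher.Block
	v      [8]byte // seed/state block V
	ti     uint64  // counter standing in for the time input Ti (assumption)
	blocks uint64  // output blocks since the last keying
	limit  uint64  // assumed policy: rekey after this many blocks
}

// NewX917 builds a generator that wants rekeying after rekeyAfter blocks.
func NewX917(key [24]byte, seed [8]byte, rekeyAfter uint64) (*X917, error) {
	g := &X917{limit: rekeyAfter}
	return g, g.Rekey(key, seed)
}

// Rekey installs fresh K and V (e.g. from accumulated hardware entropy, as in
// the text's first implementation) and resets the block count.
func (g *X917) Rekey(key [24]byte, seed [8]byte) error {
	blk, err := des.NewTripleDESCipher(key[:])
	if err != nil { return err }
	g.blk, g.v, g.blocks = blk, seed, 0
	return nil
}

// Next yields one 8-byte block: I = E_K(Ti); R = E_K(I xor V); V = E_K(R xor I).
func (g *X917) Next() []byte {
	var t, i, r [8]byte
	binary.BigEndian.PutUint64(t[:], g.ti)
	g.ti++
	g.blk.Encrypt(i[:], t[:]) // I = E_K(Ti)
	for k := range r { r[k] = i[k] ^ g.v[k] }
	g.blk.Encrypt(r[:], r[:]) // R = E_K(I xor V): the output block
	for k := range t { t[k] = r[k] ^ i[k] }
	g.blk.Encrypt(g.v[:], t[:]) // V = E_K(R xor I): next state
	g.blocks++
	return r[:]
}

// NeedsRekey is the block-count policy: true once limit blocks have been output.
func (g *X917) NeedsRekey() bool { return g.blocks >= g.limit }
```

A caller polls NeedsRekey after each block and feeds Rekey from its entropy source; the entropy-driven variant from the text simply calls Rekey whenever enough hardware entropy has accumulated, regardless of the count.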
