[13992] in cryptography@c2.net mail archive
Re: PRNG design document?
daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Tue Sep 2 15:27:34 2003
X-Original-To: cryptography@metzdowd.com
Date: Tue, 2 Sep 2003 12:33:29 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: cryptography@metzdowd.com
Reply-To: tls@rek.tjls.com
In-Reply-To: <0e3c01c3716c$b76dd120$3f00a8c0@p1038mobile>
On Tue, Sep 02, 2003 at 12:10:23PM -0400, Anton Stiglic wrote:
>
> Right. So I don't actually have the original ANSI X9.17 document (and it is
> no longer available in the ANSI X9 catalogue). My references are
> HAC section 5.3.1
> http://www.cacr.math.uwaterloo.ca/hac/about/chap5.pdf
> and Kelsey, Schneier, Wagner and Hall's paper
> http://www.counterpane.com/pseudorandom_number.pdf
>
> In both of the above references, the ANSI X9.17 PRNG is described as taking
> a 64-bit seed s along with a DES E-D-E encryption key k.
> The encrypted time is XORed with the seed and this result is encrypted to
> obtain the output; the seed is updated by encrypting the last output XORed
> with the encrypted time.
> So there is a possibility of re-keying (the key that is used for the
> encryption), and re-seeding (explicitly, not relying on the self-re-seeding...).
>
> It is important to choose both a random seed and a random key, and FIPS 140
> has no provision for this.
Well, it certainly doesn't forbid it; again, a simple approach is to treat
the seed as part of the key material and replace it when sufficient entropy
is available from hardware sources.
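The generator as Anton describes it, written out as an added example (not code from the thread or from any of the cited references): ANSI X9.17 over Go's standard-library 3DES, with the seed update each step and the explicit reseeding that Thor suggests. Key and seed bytes in any test are constructed placeholders; a real deployment draws both from a hardware entropy source.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"errors"
)

// X917 is the ANSI X9.17 generator state: a DES E-D-E key K and a 64-bit seed V.
type X917 struct {
	blk  cipher.Block
	seed [8]byte
}

// NewX917 takes a 24-byte 3DES key (for the two-key EDE of X9.17 pass K1|K2|K1)
// and an 8-byte seed. Both must come from a real entropy source.
func NewX917(key, seed []byte) (*X917, error) {
	if len(seed) != 8 {
		return nil, errors.New("x917: seed must be 8 bytes")
	}
	blk, err := des.NewTripleDESCipher(key) // errors unless len(key) == 24
	if err != nil {
		return nil, err
	}
	g := &X917{blk: blk}
	copy(g.seed[:], seed)
	return g, nil
}

// Step is one iteration on the 64-bit date/time block DT:
//   I = E_K(DT)  (encrypted time);  R = E_K(I xor V)  (output);
//   V' = E_K(I xor R)  (next seed, kept in g.seed).
func (g *X917) Step(dt [8]byte) (r [8]byte) {
	var i, t [8]byte
	g.blk.Encrypt(i[:], dt[:])
	for n := range t {
		t[n] = i[n] ^ g.seed[n]
	}
	g.blk.Encrypt(r[:], t[:])
	for n := range t {
		t[n] = i[n] ^ r[n]
	}
	g.blk.Encrypt(g.seed[:], t[:])
	return r
}

// Reseed replaces V with fresh entropy: the explicit re-seeding the thread
// discusses, as opposed to the self-re-seeding done by Step.
func (g *X917) Reseed(seed [8]byte) { g.seed = seed }
```

Re-keying is the same idea applied to K: build a new cipher.Block with des.NewTripleDESCipher and swap it into blk.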