[14005] in cryptography@c2.net mail archive
Re: PRNG design document?
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Sep 3 09:21:17 2003
X-Original-To: cryptography@metzdowd.com
Date: Wed, 3 Sep 2003 13:41:08 +1200
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: astiglic@okiok.com, ben@algroup.co.uk, cryptography@metzdowd.com,
tls@rek.tjls.com
"Anton Stiglic" <astiglic@okiok.com> writes:
>It is important to choose both a random seed and random key, and FIPS 140 has
>no provision for this.
Yes it does, you just have to interpret it correctly.
The post-processed pool output [from the cryptlib generator] is not sent
directly to the caller but is first passed through an X9.17 PRNG that is
rekeyed every time a certain number of output blocks have been produced with
it, with the currently active key being destroyed. Since the X9.17
generator produces a 1:1 mapping, it can never make the output any worse,
and it provides an extra level of protection for the generator output (as
well as making it easier to obtain FIPS 140 certification). Using the
generator in this manner is valid since X9.17 requires the use of DT, "a
date/time vector which is updated on each key generation", and cryptlib
chooses to represent this value as a complex hash of assorted incidental
data and the date and time. The fact that 99.9999% of the value of the
X9.17 generator is coming from the "timestamp" is as coincidental as the
side effect of the engine-cooling fan in the Brabham ground-effect cars
[Reference].
Peter.
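The X9.17 post-processing stage described above, as an added example that is not cryptlib's own code: it implements the X9.17 step (I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I)) with periodic rekeying and destruction of the old key, and shows why the stage is a 1:1 mapping of its input. Assumptions: a SHA-256 based Feistel network stands in for the Triple-DES block cipher X9.17 specifies, the pool is a caller-supplied callable, and the rekey interval and the contents hashed into DT are illustrative choices.

```python
import hashlib
import os
import time

BLOCK = 8  # 64-bit blocks, as in the Triple-DES based X9.17 generator

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption): 4-round Feistel network with a SHA-256
    round function.  Like Triple-DES, it is a bijection on the block space."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(bytes(key) + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right

def x917_step(key: bytes, dt: bytes, v: bytes) -> tuple:
    """One X9.17 iteration: I = E_K(DT), R = E_K(I ^ V), V' = E_K(R ^ I).
    For fixed K and DT the map V -> R is one-to-one, so R cannot lose entropy."""
    i = encrypt_block(key, dt)
    r = encrypt_block(key, _xor(i, v))
    return r, encrypt_block(key, _xor(r, i))

class X917Stage:
    """Post-processing stage fed from a pool: rekeyed after `rekey_after`
    output blocks, with the previous key overwritten by zeros."""
    def __init__(self, pool, rekey_after: int = 32):
        self.pool = pool            # callable: n -> n bytes of pool output
        self.rekey_after = rekey_after
        self.key, self.v, self.count = None, None, 0
    def _rekey(self) -> None:
        if self.key is not None:
            for j in range(len(self.key)):   # destroy the old key in place
                self.key[j] = 0
        self.key = bytearray(self.pool(32))
        self.v = self.pool(BLOCK)
        self.count = 0
    def _dt(self) -> bytes:
        # DT as the post describes it: a hash of incidental data and the time
        data = os.getpid().to_bytes(8, "big") + self.count.to_bytes(4, "big")
        return hashlib.sha256(data + repr(time.time()).encode()).digest()[:BLOCK]
    def next_block(self) -> bytes:
        if self.key is None or self.count >= self.rekey_after:
            self._rekey()
        r, self.v = x917_step(self.key, self._dt(), self.v)
        self.count += 1
        return r
```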
---------------------------------------------------------------------
The Cryptography Mailing List