[145812] in cryptography@c2.net mail archive
Re: questions about RNGs and FIPS 140
daemon@ATHENA.MIT.EDU (Ben Laurie)
Sun Sep 5 18:10:25 2010
Date: Sun, 05 Sep 2010 15:11:39 +0100
From: Ben Laurie <ben@links.org>
To: Joshua Hill <josh-lists@untruth.org>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, leichter@lrw.com,
Nicolas.Williams@oracle.com, cryptography@metzdowd.com,
travis+ml-cryptography@subspacefield.org
In-Reply-To: <20100827113831.A27177@chiba.halibut.com>
On 27/08/2010 19:38, Joshua Hill wrote:
> The fact is that all of the approved deterministic RNGs have places that
> you are expected to use to seed the generator. The text of the standard
> explicitly states that you can use non-approved non-deterministic RNGs
> to seed your approved deterministic RNG.
This is nice.
> It's an even better situation if you look at the modern deterministic RNGs
> described in NIST SP800-90. (You'll want to use these, anyway. They are
> better designs and last I heard, NIST was planning on retiring the other
> approved deterministic RNGs.) Every design in SP800-90 requires that your
> initial seed is appropriately large and unpredictable, and the designs all
> allow (indeed, require!) periodic reseeding in similarly reasonable ways.
Given that we seem to have agreed that "unpredictable" is kinda hard,
I'm amused that SP800-90 requires it. If it is a requirement then I
wonder why NIST didn't specify how to generate and validate such a seed?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
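As an added illustration of the seeding and reseeding points the quoted SP 800-90 description refers to, below is a minimal HMAC_DRBG over SHA-256 written for this page (it is not code from the thread, from NIST, or from any library). It follows the SP 800-90A HMAC_DRBG steps (instantiate, reseed, generate), assumes SHA-256's 256-bit security strength, enforces only the standard's minimum lengths for the entropy input and nonce, and takes a configurable reseed interval so the "reseed required" path can be exercised. The fixed seed bytes in the demo are constructed so the run is reproducible; the live reseed draws from `os.urandom` as the non-approved entropy source feeding the approved generator.

```python
import hashlib
import hmac
import os

OUTLEN = 32                    # SHA-256 output length in bytes
SECURITY_STRENGTH_BYTES = 32   # 256-bit security strength for SHA-256


class ReseedRequired(Exception):
    """Generate refused because reseed_counter exceeded reseed_interval."""


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A, section 10.1.2) with SHA-256."""

    def __init__(self, entropy_input, nonce, personalization=b"",
                 reseed_interval=1 << 48):
        # The DRBG can only check *length*; it cannot check that the
        # entropy input is actually unpredictable. That is the caller's job.
        if len(entropy_input) < SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input must be at least security_strength bits")
        if len(nonce) < SECURITY_STRENGTH_BYTES // 2:
            raise ValueError("nonce must be at least security_strength/2 bits")
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: fold provided_data into (K, V).
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy_input, additional_input=b""):
        """Fresh entropy enters here; the reseed counter restarts."""
        if len(entropy_input) < SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input must be at least security_strength bits")
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes, additional_input=b""):
        """Return num_bytes of output, or refuse if a reseed is overdue."""
        if self.reseed_counter > self.reseed_interval:
            raise ReseedRequired("reseed interval exhausted; call reseed()")
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < num_bytes:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return temp[:num_bytes]


def demo():
    """Exercise instantiate -> generate -> forced reseed -> generate."""
    # Constructed, fixed seed material so the demo is reproducible.
    drbg = HmacDrbg(b"\x11" * 32, b"\x22" * 16, b"demo", reseed_interval=2)
    first = drbg.generate(16)
    second = drbg.generate(16)
    try:
        drbg.generate(16)
        refused = False
    except ReseedRequired:
        refused = True
    # Reseed from a non-approved, non-deterministic source (os.urandom).
    drbg.reseed(os.urandom(SECURITY_STRENGTH_BYTES))
    third = drbg.generate(16)
    return first, second, refused, third


if __name__ == "__main__":
    f, s, r, t = demo()
    print("output 1:", f.hex())
    print("output 2:", s.hex())
    print("third call refused before reseed:", r)
    print("after reseed:", t.hex())
```

Everything the generator does after instantiation is a deterministic function of (K, V), so two instances given identical seed material emit identical streams; the length checks above are the only "validation" the design performs, which is exactly the gap the reply points at.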
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com