PRNG design document?

Thor Lancelot Simon tls at
Mon Aug 25 21:15:00 EDT 2003

On Fri, Aug 22, 2003 at 10:00:14AM -0700, Bob Baldwin PlusFive wrote:
> Tim,
>      One issue to consider is whether the system
> that includes the PRNG will ever need a FIPS-140-2
> rating.  For example, people are now working on
> a FIPS-140 validation for OpenSSL.  If so, then
> the generator for keys and IVs MUST be a FIPS
> approved algorithm, whether or not there are

That's not quite right.

1) Various entities have already had various versions of 
   OpenSSL FIPS-140-2 certified.

2) It is permissible to use a non-Approved deterministic
   RNG for IV generation, though not for keying.

Since it's permissible to rekey the Approved PRNG, and there is no
requirement for _how_ it is rekeyed save that the input must not have
demonstrably less entropy than the output, it is possible to use, if
not Yarrow, a _very_ similar design by using an entropy pool collecting
input from one or more hardware sources to periodically rekey the
Approved X9.17 generator.

I am informed that in the past, implementations using Yarrow have, in
fact, been certified, passing the code examination in the lab by
documenting that Yarrow's output stage is, in fact, algorithmically
equivalent to the X9.17 generator.  Unfortunately, since those products
were certified, there have been some particularly ill-considered
interpretations of the X9.17 RNG specification by NIST which I believe
would now make it impossible to have a Yarrow implementation certified;
but you can get very close.
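As an added illustration of the arrangement described in the message above, a non-Approved entropy pool periodically rekeying an Approved X9.17 generator (this is example code written for this page, not Thor Lancelot Simon's code nor that of any certified product): the X9.17 step itself (I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I) under two-key 3DES) is fed K and V from a Yarrow-style SHA-256 accumulator that refuses to hand out fresh material until the entropy it has been credited reaches the 192 bits of state it will replace. The Pool type, the RekeyBits threshold, the SHA-256 chaining and ratchet, the DT helper and the "constructed-hwrng-sample" inputs are all assumptions of this example, not anything specified by X9.17, Yarrow or NIST.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// X917 is the ANSI X9.17 generator: two-key 3DES under K, a 64-bit state V,
// and a 64-bit date/time vector DT supplied by the caller for each step:
//   I = E_K(DT);  R = E_K(I xor V);  V' = E_K(R xor I)
// Only K and V are secret; they are what the entropy pool rekeys.
type X917 struct {
	block cipher.Block
	v     [8]byte
}

func xor8(a, b [8]byte) (out [8]byte) {
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return
}

func tdesBlock(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("X9.17 uses a 16-byte two-key 3DES key")
	}
	k := make([]byte, 24) // expand K1||K2 to K1||K2||K1 for Go's 3DES
	copy(k, key16)
	copy(k[16:], key16[:8])
	return des.NewTripleDESCipher(k)
}

func NewX917(key16 []byte, seed [8]byte) (*X917, error) {
	b, err := tdesBlock(key16)
	if err != nil {
		return nil, err
	}
	return &X917{block: b, v: seed}, nil
}

// Next runs one X9.17 step and returns the 64-bit output block R.
func (g *X917) Next(dt [8]byte) [8]byte {
	var i, r, t [8]byte
	g.block.Encrypt(i[:], dt[:])
	t = xor8(i, g.v)
	g.block.Encrypt(r[:], t[:])
	t = xor8(r, i)
	g.block.Encrypt(g.v[:], t[:])
	return r
}

// Rekey replaces K and V. Nothing here checks entropy: that is the pool's job.
func (g *X917) Rekey(key16 []byte, seed [8]byte) error {
	b, err := tdesBlock(key16)
	if err != nil {
		return err
	}
	g.block, g.v = b, seed
	return nil
}

// DT packs the current time into the 64-bit date/time vector (assumed layout).
func DT(t time.Time) (dt [8]byte) {
	binary.BigEndian.PutUint64(dt[:], uint64(t.UnixNano()))
	return
}

// Pool is a Yarrow-style accumulator (assumed design): hardware samples are
// folded into a SHA-256 chain together with a conservative entropy estimate.
type Pool struct {
	state    [32]byte
	estimate int // bits of entropy credited since the last extraction
}

func (p *Pool) Add(sample []byte, entropyBits int) {
	h := sha256.New()
	h.Write(p.state[:])
	h.Write(sample)
	copy(p.state[:], h.Sum(nil))
	p.estimate += entropyBits
}

// RekeyBits is the entropy required before rekeying: 128-bit K plus 64-bit V,
// so the rekey input never carries demonstrably less entropy than the state.
const RekeyBits = 192

// Extract derives K||V for an X9.17 rekey, refusing until enough is credited.
func (p *Pool) Extract() (key []byte, seed [8]byte, err error) {
	if p.estimate < RekeyBits {
		return nil, seed, fmt.Errorf("pool credits only %d of %d bits", p.estimate, RekeyBits)
	}
	out := sha256.Sum256(append([]byte("x917-rekey:"), p.state[:]...))
	key = out[:16]
	copy(seed[:], out[16:24])
	// Ratchet so the extracted K||V cannot be recovered from a later pool compromise.
	p.state = sha256.Sum256(append([]byte("x917-ratchet:"), p.state[:]...))
	p.estimate = 0
	return key, seed, nil
}

func main() {
	var pool Pool
	// Constructed samples standing in for hardware RNG reads; the credit per
	// sample is the figure a lab would want justified, not the sample length.
	pool.Add([]byte("constructed-hwrng-sample-0001"), 96)
	pool.Add([]byte("constructed-hwrng-sample-0002"), 96)
	key, seed, err := pool.Extract()
	if err != nil {
		panic(err)
	}
	g, err := NewX917(key, seed)
	if err != nil {
		panic(err)
	}
	for n := 0; n < 3; n++ {
		fmt.Printf("R%d = %x\n", n, g.Next(DT(time.Now())))
	}
	pool.Add([]byte("constructed-hwrng-sample-0003"), 192)
	if key, seed, err = pool.Extract(); err == nil { // enough credited: swap in fresh K||V
		_ = g.Rekey(key, seed)
	}
}
```

The X9.17 step is the only part that would be examined against the Approved algorithm; the pool, its entropy accounting and the choice of when to call Rekey are exactly the part this message says the standard leaves to the implementer. Two things are deliberately left out for brevity: DES key parity bits are not set on the derived K (Go's 3DES ignores them), and DT is not guarded against clock repeats, which a real implementation would do with a counter.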


The Cryptography Mailing List