PRNG design document?

Thor Lancelot Simon tls at rek.tjls.com
Fri Aug 29 15:45:50 EDT 2003


On Fri, Aug 29, 2003 at 11:27:41AM +0100, Ben Laurie wrote:
> > 
> > As you mentioned, the FIPS-140-2 approved PRNG 
> > are deterministic, they take a random seed and extend it
> > to more random bytes.  But FIPS-140-2 has no 
> > provision for generating the seed in the first place, 
> > this is where something like Yarrow or the cryptlib
> > RNG come in handy.
> 
> Actually, FIPS-140 _does_ have provision for seeding, at least for X9.17
> (you use the time :-), but not for keying.

I think there's some confusion of terminology here.  A "time", Ti for each
iteration of the algorithm, is one of the inputs to the X9.17 generator
(otherwise, you might as well just use DES/3DES in any chaining or feedback
mode, for all practical purposes).  However, it has always been permitted
to use a free-running counter instead of the time, and indeed the current 
interpretation by NIST *requires* that a counter, not the time, be used.

As for keying, you're allowed to key with whatever you want, whenever you
want, but at least from my conversations with a number of people during a
recent certification, you'd better be prepared to explain why your source
of key material is strong.

One implementation with which I was involved essentially rekeyed the
generator as soon as enough entropy had accumulated from a hardware
source; another rekeyed it depending on the number of output blocks.
Both approaches are permissible.

I do have some more thoughts on the quality of the various generators
the standard allows but I haven't had time to get them down in writing;
I'll try to do so before this thread is totally stale...

-- 
 Thor Lancelot Simon	                                      tls at rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
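To make the X9.17 structure Thor describes concrete (a per-iteration "time" T_i, a keyed 3DES block cipher, and the two rekeying policies he mentions), here is an added example in Go. It is not code from the message or from any certified module; it uses a free-running counter in place of the time, as the NIST interpretation requires, and a constructed, deterministic stand-in for the hardware entropy source so that it runs offline. The names `X917`, `EntropySource`, `constructedSource` and the 24-byte-key-plus-8-byte-seed layout are assumptions of this example, not anything the standard or the message specifies.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// EntropySource hands back fresh keying material: a 24-byte 3DES key followed
// by an 8-byte seed vector V. A real module would draw this from the hardware
// source the message mentions; this example uses a constructed stub.
type EntropySource func() ([]byte, error)

// X917 follows the ANSI X9.17 generator structure: a keyed block cipher, a
// per-iteration "time" input T_i (a free-running counter here) and a state
// vector V fed back each round.
type X917 struct {
	blk        cipher.Block
	v          [8]byte       // V_i, the 8-byte state vector
	counter    uint64        // stands in for the date/time input T_i
	blocksOut  int           // output blocks produced under the current key
	rekeyEvery int           // rekey after this many blocks; 0 disables
	entropy    EntropySource // where new key || seed material comes from
	rekeys     int           // rekey events since construction
}

// NewX917 keys the generator once. rekeyEvery implements the "rekey after N
// output blocks" policy; the other policy in the message (rekey as soon as
// enough entropy has accumulated) would simply call Rekey from outside.
func NewX917(entropy EntropySource, rekeyEvery int) (*X917, error) {
	g := &X917{entropy: entropy, rekeyEvery: rekeyEvery}
	if err := g.Rekey(); err != nil {
		return nil, err
	}
	g.rekeys = 0 // the initial keying is not counted as a rekey
	return g, nil
}

// Rekey replaces K and V with fresh material and resets the block count.
func (g *X917) Rekey() error {
	material, err := g.entropy()
	if err != nil {
		return err
	}
	if len(material) != 32 {
		return errors.New("x917: need 24-byte key plus 8-byte seed")
	}
	blk, err := des.NewTripleDESCipher(material[:24])
	if err != nil {
		return err
	}
	g.blk = blk
	copy(g.v[:], material[24:])
	g.blocksOut = 0
	g.rekeys++
	return nil
}

// NextBlock runs one X9.17 iteration:
//   T_i     = E_K(counter_i)
//   R_i     = E_K(T_i xor V_i)   (the output block)
//   V_{i+1} = E_K(T_i xor R_i)   (the next state)
func (g *X917) NextBlock() ([8]byte, error) {
	var r [8]byte
	if g.rekeyEvery > 0 && g.blocksOut >= g.rekeyEvery {
		if err := g.Rekey(); err != nil {
			return r, err
		}
	}
	var dt, t, x [8]byte
	binary.BigEndian.PutUint64(dt[:], g.counter)
	g.counter++
	g.blk.Encrypt(t[:], dt[:])
	for i := range x {
		x[i] = t[i] ^ g.v[i]
	}
	g.blk.Encrypt(r[:], x[:])
	for i := range x {
		x[i] = t[i] ^ r[i]
	}
	g.blk.Encrypt(g.v[:], x[:])
	g.blocksOut++
	return r, nil
}

// Rekeys reports how many rekey events the policy has triggered.
func (g *X917) Rekeys() int { return g.rekeys }

// constructedSource is a deterministic stand-in for a hardware entropy source
// so the example runs offline; it is NOT random and exists only for the demo.
func constructedSource(tag byte) EntropySource {
	calls := byte(0)
	return func() ([]byte, error) {
		calls++
		m := make([]byte, 32)
		for i := range m {
			m[i] = byte(i)*7 + tag + calls*31
		}
		return m, nil
	}
}

func main() {
	g, err := NewX917(constructedSource(1), 4) // rekey every 4 output blocks
	if err != nil {
		panic(err)
	}
	for i := 0; i < 6; i++ {
		blk, err := g.NextBlock()
		if err != nil {
			panic(err)
		}
		fmt.Printf("block %d: %s (rekeys so far: %d)\n", i, hex.EncodeToString(blk[:]), g.Rekeys())
	}
}
```

Two generators keyed and seeded identically, with the same counter start, emit the same stream; that is the determinism the FIPS-approved generators are built around, and it is why the quality of the keying material, not the algorithm, is where the certification questions land. Swapping the counter for a clock value changes nothing in the code path, which is why the standard could originally allow either.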

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


