PRNG design document?

Anton Stiglic astiglic at okiok.com
Tue Sep 2 12:10:23 EDT 2003


----- Original Message ----- 
From: "Thor Lancelot Simon" <tls at rek.tjls.com>
To: <cryptography at metzdowd.com>
Sent: Friday, August 29, 2003 3:45 PM
Subject: Re: PRNG design document?


> On Fri, Aug 29, 2003 at 11:27:41AM +0100, Ben Laurie wrote:
> > >
> > > As you mentioned, the FIPS-140-2 approved PRNG
> > > are deterministic, they take a random seed and extend it
> > > to more random bytes.  But FIPS-140-2 has no
> > > provision for generating the seed in the first place,
> > > this is where something like Yarrow or the cryptlib
> > > RNG come in handy.
> >
> > Actually, FIPS-140 _does_ have provision for seeding, at least for X9.17
> > (you use the time :-), but not for keying.
>
> I think there's some confusion of terminology here.  A "time", Ti for each
> iteration of the algorithm, is one of the inputs to the X9.17 generator
> (otherwise, you might as well just use DES/3DES in any chaining or feedback
> mode, for all practical purposes).

Right.  So I don't actually have the original ANSI X9.17 document (and it is
no longer available in the ANSI X9 catalogue).  My references are
HAC section 5.3.1
http://www.cacr.math.uwaterloo.ca/hac/about/chap5.pdf
and Kelsey, Schneier, Wagner and Hall's paper
http://www.counterpane.com/pseudorandom_number.pdf

In both of the above references, the ANSI X9.17 PRNG is described as taking
a 64-bit seed s along with a DES E-D-E encryption key k.
The encrypted time is XORed with the seed and this result is encrypted to
obtain the output; the seed is updated by encrypting the last output XORed
with the encrypted time.
So there is a possibility of re-keying (the key that is used for the
encryption), and re-seeding (explicitly, not relying on the self-re-seeding...).

It is important to choose both a random seed and a random key, and FIPS 140
has no provision for this.

--Anton
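The X9.17 generator as Anton describes it from HAC 5.3.1, written out as an added example (not code from the post or from either reference); it assumes the two-key 3DES E-D-E form and uses a constructed, fixed key and seed, so it deliberately does the one thing the thread says FIPS 140 leaves open: it takes the random key and seed from the caller instead of producing them.

```go
package main
import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)
// X917 is the generator of HAC 5.3.1: a 64-bit seed s and a two-key 3DES (E-D-E) key k.
type X917 struct {
	blk  cipher.Block
	seed [8]byte
}
// NewX917 takes the two DES keys of the E-D-E key and the seed; generating
// them at random is the caller's job, and nothing here does it.
func NewX917(k1, k2, seed [8]byte) (*X917, error) {
	key := append(append(append([]byte{}, k1[:]...), k2[:]...), k1[:]...) // K1,K2,K1
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return &X917{blk: blk, seed: seed}, nil
}
// enc applies E_k to one 64-bit block.
func (g *X917) enc(in [8]byte) (out [8]byte) { g.blk.Encrypt(out[:], in[:]); return }
func xor8(a, b [8]byte) (r [8]byte) {
	for i := range r {
		r[i] = a[i] ^ b[i]
	}
	return
}
// Next returns one output block for the iteration's time value Ti and advances
// the seed:  I = E_k(Ti);  x = E_k(I xor s);  s <- E_k(x xor I).
func (g *X917) Next(ti uint64) [8]byte {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], ti)
	i := g.enc(tb)
	x := g.enc(xor8(i, g.seed))
	g.seed = g.enc(xor8(x, i))
	return x
}
// Reseed replaces s explicitly, independent of the self-update in Next.
func (g *X917) Reseed(s [8]byte) { g.seed = s }
func main() { // constructed fixed key and seed, for illustration only
	g, _ := NewX917([8]byte{1, 2, 3, 4, 5, 6, 7, 8}, [8]byte{9, 10, 11, 12, 13, 14, 15, 16}, [8]byte{0xa5})
	for ti := uint64(1); ti <= 3; ti++ {
		fmt.Printf("Ti=%d output=%x\n", ti, g.Next(ti))
	}
}
```

With a fixed key and seed the output is fully determined by the sequence of Ti values, which is why the quality of the whole construction rests on where k and s came from.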

