PRNG design document?

Thor Lancelot Simon tls at rek.tjls.com
Tue Sep 2 12:33:29 EDT 2003


On Tue, Sep 02, 2003 at 12:10:23PM -0400, Anton Stiglic wrote:
> 
> Right.  So I don't actually have the original ANSI X9.17 document (and it is
> no longer available in the ANSI X9 catalogue).  My references are
> HAC section 5.3.1
> http://www.cacr.math.uwaterloo.ca/hac/about/chap5.pdf
> and Kelsey, Schneier, Wagner and Hall's paper
> http://www.counterpane.com/pseudorandom_number.pdf
> 
> In both of the above references, the ANSI X9.17 PRNG is described as taking
> a 64-bit seed s along with a DES E-D-E encryption key k.
> The encrypted time is XORed with the seed and this result is encrypted to
> obtain the output; the seed is updated by encrypting the last output XORed
> with the encrypted time.
> So there is a possibility of re-keying (the key that is used for the
> encryption), and re-seeding (explicitly, not relying on the
> self-re-seeding...).
> 
> It is important to choose both a random seed and random key, and FIPS 140
> has no provision for this.

Well, it certainly doesn't forbid it; again, a simple approach is to treat
the seed as part of the key material and replace it when sufficient entropy
is available from hardware sources.
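The generator exactly as the quoted message describes it (encrypted time, output, seed update), written out as an added example that is not code from this thread, using Go's standard crypto/des for the two-key E-D-E block. The type and function names (X917, NewX917, Next, Reseed) are my own; the caller supplies the key, the seed and the timestamp, which is the point of the discussion above: the key and the seed are separate key material and each must be drawn from a real entropy source.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
)

// X917 is the ANSI X9.17 generator as the quoted message describes it:
// a DES E-D-E key k (held as the cipher.Block) and a 64-bit seed s.
type X917 struct {
	ede  cipher.Block
	seed [8]byte
}

// NewX917 takes a two-key E-D-E key (schedule k1, k2, k1) and a seed. Both
// must come from a real entropy source: neither is derived from the other.
func NewX917(k1, k2 []byte, seed [8]byte) (*X917, error) {
	if len(k1) != 8 || len(k2) != 8 {
		return nil, errors.New("each DES key must be 8 bytes")
	}
	key := append(append(append([]byte{}, k1...), k2...), k1...)
	b, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return &X917{ede: b, seed: seed}, nil
}

// Next runs one step: T = E_k(time), out = E_k(T xor s), s = E_k(out xor T).
func (g *X917) Next(timestamp uint64) [8]byte {
	var t, encT, x, out, y [8]byte
	binary.BigEndian.PutUint64(t[:], timestamp)
	g.ede.Encrypt(encT[:], t[:])
	for i := range x {
		x[i] = encT[i] ^ g.seed[i]
	}
	g.ede.Encrypt(out[:], x[:])
	for i := range y {
		y[i] = out[i] ^ encT[i]
	}
	g.ede.Encrypt(g.seed[:], y[:])
	return out
}

// Reseed replaces s explicitly, e.g. when fresh hardware entropy is available,
// instead of relying on the self-update inside Next. Re-keying is the same
// operation on the key: build a new generator with the current seed.
func (g *X917) Reseed(seed [8]byte) { g.seed = seed }
```

Because E_k is a permutation, two generators with the same key, the same timestamp and different seeds can never produce the same output block, which is what makes an unpredictable seed matter as much as an unpredictable key.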

