PRNG design document?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 2 21:41:08 EDT 2003


"Anton Stiglic" <astiglic at okiok.com> writes:

>It is important to choose both a random seed and random key, and FIPS 140 has
>no provision for this.

Yes it does, you just have to interpret it correctly.

  The post-processed pool output [from the cryptlib generator] is not sent
  directly to the caller but is first passed through an X9.17 PRNG that is
  rekeyed every time a certain number of output blocks have been produced with
  it, with the currently active key being destroyed.  Since the X9.17
  generator produces a 1:1 mapping, it can never make the output any worse,
  and it provides an extra level of protection for the generator output (as
  well as making it easier to obtain FIPS 140 certification).  Using the
  generator in this manner is valid since X9.17 requires the use of DT, "a
  date/time vector which is updated on each key generation", and cryptlib
  chooses to represent this value as a complex hash of assorted incidental
  data and the date and time.  The fact that 99.9999% of the value of the
  X9.17 generator is coming from the "timestamp" is as coincidental as the
  side effect of the engine-cooling fan in the Brabham ground-effect cars
  [Reference].

Peter.

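The X9.17 construction Peter describes, as an added example that is not code from cryptlib or from the post: the block cipher E_K is replaced by a constructed four-round Feistel permutation built on HMAC-SHA256 (so the "1:1 mapping" property can be checked with its inverse), DT is a hash of the clock and OS randomness standing in for cryptlib's hash of incidental data, and the key is replaced after a fixed number of output blocks. The block size, the rekey threshold and the way the replacement key is derived are assumptions, not cryptlib's.

```python
import hashlib
import hmac
import os
import time

BLOCK = 16  # 128-bit block, an assumption for this illustration
HALF = BLOCK // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def permute(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    # Four-round Feistel network: a keyed 1:1 mapping that stands in for the
    # block cipher E_K of X9.17 (constructed stand-in, not DES or AES).
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def unpermute(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    # Inverse of permute(); exists only to show that E_K loses no entropy.
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def default_dt() -> bytes:
    # DT: cryptlib hashes incidental data plus the date and time; here the
    # wall clock and os.urandom() are hashed as a constructed stand-in.
    return hashlib.sha256(time.time_ns().to_bytes(8, "big") + os.urandom(16)).digest()[:BLOCK]

class X917Generator:
    def __init__(self, key: bytes, seed: bytes, rekey_after: int = 8, dt_source=default_dt):
        self.key, self.v, self.count = key, seed, 0
        self.rekey_after, self.dt_source = rekey_after, dt_source

    def next_block(self) -> bytes:
        i = permute(self.key, self.dt_source())   # I = E_K(DT)
        r = permute(self.key, _xor(i, self.v))    # R = E_K(I xor V), the output block
        self.v = permute(self.key, _xor(r, i))    # V = E_K(R xor I), the next seed
        self.count += 1
        if self.count >= self.rekey_after:
            # Assumed rule: derive K' from state and overwrite K; cryptlib would
            # instead take the replacement key from its entropy pool.
            self.key, self.count = hashlib.sha256(b"rekey" + self.key + self.v).digest(), 0
        return r
```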
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
