questions about RNGs and FIPS 140

Thor Lancelot Simon tls at
Sun Aug 29 23:36:17 EDT 2010

On Sun, Aug 29, 2010 at 06:40:46PM +1200, Peter Gutmann wrote:
> Thor Lancelot Simon <tls at> writes:
> >That doesn't make any sense.  DT in that generator is really meant to serve
> >the role of a counter, and, in fact, the test harness for that generator
> >*requires* it to be a counter.
> >
> >The seed for that generator is K.
>
> Well, at least in your opinion it is :-).  And this illustrates the problem
> here, just from the small number of contributors to this thread (including
> some off-list ones) we've already had a whole pile of different opinions on
> how to apply the PRNGs, and as with the labs there's quite some leeway in the
> interpretations.

I'm sorry, I don't buy it.  I am aware that some labs will not allow the
use of actual time and date in DT to feed in additional entropy as the
generator runs.  But when this discussion started, as far as I can tell
you were claiming that some lab does not allow the use of non-deterministic
entropy sources to seed the X9.17 generator *at all*.

I don't believe that, because it amounts to telling you how and when to
set K, which is the key used to key the cipher that is the core of this
DRNG, and the how and when that you'd have to, in this case, be told,
would appear to directly contradict the Derived Test Requirements.

Believe me, I was quite annoyed the first time I discovered I could
not actually use the real date and time in DT, since that is the only
measure that provides any resistance to keystream recovery in this
generator between rekeyings.  I think I've mentioned it before on
this list.  But that does not mean that you can't key the 9.17 generator
from a hardware entropy source; it is really another question entirely.

