[Cryptography] SP800-90A B & C

dj at deadhat.com dj at deadhat.com
Mon Nov 11 16:18:37 EST 2013


> On 10/11/13 23:09 PM, Watson Ladd wrote:
...
>>>
>>> The current comments are here:
>>> http://www.davidsdesktop.com/media/sp80090/SP800-90commentsNov8th_2013.pdf
...
>>>
>> I disagree with some of these comments, and agree with others, but I
>> think it would be productive to have a broader discussion of the
>> issues you raise (modulo
>> editorial foibles)
>>
>> There are (broadly speaking) two different designs for random number
>> generators.
...
>
> Is guaranteed on paper, but this only works if we assume there is no
> manipulation.  Which is the topic du jour.
>


Part of my argument was that we can have both. The design must ensure that
if designed to the spec without manipulation, it will offer secure random
numbers. The spec can allow that users can mix in their own sources to
mitigate the issues that the former model raises.

In reality, pool constructions are really just the merging of conditioning
with reseeding. SP800-90 thinks in terms of having a good seed, condensed
from a larger volume of partially entropic data and so for example (in CTR
DRBG) just XORs in the seed to the DRBG state. A pool construction stirs
in the new entropy to the state of the PRNG in what amounts to an entropy
extraction process.

I don't see that as a big difference. It's just how you label your
algorithms. But SP800-90 and FIPS140-2 are hostile to user sourced entropy.
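Added illustration in Go of the two mixing styles the post contrasts (not code from the post, from SP800-90A, or from any NIST implementation; the names ctrDRBG, update, reseed and poolStir are mine): a minimal AES-128 CTR_DRBG update/reseed with no derivation function, where the entropy input is XORed into the keystream that becomes the new K and V, beside a hash-based pool stir. The XOR step is what makes two instances with identical state that reseed with different inputs end up with states differing by exactly the XOR of those inputs, which is why the standard only permits this mode with full-entropy input.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
)

// Added illustration (not the post's or NIST's code): AES-128 CTR_DRBG, no derivation function.
const keyLen, blockLen, seedLen = 16, 16, 32 // seedlen = keylen + blocklen

// ctrDRBG is the working state: cipher key K and counter block V.
type ctrDRBG struct {
	K [keyLen]byte
	V [blockLen]byte
}

// incV increments V as a big-endian counter modulo 2^128.
func incV(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			break
		}
	}
}

// update is CTR_DRBG_Update: encrypt successive counters under K to get seedlen
// bytes, XOR providedData into them, and split the result into the new K and V.
func (d *ctrDRBG) update(providedData [seedLen]byte) {
	block, _ := aes.NewCipher(d.K[:]) // K is always 16 bytes, so err is nil
	var temp [seedLen]byte
	for off := 0; off < seedLen; off += blockLen {
		incV(&d.V)
		block.Encrypt(temp[off:off+blockLen], d.V[:])
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	copy(d.K[:], temp[:keyLen])
	copy(d.V[:], temp[keyLen:])
}

// reseed without a derivation function: the entropy input is the providedData, so
// it lands in the state by XOR. This is the "just XORs in the seed" of the post.
func (d *ctrDRBG) reseed(entropy [seedLen]byte) { d.update(entropy) }

// poolStir models the pool construction: new entropy is hashed together with the
// existing pool, so conditioning and reseeding happen in one extraction step.
func poolStir(pool [32]byte, entropy []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, pool[:]...), entropy...))
}
```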
