<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Aug 25, 2019, at 4:07 AM, Bill Cox &lt;<a href="mailto:waywardgeek@gmail.com" class="">waywardgeek@gmail.com</a>&gt; wrote:</div><div class=""><div dir="ltr" class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"></blockquote><div class=""><br class=""></div><div class=""><div class="">It's just <a href="https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=920992" class="">a bad paper</a>, and a confusing article based on it.  Here's the heart of their protocol:</div><div class=""><br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="">The
 client makes a HTTP GET request to the EaaS server, with the number of 
bytes of random data to return, and its own public key, which is used to
 encrypt the returned payload.  </div></blockquote></div></div></div></div></blockquote><div class=""><br class=""></div>Using these numbers to seed an RND is dubious at best.</div><div class=""><br class=""></div><div class="">Another (more reasonable) approach to public random numbers (explicitly not keys) is </div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class=""><a href="https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8213-draft.pdf" class="">https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8213-draft.pdf</a></div></blockquote><br class=""><div class="">Section 7 has ways that it can be used. </div><div class=""><br class=""></div><div class="">I expect that it has already been discussed… </div><div class=""><br class=""></div><div class=""><br class=""></div></div></body></html>