Subject: Re: arc4random(9)
To: None <firstname.lastname@example.org, email@example.com>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 05/29/2002 00:58:13
On Tue, May 28, 2002 at 11:13:23PM -0400, Thor Lancelot Simon wrote:
> Yarrow would be a nice idea, but unfortunately the standards in question
> are quite strict, many people building products with NetBSD are _forced_
> to strictly conform to them, and neither one permits Yarrow. The X9.31
> generator, perhaps hooked to an API that lets you choose the block cipher
> used, is probably the best bet.
Sigh. Too much conformance work for too many standards at my day job. I
got my standard names mixed up -- sorry!
The RNG in question is in fact mentioned in X9.31, but it's actually
specified in X9.17. The algorithm, stated simply (thanks to Dorothy
Denning's online lecture notes for the statement-in-text), is:
Generate random 64-bit seed V0
Generate random key-generating key K
Generate random keys R_i, i = 0, 1, ...
    R_i = E_K(E_K(T_i) XOR V_i)
    V_i = E_K(E_K(T_i) XOR V_i)
where T_i is the current time and E_K is encryption with DES and key K.
Current FIPS-140 certification practice allows 3DES to be used as EK
instead of single-DES -- or so the FIPS-certification people I've talked
to recently say, anyway. Obviously, this works okay with any block cipher
as EK, and nothing says you can't generate a new V0 from time to time,
either; FIPS 186 does say you have to do some simple statistical tests on
the generator's output when you reseed it, though.
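As an added illustration (not code from this message or from NetBSD), here is the X9.17 generator written in Go over the cipher.Block interface, so the block cipher is selectable as suggested in the quoted text; 3DES is used below. It follows the standard's own V update, V_{i+1} = E_K(R_i XOR E_K(T_i)), and the key, seed V0 and counter-based time source are constructed stand-ins, not real entropy or the wall clock.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// X917 runs the ANSI X9.17 generator over any cipher.Block (8-byte blocks for
// DES/3DES, 16 for AES). Type and method names here are assumptions.
type X917 struct {
	block cipher.Block
	v     []byte        // current seed V_i, one block long
	clock func() uint64 // time source T_i; a constructed counter in main
}
// NewX917 takes the keyed cipher (K), seed V0 and time source.
func NewX917(b cipher.Block, seed []byte, clock func() uint64) (*X917, error) {
	if n := b.BlockSize(); len(seed) != n || n < 8 {
		return nil, fmt.Errorf("seed must be one %d-byte block", n)
	}
	return &X917{block: b, v: append([]byte(nil), seed...), clock: clock}, nil
}

// Next returns one output block R_i and advances V_i to V_{i+1}.
func (g *X917) Next() []byte {
	n := g.block.BlockSize()
	t := make([]byte, n)
	binary.BigEndian.PutUint64(t[n-8:], g.clock()) // T_i in the low 8 bytes
	i := make([]byte, n)
	g.block.Encrypt(i, t) // I = E_K(T_i)
	r := make([]byte, n)
	for k := range r {
		r[k] = i[k] ^ g.v[k]
	}
	g.block.Encrypt(r, r) // R_i = E_K(I XOR V_i)
	for k := range g.v {
		g.v[k] = r[k] ^ i[k]
	}
	g.block.Encrypt(g.v, g.v) // V_{i+1} = E_K(R_i XOR I), per the standard
	return r
}

func main() {
	b, _ := des.NewTripleDESCipher([]byte("0123456789abcdef01234567")) // constructed key
	ctr := uint64(0)
	g, _ := NewX917(b, []byte("seedseed"), func() uint64 { ctr++; return ctr })
	fmt.Printf("%x %x\n", g.Next(), g.Next())
}
```

Swapping des.NewTripleDESCipher for aes.NewCipher with a 16-byte seed gives the same generator over AES, which is the "choose the block cipher" API the quoted text asks for.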
Thor Lancelot Simon email@example.com
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud