Subject: Re: arc4random(9)
To: None <,>
From: Thor Lancelot Simon <>
List: tech-kern
Date: 05/29/2002 00:58:13
On Tue, May 28, 2002 at 11:13:23PM -0400, Thor Lancelot Simon wrote:
> Yarrow would be a nice idea, but unfortunately the standards in question
> are quite strict, many people building products with NetBSD are _forced_
> to strictly conform to them, and neither one permits Yarrow.  The X9.31
> generator, perhaps hooked to an API that lets you choose the block cipher
> used, is probably the best bet.

Sigh.  Too much conformance work for too many standards at my day job.  I
got my standard names mixed up -- sorry!

The RNG in question is in fact mentioned in X9.31, but it's actually
specified in X9.17.  The algorithm, stated simply (thanks to Dorothy
Denning's online lecture notes for the statement-in-text), is:

	Generate random 64-bit seed V0

	Generate random key generating key K

	Generate random keys Ri, i = 0, 1, ...

	Ri = EK (EK (Ti) XOR Vi )

	Vi = EK (EK (Ti) XOR Vi )

	where Ti is current time.

	EK is encryption with DES and key K 

Current FIPS-140 certification practice allows 3DES to be used as EK
instead of single-DES -- or so the FIPS-certification people I've talked
to recently say, anyway.  Obviously, this works okay with any block cipher
as EK, and nothing says you can't generate a new V0 from time to time, 
either; FIPS 186 does say you have to do some simple statistical tests on
the generator's output when you reseed it, though.

 Thor Lancelot Simon	                            
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud