Subject: Re: arc4random(9)
To: Steven M. Bellovin <smb@research.att.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/29/2002 05:35:28
On Wed, May 29, 2002 at 11:17:14AM +0200, Steven M. Bellovin wrote:
> 
> Not necessarily -- reproducibility is important for other reasons.  
> PRNGs, in general, should not be reseeded except by explicit program 
> action, and the usual choice is a constant or "random" initial seed.
> 
> The question about rekeying is "why?"  Why do I want a PRNG to rekey 
> itself at random times?  I think we agree that we're not producing 
> key-grade random numbers, and that's the application that most needs 
> rekeying.

The Yarrow-160 paper hints at this: if you use a cipher as a PRNG, you
risk the disclosure of *all* of the outputs if the key is disclosed.  (Of
course, their solution, to use a cipher in combination with a MAC, is
better; but as you point out, we aren't producing key-grade numbers here
and that's very expensive).

Even if you're not generating cryptographic keys, this would seem to me
to be an undesirable result.  Periodic rekeying at least limits the
scope of the damage resulting from the compromise of the key -- this
doesn't seem like a bad thing to me, so long as you can turn it off when
you want to.

The other reason I can think of off the top of my head is if you're using
a block cipher with a small block size (even 64 bits).  There, you need
to rekey simply because you've sucked a certain amount of output out of
it, no?

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
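The scope-of-damage argument in the reply above, as an added example that is not part of this thread or of arc4random(9): a counter-mode generator with and without one-way rekeying, and a count of how many outputs a leaked (key, counter) lets one reproduce. The SHA-256 stand-in for the cipher, the `rekey` derivation and all function names are assumptions of the example.

```python
import hashlib

BLOCK_BYTES = 8  # a 64-bit block, the "small block size" case raised in the mail

def prf_block(key: bytes, counter: int) -> bytes:
    # Stand-in for one block-cipher encryption of the counter under `key` (not a real cipher).
    return hashlib.sha256(key + counter.to_bytes(8, "big")).digest()[:BLOCK_BYTES]

def next_key(key: bytes) -> bytes:
    # One-way rekey: the new key is derived from the old one, which is then discarded,
    # so whoever holds the new key cannot recompute an earlier epoch's blocks.
    return hashlib.sha256(b"rekey" + key).digest()

class CounterPrng:
    """Counter-mode PRNG; rekeys every `rekey_after` blocks (0 = never rekey)."""
    def __init__(self, key: bytes, rekey_after: int = 0):
        self.key, self.counter, self.rekey_after = key, 0, rekey_after

    def next_block(self) -> bytes:
        out = prf_block(self.key, self.counter)
        self.counter += 1
        if self.rekey_after and self.counter % self.rekey_after == 0:
            self.key = next_key(self.key)  # old key is erased here
        return out

def recoverable_outputs(leaked_key: bytes, leaked_counter: int, rekey_after: int, total: int):
    # What a leaked (key, counter) lets one recompute: the current epoch and, by walking
    # next_key forward, every later one. Earlier epochs come back as None (one-way rekey).
    leaked_epoch = leaked_counter // rekey_after if rekey_after else 0
    key, epoch, recovered = leaked_key, leaked_epoch, []
    for i in range(total):
        e = i // rekey_after if rekey_after else 0
        if e < leaked_epoch:
            recovered.append(None)
            continue
        while epoch < e:
            key, epoch = next_key(key), epoch + 1
        recovered.append(prf_block(key, i))
    return recovered

def damage_scope(rekey_after: int, total: int = 12, compromise_at: int = 7) -> int:
    # Leak (key, counter) just before block `compromise_at`; count the real outputs it reproduces.
    gen = CounterPrng(b"\x11" * 32, rekey_after)  # constructed fixed key: deterministic run
    outputs, leaked = [], None
    for i in range(total):
        if i == compromise_at:
            leaked = (gen.key, gen.counter)
        outputs.append(gen.next_block())
    guesses = recoverable_outputs(leaked[0], leaked[1], rekey_after, total)
    return sum(1 for real, guess in zip(outputs, guesses) if guess == real)
```

With no rekeying the leaked key reproduces all 12 blocks; rekeying every 4 blocks limits it to the current epoch and later ones, 8 blocks, and rekeying every block to 5.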