On Fri, Aug 29, 2003 at 11:27:41AM +0100, Ben Laurie wrote:
> > As you mentioned, the FIPS-140-2 approved PRNGs
> > are deterministic, they take a random seed and extend it
> > to more random bytes. But FIPS-140-2 has no
> > provision for generating the seed in the first place,
> > this is where something like Yarrow or the cryptlib
> > RNG come in handy.
>
> Actually, FIPS-140 _does_ have provision for seeding, at least for X9.17
> (you use the time :-), but not for keying.
I think there's some confusion of terminology here. A "time", Ti for each
iteration of the algorithm, is one of the inputs to the X9.17 generator
(otherwise, you might as well just use DES/3DES in any chaining or feedback
mode, for all practical purposes). However, it has always been permitted to
use a free-running counter instead of the time, and indeed the current
interpretation by NIST *requires* that a counter, not the time, be used.

As for keying, you're allowed to key with whatever you want, whenever you
want, but at least from my conversations with a number of people during a
recent certification, you'd better be prepared to explain why your source of
key material is strong. One implementation with which I was involved
essentially rekeyed the generator as soon as enough entropy had accumulated
from a hardware source; another rekeyed it depending on the number of output
blocks. Both approaches are permissible.

I do have some more thoughts on the quality of the various generators the
standard allows, but I haven't had time to get them down in writing; I'll
try to do so before this thread is totally stale...

--
Thor Lancelot Simon [EMAIL PROTECTED]

But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud

---------------------------------------------------------------------
The Cryptography Mailing List
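As an added illustration of the generator structure discussed in this message (not code from the thread or from any certified implementation), here is an X9.17-style generator in Go: 3DES from crypto/des, a free-running counter standing in for Ti, and a block-count rekey policy like the second implementation described above. The type and function names (Generator, NewGenerator, Rekey, NeedsRekey, NextBlock) and the rekey limit are assumptions; the key given to Rekey is assumed to come from a source whose strength the implementer can justify.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
)

// Generator is an ANSI X9.17-style PRNG on 3DES with a free-running counter in
// place of the time T_i:  I = E_K(T_i);  R_i = E_K(I xor V_i);  V_{i+1} = E_K(R_i xor I)
type Generator struct {
	key     [24]byte // 3DES key K; its source must be justifiably strong
	v       [8]byte  // seed / current state V_i
	counter uint64   // stands in for the time T_i (NIST's current reading)
	blocks  int      // output blocks since the last rekey
	limit   int      // constructed policy: rekey after this many blocks
}

func NewGenerator(key [24]byte, seed [8]byte, rekeyAfter int) *Generator {
	g := &Generator{v: seed, limit: rekeyAfter}
	g.Rekey(key)
	return g
}

// Rekey installs fresh key material K (e.g. once enough entropy has accumulated
// from a hardware source) and restarts the block count.
func (g *Generator) Rekey(key [24]byte) { g.key, g.blocks = key, 0 }

// NeedsRekey reports whether the block-count rekey policy has been reached.
func (g *Generator) NeedsRekey() bool { return g.limit > 0 && g.blocks >= g.limit }

// NextBlock returns one 8-byte output block R_i, then advances V and the counter.
func (g *Generator) NextBlock() []byte {
	c, _ := des.NewTripleDESCipher(g.key[:]) // key is always 24 bytes, so no error
	var t, i, x, r [8]byte
	binary.BigEndian.PutUint64(t[:], g.counter)
	g.counter++
	c.Encrypt(i[:], t[:]) // I = E_K(T_i)
	for k := range x {
		x[k] = i[k] ^ g.v[k]
	}
	c.Encrypt(r[:], x[:]) // R_i = E_K(I xor V_i)
	for k := range x {
		x[k] = r[k] ^ i[k]
	}
	c.Encrypt(g.v[:], x[:]) // V_{i+1} = E_K(R_i xor I)
	g.blocks++
	return r[:]
}
```

A caller polls NeedsRekey after each block and supplies new key material through Rekey; the counter keeps running across rekeys so that Ti never repeats under the new key.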
