On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>
> In addition I've heard of evaluations where the generator is required to use a
> monotonically increasing counter (clock value) as the seed, so you can't just
> use the PRNG as a postprocessor for an entropy polling mechanism. Then again
> I know of some that have used it as exactly that without any problems.
This (brain-damaged) requirements change was brought in by the creation of a
Known Answer Test for the cipher-based RNG. Prior to the addition of that
test, one could add additional entropy by changing the seed value at each
iteration of the generator. But that makes it, of course, impossible to get
Known Answers that confirm that the generator actually implements the
standard. So suddenly the alternate form of the generator -- in my opinion
much less secure -- which uses a monotonically-increasing counter for the
seed, was the only permitted form.

I have yet to hear of anyone who has found a test lab that will certify a
generator implementation that uses the mono counter for the KAT suite but a
random seed in normal operation. For good reason, labs are usually very
leery of algorithm implementations that come with a "special test mode".

However, you are free to change the actual key for the generator as often as
you like. I'm not sure why OpenSSL doesn't implement "fork protection" that
way, for example -- or does it use the MAC-based generator instead?

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
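The tension Thor describes between a Known Answer Test and per-iteration seed injection, as an added illustration that is not part of the post and not code from OpenSSL or any certified module. It assumes the "cipher-based RNG" is the ANSI X9.31 Appendix A.2.4 construction (I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I)), substitutes a keyed PRF built from HMAC-SHA256 for the block cipher so the script runs on the standard library alone, and uses hypothetical names (x931_step, CounterDT, fork_protected_streams, a made-up key-derivation step) and a constructed KAT triple rather than any published vector. It shows that the counter-DT form has a reproducible answer while entropy folded into V each step does not, that a snapshot of (K, V) replays the counter-DT stream exactly, and that rekeying, the route the post says remains open, leaves the algorithm and its KAT untouched.

```python
"""Added illustration: KAT vs. per-iteration entropy in an X9.31 A.2.4-style
cipher-based generator (assumed to be the generator the post refers to).

    I  = E_K(DT)         DT: date/time or monotonic counter vector
    R  = E_K(I xor V)    V:  seed vector, R: output block
    V' = E_K(R xor I)    next seed

E_K is a STAND-IN keyed PRF (HMAC-SHA256 truncated to one block), not a real
block cipher; the structure of the generator is what matters here.
"""
import hashlib
import hmac
import os

BLOCK = 16  # one cipher block, in bytes


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for block-cipher encryption E_K(block). NOT a real cipher."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def x931_step(key: bytes, dt: bytes, v: bytes):
    """One A.2.4 iteration: returns (output block R, next seed V')."""
    i = E(key, dt)
    r = E(key, xor(i, v))
    return r, E(key, xor(r, i))


class CounterDT:
    """Monotonically increasing DT vector, the form a KAT can reproduce."""
    def __init__(self, start: int = 0):
        self.n = start

    def next_dt(self) -> bytes:
        dt = self.n.to_bytes(BLOCK, "big")
        self.n += 1
        return dt


def fresh_entropy() -> bytes:
    """Entropy-polling stand-in: one block from the OS per call."""
    return os.urandom(BLOCK)


def generate(key: bytes, v: bytes, dt: CounterDT, n: int, entropy=None):
    """Produce n output blocks. If `entropy` is given it is called every
    iteration and folded into V first (the pre-KAT practice of changing the
    seed each step). Returns (output bytes, final V)."""
    out = []
    for _ in range(n):
        if entropy is not None:
            v = xor(v, entropy())
        r, v = x931_step(key, dt.next_dt(), v)
        out.append(r)
    return b"".join(out), v


# Constructed KAT triple (not a published vector). The known answer is derived
# once from the reference implementation above.
KAT_KEY = bytes(range(BLOCK))
KAT_V = bytes([0xAA]) * BLOCK
KAT_BLOCKS = 4
KAT_ANSWER, _ = generate(KAT_KEY, KAT_V, CounterDT(), KAT_BLOCKS)


def kat_passes(entropy=None) -> bool:
    """Run the candidate configuration on the KAT inputs and compare. With
    per-iteration entropy injection no fixed answer exists, so the KAT fails."""
    got, _ = generate(KAT_KEY, KAT_V, CounterDT(), KAT_BLOCKS, entropy=entropy)
    return got == KAT_ANSWER


def state_compromise_predicts(key: bytes, v: bytes, entropy=None) -> bool:
    """An attacker holding a snapshot of (K, V) and knowing DT is a counter
    replays the generator. Without injection the replay matches every future
    block; with injection it diverges at once."""
    victim, _ = generate(key, v, CounterDT(), KAT_BLOCKS, entropy=entropy)
    replay, _ = generate(key, v, CounterDT(), KAT_BLOCKS)
    return victim == replay


def fork_protected_streams(key: bytes, v: bytes):
    """Fork protection by rekeying: parent and child derive distinct keys from
    the pre-fork key, and the generator algorithm (hence its KAT) is untouched.
    The derivation below is hypothetical, chosen only for this illustration."""
    parent_key = E(key, b"parent".ljust(BLOCK, b"\0"))
    child_key = E(key, b"child".ljust(BLOCK, b"\0"))
    parent_out, _ = generate(parent_key, v, CounterDT(), 2)
    child_out, _ = generate(child_key, v, CounterDT(), 2)
    return parent_out, child_out


if __name__ == "__main__":
    print("KAT, counter DT, no injection :", kat_passes())
    print("KAT, entropy folded into V    :", kat_passes(entropy=fresh_entropy))
    print("(K, V) snapshot replays stream:", state_compromise_predicts(KAT_KEY, KAT_V))
    print("... with injection            :", state_compromise_predicts(KAT_KEY, KAT_V, entropy=fresh_entropy))
    p, c = fork_protected_streams(KAT_KEY, KAT_V)
    print("parent/child streams differ   :", p != c)
```

The same script also shows why the deterministic form is the weaker one from a prediction standpoint: once (K, V) leak and DT is a predictable counter, every later output is computable, whereas folding fresh entropy into V each step makes the replay fail immediately. The rekeying helper changes only K, which is exactly the parameter the KAT fixes but the post notes an implementation is still free to vary in operation.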