On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
> 
> In addition I've heard of evaluations where the generator is required to use a
> monotonically increasing counter (clock value) as the seed, so you can't just
> use the PRNG as a postprocessor for an entropy polling mechanism.  Then again
> I know of some that have used it as exactly that without any problems.

This (braindamaged) requirements change was brought in by the creation of
a Known Answer Test for the cipher-based RNG.  Prior to the addition of
that test, one could add additional entropy by changing the seed value at
each iteration of the generator.  But that makes it, of course, impossible
to get Known Answers that confirm that the generator actually imlements
the standard.  So suddenly the alternate form of the generator -- in my
opinion much less secure -- which uses a monotonically-increasing counter
for the seed, was the only permitted form.

I have yet to hear of anyone who has found a test lab that will certify
a generator implementation that uses the mono counter for the KAT suite
but a random seed in normal operation.  For good reason, labs are usually
very leery of algorithm implementations that come with a "special test
mode".

However, you are free to change the actual key for the generator as often
as you like.  I'm not sure why OpenSSL doesn't implement "fork protection"
that way, for example -- or does it use the MAC-based generator instead?

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to