Thor Lancelot Simon wrote:
> On Tue, Dec 26, 2006 at 05:36:42PM +1300, Peter Gutmann wrote:
>> In addition I've heard of evaluations where the generator is required to use a
>> monotonically increasing counter (clock value) as the seed, so you can't just
>> use the PRNG as a postprocessor for an entropy polling mechanism. Then again
>> I know of some that have used it as exactly that without any problems.
>
> This (braindamaged) requirements change was brought in by the creation of
> a Known Answer Test for the cipher-based RNG. Prior to the addition of
> that test, one could add additional entropy by changing the seed value at
> each iteration of the generator. But that makes it, of course, impossible
> to get Known Answers that confirm that the generator actually implements
> the standard. So suddenly the alternate form of the generator -- in my
> opinion much less secure -- which uses a monotonically-increasing counter
> for the seed, was the only permitted form.
>
> I have yet to hear of anyone who has found a test lab that will certify
> a generator implementation that uses the mono counter for the KAT suite
> but a random seed in normal operation. For good reason, labs are usually
> very leery of algorithm implementations that come with a "special test
> mode".
>
> However, you are free to change the actual key for the generator as often
> as you like. I'm not sure why OpenSSL doesn't implement "fork protection"
> that way, for example -- or does it use the MAC-based generator instead?
No, it doesn't. Fork protection was originally implemented inside the "FIPS
boundary" - which the test lab made us remove. I guess it might be possible
to re-insert it outside the boundary; I'm not sure that occurred to us at the
time. I seem to remember there was some obstacle to this, though, but I can't
remember what it was.

While we're at it, an amusing fact I learnt about FIPS-140 while I was
implementing it for OpenSSL is that some of the Monte Carlo tests have
output that's independent of the input.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't
mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
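The three forms the thread argues about, side by side, as an added example that is not code from the original posts and not OpenSSL's FIPS module. It assumes the "cipher-based RNG" in question is the ANSI X9.31 style construction (I = E_K(DT), R = E_K(I xor V), V' = E_K(R xor I)) built here on AES-128; that is my reading of the thread, which never names the standard. NextCounter is the KAT-friendly form with a monotonically increasing DT, NextWithEntropy is the form that feeds polled entropy in as DT each iteration and so cannot reproduce a known answer, and ForkProtect is a hypothetical rekey-on-fork hook of the kind Thor suggests. The key, seed and pid values, and the SHA-256 key derivation, are constructed for this example; the "known answer" is computed from a reference instance rather than copied from a published vector.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const blockSize = 16

// Generator is an ANSI X9.31 style cipher-based RNG on AES-128 (an
// assumption about the generator the thread discusses; not OpenSSL code).
type Generator struct {
	key []byte
	v   [blockSize]byte // seed state V
	ctr uint64          // DT counter, used only by NextCounter
}

func NewGenerator(key []byte, seed [blockSize]byte) (*Generator, error) {
	if _, err := aes.NewCipher(key); err != nil {
		return nil, err
	}
	return &Generator{key: append([]byte(nil), key...), v: seed}, nil
}

func xor(dst *[blockSize]byte, a, b [blockSize]byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// step runs one iteration: I = E_K(DT); R = E_K(I^V); V' = E_K(R^I).
func (g *Generator) step(dt [blockSize]byte) [blockSize]byte {
	blk, _ := aes.NewCipher(g.key) // key length validated in NewGenerator
	var i, r, t [blockSize]byte
	blk.Encrypt(i[:], dt[:])
	xor(&r, i, g.v)
	blk.Encrypt(r[:], r[:])
	xor(&t, r, i)
	blk.Encrypt(g.v[:], t[:])
	return r
}

// NextCounter is the certifiable form: DT is a monotonically increasing
// counter, so the stream is a pure function of (key, seed) and a lab can
// compare it against a fixed known answer.
func (g *Generator) NextCounter() [blockSize]byte {
	var dt [blockSize]byte
	binary.BigEndian.PutUint64(dt[8:], g.ctr)
	g.ctr++
	return g.step(dt)
}

// NextWithEntropy feeds polled entropy in as DT every iteration. The
// output is no longer reproducible from (key, seed), so no KAT fits it.
func (g *Generator) NextWithEntropy(entropy [blockSize]byte) [blockSize]byte {
	return g.step(entropy)
}

// Rekey swaps the cipher key, which the thread notes is always permitted.
func (g *Generator) Rekey(key []byte) error {
	if _, err := aes.NewCipher(key); err != nil {
		return err
	}
	g.key = append([]byte(nil), key...)
	return nil
}

// ForkProtect is a hypothetical post-fork hook: each process derives its
// own key from the old key and its pid so the two streams diverge. The
// SHA-256(key||pid) derivation is illustrative, not from any standard.
func (g *Generator) ForkProtect(pid uint32) {
	h := sha256.New()
	h.Write(g.key)
	binary.Write(h, binary.BigEndian, pid)
	_ = g.Rekey(h.Sum(nil)[:blockSize]) // 16 bytes is a valid AES-128 key
}

// ExpectedStream stands in for the lab's known answer: n blocks from a
// reference generator in counter form (computed here, not a published vector).
func ExpectedStream(key []byte, seed [blockSize]byte, n int) [][blockSize]byte {
	g, _ := NewGenerator(key, seed)
	out := make([][blockSize]byte, n)
	for i := range out {
		out[i] = g.NextCounter()
	}
	return out
}

// KATMatch drives an implementation block by block against the known answer.
func KATMatch(expected [][blockSize]byte, next func() [blockSize]byte) bool {
	for _, want := range expected {
		if next() != want {
			return false
		}
	}
	return true
}

func main() {
	key := []byte("0123456789abcdef") // constructed key and seed
	var seed [blockSize]byte
	copy(seed[:], "seed-value-0000!")
	want := ExpectedStream(key, seed, 4)

	counter, _ := NewGenerator(key, seed)
	fmt.Println("counter form passes KAT:", KATMatch(want, counter.NextCounter))

	polled, _ := NewGenerator(key, seed)
	n := uint64(0)
	fmt.Println("entropy-seeded form passes KAT:", KATMatch(want, func() [blockSize]byte {
		var dt [blockSize]byte
		n++
		binary.BigEndian.PutUint64(dt[:8], 0xdeadbeef*n) // stand-in for an entropy poll
		return polled.NextWithEntropy(dt)
	}))

	parent, _ := NewGenerator(key, seed)
	child, _ := NewGenerator(key, seed)
	parent.ForkProtect(1000)
	child.ForkProtect(1001)
	fmt.Println("post-fork streams differ:", parent.NextCounter() != child.NextCounter())
}
```

Because AES is a permutation, two iterations that start from the same V but different DT values necessarily produce different R, so the entropy-fed form fails the known answer on its very first block; that is the mismatch Thor describes labs refusing to paper over with a "special test mode". The rekeying path changes only K, so the implementation under test stays in counter form throughout and the KAT still applies to it.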