Re: Pseudorandom Number Generator in Ansi X9.17
In Practical Cryptography, Schneier discusses a new PRNG design called Fortuna. It has some neat features. He also discusses problems with the ANSI PRNG here: http://www.schneier.com/paper-prngs.html -- http://www.lightconsulting.com/~travis/ -><- "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Pseudorandom Number Generator in Ansi X9.17
Terence Joseph wrote: > Hi, > > The Pseudorandom Number Generator specified in Ansi X9.17 used to be one > of the best PRNGs available if I am correct. It was? When? I had to replace the OpenSSL PRNG with X9.31 (as has been discussed elsewhere, this is the same PRNG) for the FIPS-140 certification, and in my opinion it was a large step backwards. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Pseudorandom Number Generator in Ansi X9.17
On Thu, Nov 10, 2005 at 10:33:18AM +, Terence Joseph wrote: > Hi, > > The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of > the best PRNGs available if I am correct. I was just wondering if this is > still considered to be the case? Is it widely used in practical situations > or is there some better implementation available? What would be the > advantages/disadvantages of modifying the Ansi X9.17 PRNG to use AES > instead of 3DES? Is this feasible at all? Asides from the relatively small internal state, and the state compromise extension problems noted by Schneier, Wagner, et al, X9.17/X9.31 are AFAIK good PRNGs. It is very trivial to use AES instead of 3DES (just swap out the algorithms, and change the size of the various internal values to match the 128-bit block size), and you get a larger keyspace, larger internal state, and faster operation, so I'd say doing so is a complete win. Technically, X9.17 has been withdrawn by ANSI, but X9.31 contains the exact same PRNG in Appenxix A.2.4. ANSI still requires 2-key 3DES, but NIST allows the use of 3-key 3DES or of AES with any keylength instead. -Jack - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Pseudorandom Number Generator in Ansi X9.17
On Thu, 10 Nov 2005, Terence Joseph wrote: > The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of > the best PRNGs available if I am correct. I was just wondering if this is > still considered to be the case? Is it widely used in practical situations > or is there some better implementation available? What would be the > advantages/disadvantages of modifying the Ansi X9.17 PRNG to use AES instead > of 3DES? Is this feasible at all? It is now called ANSI X9.31 Appendix A.2.4 http://csrc.nist.gov/CryptoToolkit/tkrng.html and yes, there is NIST-Recommended Random Number Generator Based on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES Algorithms http://csrc.nist.gov/cryptval/rng/931rngext.pdf Btw, anybody was lucky enough to cache the draft of X9.82 which was posted on the NIST site some time ago? -- Regards, ASK - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
