Re: Pseudorandom Number Generator in Ansi X9.17

2005-11-15 Thread Travis H.
In Practical Cryptography, Schneier discusses a new PRNG design called Fortuna.

It has some neat features.

He also discusses problems with the ANSI PRNG here:

http://www.schneier.com/paper-prngs.html
--
http://www.lightconsulting.com/~travis/  --
We already have enough fast, insecure systems. -- Schneier  Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Pseudorandom Number Generator in Ansi X9.17

2005-11-13 Thread Ben Laurie
Terence Joseph wrote:
 Hi,
 
 The Pseudorandom Number Generator specified in Ansi X9.17 used to be one
 of the best PRNGs available if I am correct.

It was? When? I had to replace the OpenSSL PRNG with X9.31 (as has been
discussed elsewhere, this is the same PRNG) for the FIPS-140
certification, and in my opinion it was a large step backwards.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Pseudorandom Number Generator in Ansi X9.17

2005-11-10 Thread Alexander Klimov
On Thu, 10 Nov 2005, Terence Joseph wrote:
 The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of
 the best PRNGs available if I am correct.  I was just wondering if this is
 still considered to be the case?  Is it widely used in practical situations
 or is there some better implementation available?  What would be the
 advantages/disadvantages of modifying the Ansi X9.17 PRNG to use AES instead
 of 3DES? Is this feasible at all?

It is now called ANSI X9.31 Appendix A.2.4

 http://csrc.nist.gov/CryptoToolkit/tkrng.html

and yes, there is

 NIST-Recommended Random Number Generator
 Based on ANSI X9.31 Appendix A.2.4
 Using the 3-Key Triple DES and AES Algorithms

 http://csrc.nist.gov/cryptval/rng/931rngext.pdf

Btw, anybody was lucky enough to cache the draft of X9.82 which was
posted on the NIST site some time ago?

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Pseudorandom Number Generator in Ansi X9.17

2005-11-10 Thread Jack Lloyd
On Thu, Nov 10, 2005 at 10:33:18AM +, Terence Joseph wrote:
 Hi,
 
 The Pseudorandom Number Generator specified in Ansi X9.17 used to be one of 
 the best PRNGs available if I am correct.  I was just wondering if this is 
 still considered to be the case?  Is it widely used in practical situations 
 or is there some better implementation available?  What would be the 
 advantages/disadvantages of modifying the Ansi X9.17 PRNG to use AES 
 instead of 3DES? Is this feasible at all?

Asides from the relatively small internal state, and the state compromise
extension problems noted by Schneier, Wagner, et al, X9.17/X9.31 are AFAIK good
PRNGs. It is very trivial to use AES instead of 3DES (just swap out the
algorithms, and change the size of the various internal values to match the
128-bit block size), and you get a larger keyspace, larger internal state, and
faster operation, so I'd say doing so is a complete win.

Technically, X9.17 has been withdrawn by ANSI, but X9.31 contains the exact
same PRNG in Appenxix A.2.4. ANSI still requires 2-key 3DES, but NIST allows
the use of 3-key 3DES or of AES with any keylength instead.

-Jack

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]