Subject: Re: arc4random(9)
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/29/2002 00:58:13
On Tue, May 28, 2002 at 11:13:23PM -0400, Thor Lancelot Simon wrote:
[...]
> Yarrow would be a nice idea, but unfortunately the standards in question
> are quite strict, many people building products with NetBSD are _forced_
> to strictly conform to them, and neither one permits Yarrow.  The X9.31
> generator, perhaps hooked to an API that lets you choose the block cipher
> used, is probably the best bet.

Sigh.  Too much conformance work for too many standards at my day job.  I
got my standard names mixed up -- sorry!

The RNG in question is in fact mentioned in X9.31, but it's actually
specified in X9.17.  The algorithm, stated simply (thanks to Dorothy
Denning's online lecture notes for the statement-in-text), is:

	Generate random 64-bit seed V0

	Generate random key generating key K

	Generate random keys Ri, i = 0, 1, ...

	Ri = EK (EK (Ti) XOR Vi )

	Vi = EK (EK (Ti) XOR Vi )

	where Ti is current time.

	EK is encryption with DES and key K 

Current FIPS-140 certification practice allows 3DES to be used as EK
instead of single-DES -- or so the FIPS-certification people I've talked
to recently say, anyway.  Obviously, this works okay with any block cipher
as EK, and nothing says you can't generate a new V0 from time to time, 
either; FIPS 186 does say you have to do some simple statistical tests on
the generator's output when you reseed it, though.
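
An added example (not from this mail or from NetBSD) of the X9.17 construction with 3DES as EK, written against Go's generic cipher.Block interface so the block cipher can be swapped as suggested above. It follows the standard's state update, in which the new V is derived from the output block R (V_{i+1} = EK(EK(Ti) XOR Ri)); the key, seed and tick-counter time source are constructed placeholders, and the reseed and statistical tests mentioned above are left out.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// X917 is an ANSI X9.17 generator over any 64-bit block cipher.
type X917 struct {
	blk cipher.Block
	v   [8]byte       // current state V_i
	now func() uint64 // supplies the 64-bit time value T_i
}

// NewX917 rejects ciphers whose block is not 64 bits, since V and T are 8 bytes.
func NewX917(blk cipher.Block, seed [8]byte, now func() uint64) (*X917, error) {
	if blk.BlockSize() != 8 {
		return nil, fmt.Errorf("x917: need a 64-bit block cipher, got %d-byte blocks", blk.BlockSize())
	}
	return &X917{blk: blk, v: seed, now: now}, nil
}

// Next performs one step: I = EK(Ti); Ri = EK(I XOR Vi); V_{i+1} = EK(I XOR Ri).
func (g *X917) Next() [8]byte {
	var t, i, r, x [8]byte
	binary.BigEndian.PutUint64(t[:], g.now())
	g.blk.Encrypt(i[:], t[:])
	xor(x[:], i[:], g.v[:])
	g.blk.Encrypt(r[:], x[:]) // output block R_i
	xor(x[:], i[:], r[:])
	g.blk.Encrypt(g.v[:], x[:]) // next state V_{i+1}
	return r
}

func xor(dst, a, b []byte) {
	for k := range dst {
		dst[k] = a[k] ^ b[k]
	}
}

// DemoGenerator builds an X917 over 3DES with a constructed placeholder key.
func DemoGenerator(seed [8]byte, now func() uint64) (*X917, error) {
	blk, err := des.NewTripleDESCipher([]byte("0123456789abcdefghijklmn")) // placeholder 24-byte key
	if err != nil {
		return nil, err
	}
	return NewX917(blk, seed, now)
}

func main() {
	var tick uint64
	g, err := DemoGenerator([8]byte{1, 2, 3, 4, 5, 6, 7, 8}, func() uint64 { tick++; return tick })
	if err != nil {
		panic(err)
	}
	for n := 0; n < 3; n++ {
		r := g.Next()
		fmt.Println(hex.EncodeToString(r[:]))
	}
}
```

In a real deployment Ti comes from a high-resolution clock and K and V0 from a hardware or entropy-pool source; a fixed counter is used here only to make the run reproducible.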

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud