< draft-eastlake-randomness2-06.txt   draft-eastlake-randomness2-07.txt >
Network Working Group Donald E. Eastlake, 3rd Network Working Group Donald E. Eastlake, 3rd
OBSOLETES RFC 1750 Jeffrey I. Schiller OBSOLETES RFC 1750 Jeffrey I. Schiller
Steve Crocker Steve Crocker
Expires October 2004 April 2004 Expires December 2004 June 2004
Randomness Requirements for Security Randomness Requirements for Security
---------- ------------ --- -------- ---------- ------------ --- --------
<draft-eastlake-randomness2-06.txt> <draft-eastlake-randomness2-07.txt>
Status of This Document Status of This Document
This document is intended to become a Best Current Practice. This document is intended to become a Best Current Practice.
Comments should be sent to the authors. Distribution is unlimited. Comments should be sent to the authors. Distribution is unlimited.
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are all provisions of Section 10 of RFC 2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF), its working documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts. distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
skipping to change at page 2, line 7 skipping to change at page 2, line 7
pitfalls in using traditional pseudo-random number generation pitfalls in using traditional pseudo-random number generation
techniques for choosing such quantities. It recommends the use of techniques for choosing such quantities. It recommends the use of
truly random hardware techniques and shows that the existing hardware truly random hardware techniques and shows that the existing hardware
on many systems can be used for this purpose. It provides suggestions on many systems can be used for this purpose. It provides suggestions
to ameliorate the problem when a hardware solution is not available. to ameliorate the problem when a hardware solution is not available.
And it gives examples of how large such quantities need to be for And it gives examples of how large such quantities need to be for
some applications. some applications.
Acknowledgements Acknowledgements
Special thanks to Peter Gutmann who has permitted the incorporation Special thanks to Peter Gutmann, who has permitted the incorporation
of material from his paper "Software Generation of Practically Strong of material from his paper "Software Generation of Practically Strong
Random Numbers". Random Numbers", and to Paul Hoffman for his extensive comments.
The following other persons (in alphabetic order) contributed The following other persons (in alphabetic order) have also
substantially to this document: contributed substantially to this document:
Tony Hansen, Sandy Harris, Paul Hoffman, Russ Housley Tony Hansen, Sandy Harris, Russ Housley
The following persons (in alphabetic order) contributed to RFC 1750, The following persons (in alphabetic order) contributed to RFC 1750,
the predecessor of this document: the predecessor of this document:
David M. Balenson, Don T. Davis, Carl Ellison, Marc Horowitz, David M. Balenson, Don T. Davis, Carl Ellison, Marc Horowitz,
Christian Huitema, Charlie Kaufman, Steve Kent, Hal Murray, Neil Christian Huitema, Charlie Kaufman, Steve Kent, Hal Murray, Neil
Haller, Richard Pitkin, Tim Redmond, and Doug Tygar. Haller, Richard Pitkin, Tim Redmond, and Doug Tygar.
Table of Contents Table of Contents
skipping to change at page 4, line 18 skipping to change at page 4, line 18
8.1 Password Generation..................................32 8.1 Password Generation..................................32
8.2 A Very High Security Cryptographic Key................33 8.2 A Very High Security Cryptographic Key................33
8.2.1 Effort per Key Trial................................33 8.2.1 Effort per Key Trial................................33
8.2.2 Meet in the Middle Attacks..........................34 8.2.2 Meet in the Middle Attacks..........................34
8.2.3 Other Considerations................................35 8.2.3 Other Considerations................................35
9. Conclusion.............................................36 9. Conclusion.............................................36
10. Security Considerations...............................37 10. Security Considerations...............................37
11. Intellectual Property Considerations..................37 11. Intellectual Property Considerations..................37
12. Copyright and Disclaimer..............................37
12. Appendix A: Changes from RFC 1750.....................38 13. Appendix A: Changes from RFC 1750.....................38
13. Informative References................................39 14. Informative References................................39
Authors Addresses.........................................43 Authors Addresses.........................................43
File Name and Expiration..................................43 File Name and Expiration..................................43
1. Introduction 1. Introduction
Software cryptography is coming into wider use and is continuing to Software cryptography is coming into wider use and is continuing to
spread, although there is a long way to go until it becomes spread, although there is a long way to go until it becomes
pervasive. pervasive.
skipping to change at page 9, line 12 skipping to change at page 9, line 12
carry) of bits from selected fixed taps into the register. For carry) of bits from selected fixed taps into the register. For
example: example:
+----+ +----+ +----+ +----+ +----+ +----+ +----+ +----+
| B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+ | B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+
| 0 | | 1 | | 2 | | n | | | 0 | | 1 | | 2 | | n | |
+----+ +----+ +----+ +----+ | +----+ +----+ +----+ +----+ |
| | | | | | | |
| | V +-----+ | | V +-----+
| V +----------------> | | | V +----------------> | |
V +-----------------------------> | XOR | V +-----------------------------> | XOR |
+---------------------------------------------------> | | +---------------------------------------------------> | |
+-----+ +-----+
V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n) V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n)
N+1 N 0 2 N+1 N 0 2
The goodness of traditional pseudo-random number generator algorithms The goodness of traditional pseudo-random number generator algorithms
is measured by statistical tests on such sequences. Carefully chosen is measured by statistical tests on such sequences. Carefully chosen
values a, b, c, and initial V or the placement of shift register tap values a, b, c, and initial V or the placement of shift register tap
in the above simple processes can produce excellent statistics. in the above simple processes can produce excellent statistics.
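The shift-register generator of the figure above, as an added example in Python that is not part of the draft: the register width (n = 4), the tap positions (bits 3 and 2) and the seed are this example's own choices. It shows the point the paragraph makes, that a carefully chosen tap placement gives a maximal period and a balanced output stream, and also why that is not enough for security: every output bit is a fixed XOR of earlier output bits, so the whole stream is a linear function of its own past.

```python
# Added example (not from the draft): the feedback shift register of the
# figure above, with V an n-bit state and the new low-order bit formed from
# the XOR of the tap bits:  V_{N+1} = ((V_N * 2) + (B_t1 xor B_t2 ...)) mod 2^n
# The width n=4 and taps (3, 2) used below are this example's own choice.

def lfsr_step(v, n, taps):
    """One step of the register: shift left, feed XOR of tap bits into bit 0."""
    feedback = 0
    for t in taps:
        feedback ^= (v >> t) & 1
    return ((v << 1) | feedback) & ((1 << n) - 1)


def lfsr_bits(v, n, taps, count):
    """The generator's output: the `count` feedback bits shifted in, in order."""
    out = []
    for _ in range(count):
        v = lfsr_step(v, n, taps)
        out.append(v & 1)
    return out


def period(v, n, taps):
    """Number of steps until the state returns to the seed (at most 2^n - 1)."""
    state, steps = v, 0
    while True:
        state = lfsr_step(state, n, taps)
        steps += 1
        if state == v:
            return steps


def balance(bits):
    """Fraction of ones: the kind of statistic a traditional PRNG test checks."""
    return sum(bits) / len(bits)


def satisfies_recurrence(bits, taps):
    """Every output bit beyond the first max(taps)+1 is the XOR of earlier
    output bits at fixed lags, so the stream is a linear function of its own
    past: good statistics, but no unpredictability at all."""
    lag = max(taps) + 1
    for i in range(lag, len(bits)):
        expected = 0
        for t in taps:
            expected ^= bits[i - 1 - t]
        if bits[i] != expected:
            return False
    return True


if __name__ == "__main__":
    N, TAPS, SEED = 4, (3, 2), 1
    print("period:", period(SEED, N, TAPS))            # 15 = 2^4 - 1, maximal
    stream = lfsr_bits(SEED, N, TAPS, 15)
    print("one period of output:", stream)
    print("balance:", balance(stream))                 # 8/15, close to 1/2
    print("linear recurrence holds:",
          satisfies_recurrence(lfsr_bits(SEED, N, TAPS, 200), TAPS))
```

With the chosen taps the 4-bit register visits all 15 non-zero states before repeating and emits 8 ones and 7 zeros per period, which is as balanced as a maximal-length register can be; the recurrence check is what makes the same stream worthless as a secret.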
skipping to change at page 18, line 11 skipping to change at page 18, line 11
drive failure will normally be rapidly noticed. Thus, problems with drive failure will normally be rapidly noticed. Thus, problems with
this method of random number generation due to hardware failure are this method of random number generation due to hardware failure are
unlikely. unlikely.
5.4 Ring Oscillator Sources 5.4 Ring Oscillator Sources
If an integrated circuit is being designed or field programmed, an If an integrated circuit is being designed or field programmed, an
odd number of gates can be connected in series to produce a free- odd number of gates can be connected in series to produce a free-
running ring oscillator. By sampling a point in the ring at a fixed running ring oscillator. By sampling a point in the ring at a fixed
frequency, say one determined by a stable crystal oscillator, some frequency, say one determined by a stable crystal oscillator, some
amount of entropy can be extracted due to slight variations in the amount of entropy can be extracted due to variations in the free-
free-running oscillator timing. It is possible to increase the rate running oscillator timing. It is possible to increase the rate of
of entropy by xor'ing sampled values from a few ring oscillators with entropy by xor'ing sampled values from a few ring oscillators with
relatively prime lengths. Another possibility is to sample the output relatively prime lengths. It is sometimes recommended that an odd
of a noisy diode. number of rings be used so that, even if the rings somehow become
synchronously locked to each other, there will still be sampled bit
transitions. Another possible source to sample is the output of a
noisy diode.
Bits from such sources will have to be heavily de-skewed, as disk Sampled bits from such sources will have to be heavily de-skewed, as
rotation timings must be (Section 5.3.2). An engineering study would disk rotation timings must be (Section 5.3.2). An engineering study
be needed to determine the amount of entropy being produced depending would be needed to determine the amount of entropy being produced
on the particular design. In any case, these can be good sources depending on the particular design. In any case, these can be good
whose cost is a trivial amount of hardware by modern standards. sources whose cost is a trivial amount of hardware by modern
standards.
As an example, IEEE 802.11 suggests that circuit below be considered As an example, IEEE 802.11i suggests that the circuit below be
with due attention in the design to isolation of the rings from each considered, with due attention in the design to isolation of the
other and from clocked circuits to avoid undesired synchronization, rings from each other and from clocked circuits to avoid undesired
etc., and extensive post processing. [IEEE 802.11i] synchronization, etc., and extensive post processing. [IEEE 802.11i]
|\ |\ |\ |\ |\ |\
+-->| >0-->| >0-- 19 total --| >0--+-------+ +-->| >0-->| >0-- 19 total --| >0--+-------+
| |/ |/ |/ | | | |/ |/ |/ | |
| | | | | |
+----------------------------------+ V +----------------------------------+ V
+-----+ +-----+
|\ |\ |\ | | output |\ |\ |\ | | output
+-->| >0-->| >0-- 23 total --| >0--+--->| XOR |------> +-->| >0-->| >0-- 23 total --| >0--+--->| XOR |------>
| |/ |/ |/ | | | | |/ |/ |/ | | |
| | +-----+ | | +-----+
+----------------------------------+ ^ ^ +----------------------------------+ ^ ^
| | | |
|\ |\ |\ | | |\ |\ |\ | |
+-->| >0-->| >0-- 29 total --| >0--+------+ | +-->| >0-->| >0-- 29 total --| >0--+------+ |
| |/ |/ |/ | | | |/ |/ |/ | |
| | | | | |
+----------------------------------+ | +----------------------------------+ |
| |
other randomness if available--------------+ other randomness if available--------------+
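A software model of the scheme just described, as an added example that is not part of the draft or of IEEE 802.11i: free-running rings of 19, 23 and 29 stages are simulated with a per-edge timing jitter, sampled once per tick of a stable clock, and the samples XORed. The gate delay and jitter figures and the constructed sample stream RING are this example's own values. It also shows the two facts behind the design advice in the text: XORing independent biased samples shrinks the bias (bits from one source that are 1 with probability 0.6 become 1 with probability 0.504 after XORing three of them), and two rings that lock in step cancel to a constant stream while three locked rings still toggle, which is why an odd number of rings is recommended.

```python
# Added example (not from the draft or IEEE 802.11i): a software model of
# sampling free-running rings with a stable clock and XORing the samples.
# The ring lengths, gate delay and jitter figures are constructed values.
import random


def sample_ring(stages, gate_delay, jitter, ticks, rng):
    """Simulated ring oscillator: with an odd number of inverter stages the
    output toggles every stages*gate_delay time units, plus per-edge jitter.
    The level is sampled once per integer clock tick."""
    half_period = stages * gate_delay
    level, next_edge, samples = 0, half_period, []
    for tick in range(ticks):
        while next_edge <= tick:
            level ^= 1
            next_edge += max(0.1, half_period + rng.gauss(0.0, jitter))
        samples.append(level)
    return samples


def xor_combine(streams):
    """Bitwise XOR of equally long sampled bit streams."""
    length = len(streams[0])
    assert all(len(s) == length for s in streams)
    return [sum(s[i] for s in streams) % 2 for i in range(length)]


def simulate_three_rings(seed=2004, ticks=64):
    """Sample three rings of relatively prime lengths and XOR the samples."""
    rng = random.Random(seed)
    rings = [sample_ring(n, 0.37, 0.05, ticks, rng) for n in (19, 23, 29)]
    return xor_combine(rings)


def prob_one_of_xor(p, k):
    """Exact P(XOR of k independent bits = 1) when each bit is 1 with probability p."""
    q = 0.0
    for _ in range(k):
        q = p * (1 - q) + (1 - p) * q
    return q


def bias(p_one):
    """Distance of P(bit = 1) from the ideal 1/2."""
    return abs(p_one - 0.5)


def transitions(bits):
    """Bit changes in a stream; a stream with none carries no entropy."""
    return sum(1 for a, b in zip(bits, bits[1:]) if a != b)


# A constructed sample stream standing in for one ring's output.
RING = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    print("combined samples:", simulate_three_rings())
    print("bias of one source at p=0.6:", bias(0.6))
    print("bias after XOR of three:", bias(prob_one_of_xor(0.6, 3)))
    # Two rings locked in step cancel each other; three locked rings still toggle.
    print("transitions, two locked rings:", transitions(xor_combine([RING, RING])))
    print("transitions, three locked rings:", transitions(xor_combine([RING] * 3)))
```

The bias reduction in prob_one_of_xor assumes the sources are independent; the locked-ring case is exactly the failure of that assumption, and the simulation does not replace the engineering study the text calls for to measure how much entropy a real circuit produces.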
6. Recommended Software Strategy 6. Recommended Software Strategy
What is the best overall strategy for meeting the requirement for What is the best overall strategy for meeting the requirement for
unguessable random numbers in the absence of a reliable hardware unguessable random numbers in the absence of a reliable hardware
source? It is to obtain random input from a number of uncorrelated source? It is to obtain random input from a number of uncorrelated
skipping to change at page 27, line 28 skipping to change at page 27, line 28
6.3.3 Entropy Pool Techniques 6.3.3 Entropy Pool Techniques
Many modern pseudo-random number sources utilize the technique of Many modern pseudo-random number sources utilize the technique of
maintaining a "pool" of bits and providing operations for strongly maintaining a "pool" of bits and providing operations for strongly
mixing input with some randomness into the pool and extracting pseudo mixing input with some randomness into the pool and extracting pseudo
random bits from the pool. This is illustrated in the figure below. random bits from the pool. This is illustrated in the figure below.
+--------+ +------+ +---------+ +--------+ +------+ +---------+
--->| Mix In |--->| POOL |--->| Extract |---> --->| Mix In |--->| POOL |--->| Extract |--->
| Bits | | | | Bits | | Bits | | | | Bits |
+--------+ +------+ +---------+ +--------+ +------+ +---------+
^ V ^ V
| | | |
+-----------+ +-----------+
Bits to be fed into the pool can be any of the various hardware, Bits to be fed into the pool can be any of the various hardware,
environmental, or user input sources discussed above. It is also environmental, or user input sources discussed above. It is also
common to save the state of the pool on system shut down and restore common to save the state of the pool on system shut down and restore
it on re-starting, if stable storage is available. it on re-starting, if stable storage is available.
skipping to change at page 30, line 8 skipping to change at page 30, line 8
j+1 j j j+1 j j
The quantities X thus produced are the pseudo-random sequence of The quantities X thus produced are the pseudo-random sequence of
values in the range 0 to q. Two functions can be used for "G" above. values in the range 0 to q. Two functions can be used for "G" above.
Each produces a 160-bit value and takes two arguments, the first a Each produces a 160-bit value and takes two arguments, the first a
160-bit value and the second a 512 bit value. 160-bit value and the second a 512 bit value.
The first is based on SHA-1 and works by setting the 5 linking The first is based on SHA-1 and works by setting the 5 linking
variables, denoted H with subscripts in the SHA-1 specification, to variables, denoted H with subscripts in the SHA-1 specification, to
the first argument divided into fifths. Then steps (a) through (e) of the first argument divided into fifths. Then steps (a) through (e) of
section 7 of the SHA-1 specification are run over the second argument section 7 of the NIST SHA-1 specification are run over the second
as if it were a 512-bit data block. The values of the linking argument as if it were a 512-bit data block. The values of the
variable after those steps are then concatenated to produce the linking variable after those steps are then concatenated to produce
output of G. [SHA-1] the output of G. [SHA-1]
As an alternative, NIST also defined an alternate G function based on As an alternative second method, NIST also defined an alternate G
multiple applications of the DES encryption function [DSS]. function based on multiple applications of the DES encryption
function [DSS].
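The SHA-1 based G function described above, written out in Python as an added example that is not from the draft or from FIPS 186-2: the five linking variables are loaded from the 160-bit first argument, steps (a) through (e) of section 7 of the SHA-1 specification are run over the 512-bit second argument as a single block, and the resulting linking variables are concatenated. The standard SHA-1 initial values H0..H4 appear only as a test vector: with them as t and the padded empty message as c, G must equal SHA-1 of the empty string, which the block checks against hashlib.

```python
# Added example (not from the draft or FIPS 186-2): the SHA-1 based G(t, c)
# described above. Steps (a) through (e) of FIPS 180-1 section 7 are the
# single-block compression below; the SHA-1 initial values (the standard
# H0..H4) are used only as a test vector.
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
SHA1_IV_BYTES = struct.pack(">5I", *SHA1_IV)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_steps_a_to_e(h, block):
    """FIPS 180-1 section 7, steps (a)-(e): process one 512-bit block starting
    from the five 32-bit linking variables h, and return the new linking
    variables (step (e) adds the working variables back into them)."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))                       # (a)
    for t in range(16, 80):                                      # (b)
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h                                            # (c)
    for t in range(80):                                          # (d)
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))  # (e)


def G(t, c):
    """FIPS 186-2 G(t, c): t is 160 bits (five 32-bit words that seed the
    linking variables), c is a 512-bit block; output is the 160-bit H0||...||H4."""
    assert len(t) == 20 and len(c) == 64
    h = struct.unpack(">5I", t)
    return struct.pack(">5I", *sha1_steps_a_to_e(h, c))


def matches_sha1_of_empty_message():
    """Sanity check: with the standard SHA-1 initial values and the padded
    empty message as the block, G reduces to plain SHA-1 of the empty string."""
    padded_empty = b"\x80" + b"\x00" * 63
    return G(SHA1_IV_BYTES, padded_empty) == hashlib.sha1(b"").digest()


if __name__ == "__main__":
    print("G agrees with SHA-1 on a test vector:", matches_sha1_of_empty_message())
    # A different t gives a different, non-SHA-1 result: that is the point of G.
    print(G(bytes(20), b"seed material".ljust(64, b"\x00")).hex())
```

Because t replaces the fixed SHA-1 initial values, G is the raw compression function rather than the hash: no padding or length encoding is applied to c, which is why the caller is responsible for supplying exactly 512 bits.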
7.4 X9.82 Pseudo-Random Number Generation 7.4 X9.82 Pseudo-Random Number Generation
The National Institute for Standards and Technology (NIST) and the The National Institute for Standards and Technology (NIST) and the
American National Standards Institutes (ANSI) X9F1 committee are in American National Standards Institutes (ANSI) X9F1 committee are in
the final stages of creating a standard for random number generation. the final stages of creating a standard for random number generation.
This standard includes a number of random number generators for use This standard includes a number of random number generators for use
with AES and other block ciphers. It also includes random number with AES and other block ciphers. It also includes random number
generators based on hash functions and the arithmetic of elliptic generators based on hash functions and the arithmetic of elliptic
curves [X9.82]. curves [X9.82].
skipping to change at page 30, line 45 skipping to change at page 30, line 46
When an event occurs, such as a disk drive interrupt, the time of the When an event occurs, such as a disk drive interrupt, the time of the
event is xor'ed into the pool and the pool is stirred via a primitive event is xor'ed into the pool and the pool is stirred via a primitive
polynomial of degree 128. The pool itself is treated as a ring polynomial of degree 128. The pool itself is treated as a ring
buffer, with new data being XORed (after stirring with the buffer, with new data being XORed (after stirring with the
polynomial) across the entire pool. polynomial) across the entire pool.
Each call that adds entropy to the pool estimates the amount of Each call that adds entropy to the pool estimates the amount of
likely true entropy the input contains. The pool itself contains a likely true entropy the input contains. The pool itself contains a
an accumulator that estimates the total over all entropy of the pool. an accumulator that estimates the total over all entropy of the pool.
Input events come from several sources: Input events come from several sources as listed below.
Unfortunately, for server machines without human operators, the first
and third are not available and entropy may be added very slowly in
that case.
1. Keyboard interrupts. The time of the interrupt as well as the scan 1. Keyboard interrupts. The time of the interrupt as well as the scan
code are added to the pool. This in effect adds entropy from the code are added to the pool. This in effect adds entropy from the
human operator by measuring inter-keystroke arrival times. human operator by measuring inter-keystroke arrival times.
2. Disk completion and other interrupts. A system being used by a 2. Disk completion and other interrupts. A system being used by a
person will likely have a hard to predict pattern of disk person will likely have a hard to predict pattern of disk
accesses. accesses. (But not all disk drivers support capturing this timing
information with sufficient accuracy to be useful.)
3. Mouse motion. The timing as well as mouse position is added in. 3. Mouse motion. The timing as well as mouse position is added in.
When random bytes are required, the pool is hashed with SHA-1 [SHA1] When random bytes are required, the pool is hashed with SHA-1 [SHA1]
to yield the returned bytes of randomness. If more bytes are required to yield the returned bytes of randomness. If more bytes are required
than the output of SHA-1 (20 bytes), then the hashed output is than the output of SHA-1 (20 bytes), then the hashed output is
stirred back into the pool and a new hash performed to obtain the stirred back into the pool and a new hash performed to obtain the
next 20 bytes. As bytes are removed from the pool, the estimate of next 20 bytes. As bytes are removed from the pool, the estimate of
entropy is similarly decremented. entropy is similarly decremented.
To ensure a reasonable random pool upon system startup, the standard To ensure a reasonable random pool upon system startup, the standard
startup scripts (and shutdown scripts) save the pool to a disk file startup scripts (and shutdown scripts) save the pool to a disk file
at shutdown and read this file at system startup. at shutdown and read this file at system startup.
There are two user exported interfaces. /dev/random returns bytes There are two user exported interfaces. /dev/random returns bytes
from the pool, but blocks when the estimated entropy drops to zero. from the pool, but blocks when the estimated entropy drops to zero.
As entropy is added to the pool from events, more data becomes As entropy is added to the pool from events, more data becomes
available via /dev/random. Random data obtained from such a available via /dev/random. Random data obtained from such a
/dev/random device is suitable for key generation for long term keys. /dev/random device is suitable for key generation for long term keys,
if enough random bits are in the pool or are added in a reasonable
amount of time.
/dev/urandom works like /dev/random, however it provides data even /dev/urandom works like /dev/random, however it provides data even
when the entropy estimate for the random pool drops to zero. This may when the entropy estimate for the random pool drops to zero. This may
be adequate for session keys. The risk of continuing to take data be adequate for session keys or for other key generation tasks where
even when the pool's entropy estimate is small in that past output blocking while waiting for more random bits is not acceptable. The
may be computable from current output provided an attacker can risk of continuing to take data even when the pool's entropy estimate
reverse SHA-1. Given that SHA-1 is designed to be non-invertible, is small in that past output may be computable from current output
this is a reasonable risk. provided an attacker can reverse SHA-1. Given that SHA-1 is designed
to be non-invertible, this is a reasonable risk.
To obtain random numbers under Linux, Solaris, or other UNIX systems To obtain random numbers under Linux, Solaris, or other UNIX systems
equipped with code as described above, all an application needs to do equipped with code as described above, all an application needs to do
is open either /dev/random or /dev/urandom and read the desired is open either /dev/random or /dev/urandom and read the desired
number of bytes. number of bytes.
(The Linux Random device was written by Theodore Ts'o. It was based (The Linux Random device was written by Theodore Ts'o. It was based
loosely on the random number generator in PGP 2.X and PGP 3.0 (aka loosely on the random number generator in PGP 2.X and PGP 3.0 (aka
PGP 5.0).) PGP 5.0).)
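A toy entropy pool with the mix-in / extract shape of the figure in section 6.3.3 and the /dev/random and /dev/urandom behaviour just described, as an added example in Python that is not the Linux kernel's code: events carry their time and value into the pool together with the caller's entropy estimate, output is produced by hashing the pool with SHA-1 and stirring the hash back in before hashing again, and the estimate is debited as bytes leave. Simplifications that are this example's own: the pool is a 64-byte ring buffer stirred by XORing the input and a SHA-1 of it across it rather than by the degree-128 polynomial, and a raised exception stands in for the blocking read. The keyboard events are constructed values.

```python
# Added example (not the Linux kernel's code): a toy entropy pool with the
# mix-in / extract shape of the figure in 6.3.3 and the /dev/random and
# /dev/urandom behaviour described above. Simplifications that are this
# example's own: a 64-byte ring buffer stirred by XORing the input and a SHA-1
# of it across the pool (instead of the degree-128 polynomial), and a raised
# exception where the real device would block.
import hashlib
import struct


class EntropyPool:
    POOL_BYTES = 64

    def __init__(self):
        self.pool = bytearray(self.POOL_BYTES)
        self.pos = 0                 # ring-buffer write position
        self.entropy_bits = 0        # the pool's running entropy estimate

    def mix_in(self, data, entropy_estimate_bits):
        """Stir `data` into the pool and credit the caller's entropy estimate."""
        digest = hashlib.sha1(bytes(self.pool) + data).digest()
        for byte in data + digest:
            self.pool[self.pos] ^= byte
            self.pos = (self.pos + 1) % self.POOL_BYTES
        self.entropy_bits = min(self.entropy_bits + entropy_estimate_bits,
                                8 * self.POOL_BYTES)

    def add_event(self, time_ns, value, entropy_estimate_bits):
        """A keyboard, disk or mouse event: the event time and its value
        (scan code, position, ...) both go into the pool."""
        self.mix_in(struct.pack(">QI", time_ns, value & 0xFFFFFFFF),
                    entropy_estimate_bits)

    def extract(self, nbytes, blocking=True):
        """Hash the pool with SHA-1 to produce output; stir the hash back in
        before hashing again for more. blocking=True models /dev/random
        (refuses when the estimate is zero); False models /dev/urandom."""
        out = bytearray()
        while len(out) < nbytes:
            if blocking and self.entropy_bits <= 0:
                raise BlockingIOError("entropy estimate is zero: /dev/random would block here")
            digest = hashlib.sha1(bytes(self.pool)).digest()
            self.mix_in(digest, 0)               # feed the hash back, credit nothing
            chunk = digest[:nbytes - len(out)]
            out += chunk
            # Bytes removed from the pool debit the estimate.
            self.entropy_bits = max(0, self.entropy_bits - 8 * len(chunk))
        return bytes(out)


# Constructed keyboard events: (time in ns, scan code, entropy credited in bits).
SAMPLE_EVENTS = [(1_000_000, 0x1E, 8), (1_120_000, 0x30, 8), (1_250_000, 0x2E, 8)]


def seeded_pool(events=SAMPLE_EVENTS):
    """A pool that has absorbed the constructed events."""
    pool = EntropyPool()
    for time_ns, code, credit in events:
        pool.add_event(time_ns, code, credit)
    return pool


if __name__ == "__main__":
    pool = seeded_pool()
    print("entropy estimate after 3 keystrokes:", pool.entropy_bits, "bits")
    print("/dev/random style, 3 bytes:", pool.extract(3).hex())
    print("estimate now:", pool.entropy_bits)
    try:
        pool.extract(1)
    except BlockingIOError as err:
        print("blocking read:", err)
    print("/dev/urandom style, 40 bytes:", pool.extract(40, blocking=False).hex())
```

Running it shows the trade-off the text describes: after three keystrokes credited with 8 bits each the pool will hand out 3 bytes in blocking mode and then refuse, while non-blocking mode keeps producing bytes whose quality rests on SHA-1 being non-invertible and on whatever entropy the pool actually holds. The estimate is only the caller's claim about its input; a pool fed events with an over-generous estimate will unblock before it deserves to.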
skipping to change at page 36, line 15 skipping to change at page 36, line 15
9. Conclusion 9. Conclusion
Generation of unguessable "random" secret quantities for security use Generation of unguessable "random" secret quantities for security use
is an essential but difficult task. is an essential but difficult task.
Hardware techniques to produce such randomness would be relatively Hardware techniques to produce such randomness would be relatively
simple. In particular, the volume and quality would not need to be simple. In particular, the volume and quality would not need to be
high and existing computer hardware, such as disk drives, can be high and existing computer hardware, such as disk drives, can be
used. used.
Computational techniques are available to process low quality random Widely available computational techniques are available to process
quantities from multiple sources or a larger quantity of such low low quality random quantities from multiple sources or a larger
quality input from one source and produce a smaller quantity of quantity of such low quality input from one source and produce a
higher quality keying material. In the absence of hardware sources of smaller quantity of higher quality keying material. In the absence of
randomness, a variety of user and software sources can frequently, hardware sources of randomness, a variety of user and software
with care, be used instead; however, most modern systems already have sources can frequently, with care, be used instead; however, most
hardware, such as disk drives or audio input, that could be used to modern systems already have hardware, such as disk drives or audio
produce high quality randomness. input, that could be used to produce high quality randomness.
Once a sufficient quantity of high quality seed key material (a Once a sufficient quantity of high quality seed key material (a
couple of hundred bits) is available, computational techniques are couple of hundred bits) is available, computational techniques are
available to produce cryptographically strong sequences of available to produce cryptographically strong sequences of
unpredictable quantities from this seed material. unpredictable quantities from this seed material.
10. Security Considerations 10. Security Considerations
The entirety of this document concerns techniques and recommendations The entirety of this document concerns techniques and recommendations
for generating unguessable "random" quantities for use as passwords, for generating unguessable "random" quantities for use as passwords,
cryptographic keys, initialization vectors, sequence numbers, and cryptographic keys, initialization vectors, sequence numbers, and
similar security uses. similar security uses.
11. Intellectual Property Considerations 11. Intellectual Property Considerations
The IETF takes no position regarding the validity or scope of any By submitting this Internet-Draft, I certify that any applicable
Intellectual Property Rights or other rights that might be claimed to patent or other IPR claims of which I am aware have been disclosed,
pertain to the implementation or use of the technology described in and any of which I become aware will be disclosed, in accordance with
this document or the extent to which any license under such rights RFC 3668.
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information The IETF takes no position regarding the validity or scope
on the procedures with respect to rights in RFC documents can be of any Intellectual Property Rights or other rights that might be
found in BCP 78 and BCP 79. claimed to pertain to the implementation or use of the technology
described in this document or the extent to which any license under
such rights might or might not be available; nor does it represent
that it has made any independent effort to identify any such rights.
Information on the procedures with respect to rights in RFC documents
can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at ietf-
ipr@ietf.org. ipr@ietf.org.
12. Appendix A: Changes from RFC 1750 12. Copyright and Disclaimer
Copyright (C) The Internet Society 2004. This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
13. Appendix A: Changes from RFC 1750
1. Additional acknowledgements have been added. 1. Additional acknowledgements have been added.
2. Insertion of section 5.2.4 on de-skewing with S-boxes. 2. Insertion of section 5.2.4 on de-skewing with S-boxes.
3. Addition of section 5.4 on Ring Oscillator randomness sources. 3. Addition of section 5.4 on Ring Oscillator randomness sources.
4. AES and the members of the SHA series producing more than 160 4. AES and the members of the SHA series producing more than 160
bits have been added. Use of AES has been emphasized and the use bits have been added. Use of AES has been emphasized and the use
of DES minimized. of DES de-emphasized.
5. Addition of section 6.3.3 on entropy pool techniques. 5. Addition of section 6.3.3 on entropy pool techniques.
6. Addition of section 7.3 on the pseudo-random number generation 6. Addition of section 7.3 on the pseudo-random number generation
techniques given in FIPS 186-2, 7.4 on those given in X9.82, and techniques given in FIPS 186-2, 7.4 on those given in X9.82, and
section 7.5 on the random number generation techniques of the section 7.5 on the random number generation techniques of the
/dev/random device in Linux and other UNIX systems. /dev/random device in Linux and other UNIX systems.
7. Addition of references to the "Minimal Key Lengths for Symmetric 7. Addition of references to the "Minimal Key Lengths for Symmetric
Ciphers to Provide Adequate Commercial Security" study published Ciphers to Provide Adequate Commercial Security" study published
in January 1996 [KeyStudy]. in January 1996 [KeyStudy].
8. Minor wording changes and reference updates. 8. Minor wording changes and reference updates.
13. Informative References 14. Informative References
[AES] - "Specification of the Advanced Encryption Standard (AES)", [AES] - "Specification of the Advanced Encryption Standard (AES)",
United States of America, US National Institute of Standards and United States of America, US National Institute of Standards and
Technology, FIPS 197, November 2001. Technology, FIPS 197, November 2001.
[ASYMMETRIC] - "Secure Communications and Asymmetric Cryptosystems", [ASYMMETRIC] - "Secure Communications and Asymmetric Cryptosystems",
edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview
Press, Inc. Press, Inc.
[BBS] - "A Simple Unpredictable Pseudo-Random Number Generator", SIAM [BBS] - "A Simple Unpredictable Pseudo-Random Number Generator", SIAM
skipping to change at page 40, line 5 skipping to change at page 40, line 5
[DSS] - "Digital Signature Standard (DSS)", US National Institute of [DSS] - "Digital Signature Standard (DSS)", US National Institute of
Standards and Technology, FIPS 186-2, January 2000. Standards and Technology, FIPS 186-2, January 2000.
[FERGUSON] - "Practical Cryptography", Niels Ferguson and Bruce [FERGUSON] - "Practical Cryptography", Niels Ferguson and Bruce
Schneier, Wiley Publishing Inc., ISBN 047122894X, April 2003. Schneier, Wiley Publishing Inc., ISBN 047122894X, April 2003.
[GIFFORD] - "Natural Random Number", MIT/LCS/TM-371, David K. [GIFFORD] - "Natural Random Number", MIT/LCS/TM-371, David K.
Gifford, September 1988. Gifford, September 1988.
[IEEE 802.11i] - "Draft Amendment to Standard for Telecommunications [IEEE 802.11i] - "Amendment to Standard for Telecommunications and
and Information Exchange Between Systems - LAN/MAN Specific Information Exchange Between Systems - LAN/MAN Specific Requirements
Requirements - Part 11: Wireless Medium Access Control (MAC) and - Part 11: Wireless Medium Access Control (MAC) and physical layer
physical layer (PHY) specifications: Medium Access Control (MAC) (PHY) specifications: Medium Access Control (MAC) Security
Security Enhancements", The Institute for Electrical and Electronics Enhancements", The Institute for Electrical and Electronics
Engineers, January 2004. Engineers, January 2004.
[IPSEC] - RFC 2401, "Security Architecture for the Internet [IPSEC] - RFC 2401, "Security Architecture for the Internet
Protocol", S. Kent, R. Atkinson, November 1998. Protocol", S. Kent, R. Atkinson, November 1998.
[KAUFMAN] - "Network Security: Private Communication in a Public [KAUFMAN] - "Network Security: Private Communication in a Public
World", Charlie Kaufman, Radia Perlman, and Mike Speciner, Prentis World", Charlie Kaufman, Radia Perlman, and Mike Speciner, Prentis
Hall PTR, ISBN 0-13-046019-2, 2nd Edition 2002. Hall PTR, ISBN 0-13-046019-2, 2nd Edition 2002.
[KeyStudy] - "Minimal Key Lengths for Symmetric Ciphers to Provide [KeyStudy] - "Minimal Key Lengths for Symmetric Ciphers to Provide
Adequate Commercial Security: A Report by an Ad Hoc Group of Adequate Commercial Security: A Report by an Ad Hoc Group of
Cryptographers and Computer Scientists", M. Blaze, W. Diffie, R. Cryptographers and Computer Scientists", M. Blaze, W. Diffie, R.
Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Weiner, Rivest, B. Schneier, T. Shimomura, E. Thompson, and M. Weiner,
January 1996, <www.counterpane.com/keylength.html>. January 1996, <www.counterpane.com/keylength.html>.
[KNUTH] - "The Art of Computer Programming", Volume 2: Seminumerical [KNUTH] - "The Art of Computer Programming", Volume 2: Seminumerical
Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing
Company, 3rd Edition November 1997, Donald E. Knuth. Company, 3rd Edition November 1997, Donald E. Knuth.
[KRAWCZYK] - "How to Predict Congruential Generators", Journal of [KRAWCZYK] - "How to Predict Congruential Generators", Journal of
Algorithms, V. 13, N. 4, December 1992, H. Krawczyk Algorithms, V. 13, N. 4, December 1992, H. Krawczyk
[MAIL PEM] - RFCs 1421 through 1424: [MAIL PEM] - RFCs 1421 through 1424:
- RFC 1421, Privacy Enhancement for Internet Electronic Mail: - RFC 1421, Privacy Enhancement for Internet Electronic Mail:
Part I: Message Encryption and Authentication Procedures, 02/10/1993, Part I: Message Encryption and Authentication Procedures, 02/10/1993,
J. Linn J. Linn
skipping to change at page 43, line 30 skipping to change at page 43, line 30
Telephone: +1 617-253-0161 Telephone: +1 617-253-0161
E-mail: jis@mit.edu E-mail: jis@mit.edu
Steve Crocker Steve Crocker
EMail: steve@stevecrocker.com EMail: steve@stevecrocker.com
File Name and Expiration File Name and Expiration
This is file draft-eastlake-randomness2-06.txt. This is file draft-eastlake-randomness2-07.txt.
It expires October 2004. It expires December 2004.
 End of changes. 34 change blocks. 
71 lines changed or deleted 102 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/