Ecosyste.ms: Repos
An open API service providing repository metadata for many open source software ecosystems.
GitHub / aaronArinder / programming_notes
repo of programming notes; newer ones in markdown
JSON API: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aaronArinder%2Fprogramming_notes
Stars: 0
Forks: 0
Open Issues: 5
License: None
Language: JavaScript
Repo Size: 99.7 MB
Dependencies: 1,784
Created: about 5 years ago
Updated: 11 days ago
Last pushed: over 1 year ago
Last synced: 11 days ago
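The metadata above (no license, zero stars and forks, last push more than a year before the last sync) is exactly what a supply-chain reviewer would score before pulling code from a repository. The following is an added example, not code from ecosyste.ms or from the programming_notes repository: it builds the API URL shown above and runs a small staleness and provenance check over a repository record. The JSON field names (stargazers_count, forks_count, open_issues_count, license, language, pushed_at, last_synced_at) are an assumption about the repos.ecosyste.ms response shape and should be verified against a live reply; the SAMPLE record is constructed here to mirror the values on this page.

```python
"""Staleness / provenance check over an ecosyste.ms repository record.

Added example, not ecosyste.ms code. The field names used below are an
assumption about the repos.ecosyste.ms JSON layout; confirm them against a
live response before relying on this in a pipeline.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/{}"

# Constructed sample response shaped after the values shown on the page:
# 0 stars, 0 forks, 5 open issues, no license, JavaScript, last push over a
# year before the sync date. Timestamps are invented for the example.
SAMPLE = json.loads("""{
  "full_name": "aaronArinder/programming_notes",
  "description": "repo of programming notes; newer ones in markdown",
  "stargazers_count": 0,
  "forks_count": 0,
  "open_issues_count": 5,
  "license": null,
  "language": "JavaScript",
  "pushed_at": "2024-01-10T00:00:00.000Z",
  "last_synced_at": "2025-06-01T00:00:00.000Z"
}""")


def api_url(full_name):
    # owner/repo is encoded as a single path segment (slash -> %2F), as on the page.
    return API.format(urllib.parse.quote(full_name, safe=""))


def parse_ts(s):
    # ISO-8601 with a trailing Z; normalise the Z so fromisoformat() accepts it
    # on every supported Python version.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess(repo, now=None, stale_after=timedelta(days=365), sync_after=timedelta(days=30)):
    """Return a list of findings for a repository record (empty list = no concerns)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # No license means no redistribution rights; treat as a blocker, not a warning.
    if repo.get("license") is None:
        findings.append("no-license")
    # A repository nobody has pushed to in a year will not receive security fixes.
    pushed = repo.get("pushed_at")
    if pushed is None or now - parse_ts(pushed) > stale_after:
        findings.append("stale")
    # Zero stars and forks: no evidence anyone else has read the code.
    if repo.get("stargazers_count", 0) == 0 and repo.get("forks_count", 0) == 0:
        findings.append("no-community-review")
    # Old sync data can hide a recent takeover or deletion; flag it separately.
    synced = repo.get("last_synced_at")
    if synced is None or now - parse_ts(synced) > sync_after:
        findings.append("metadata-stale")
    return findings


def fetch(full_name, timeout=10):
    """Fetch a live record (network); not used by the offline sample below."""
    with urllib.request.urlopen(api_url(full_name), timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Evaluate the constructed sample as of a fixed date so the result is reproducible.
    print(assess(SAMPLE, now=parse_ts("2025-06-12T00:00:00Z")))
```

The thresholds (365 days for an unmaintained repository, 30 days for stale metadata) are policy choices for this example, not values from ecosyste.ms; adjust them to your own risk appetite, and treat a `stale` plus `no-license` result as a reason to vendor and review the code rather than depend on it.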
Dependencies
The dependency entries parsed for this repository (1,784 per the summary above; the listing here is truncated) are not package names. Each one is a space-stripped line fragment of RFC 4086, "Randomness Requirements for Security" (D. Eastlake 3rd, J. Schiller, S. Crocker, June 2005): table-of-contents lines, body sentences, references and IETF boilerplate, sorted alphabetically by the parser. No manifest-derived dependency list is recoverable from them.
- differentkeyswillgainlessaddedsecuritythanwouldbeexpected. *
- differentsecretvaluespossibleandtheprobabilityofeachvalue ,
- differsgreatlyfordifferentcryptographicsystems.WithpureRSA ,
- digits ,sixcharacterswouldsuffice
- discardedis0.5 *
- diskrotationtimingsmustbe *
- distributedrandomnesscanbeproduced .
- distributedthanweretheprobabilitiesofthelongersequences. *
- documentedandimplementedwithhardwareandsoftwareimplementations *
- doesnotvarymuchwiththekeysize ,itrecommends90bits.To
- draftversionofthisgeneratorisdescribedbelow ,omittinganumber
- duetochaoticairturbulence .Theadditionof
- duplicatedapreviousvaluewouldbeassumedtoprovidenoadditional *
- eachmightappearrandomifsampledatrandomintervalsmuchlonger *
- eachoftheparties .
- eachpairisshowninthefollowingtable *
- easiertoaccessthantimings ,buttheymayyieldless
- eccentricityasfollows *
- effectivelengthsof112-bitswithtriple-DES. *
- effectivelyindexedandrecoveredfromthatsmallindexandthe *
- effectonthistechniqueifveryshortseektimes ,whichrepresent
- either01or10.Sincethereareonlytwopossiblevalues ,thereis
- elements.Ifeachvalueinthesequencecanbecalculatedinafixed *
- encryptBwithCandthenAformoreoutputand ,ifnecessary,
- encryptCwithAandthenBforyetmoreoutput.Stillmoreoutput *
- encryptingafull64-bitquantitywillgiveanexpectedrepeatin *
- encryptingwithaone-timepad *
- encryption *
- encryptionalgorithmsgenerallyrequireanadditionalpadding *
- encryptiontechnique *
- enoughentropyinthestartingseedvalue.Theycanusuallyusethe *
- entriesaretheoutputeccentricity *
- entropy *
- entropy ,definedas
- entropy. *
- entropyandintowhichthegeneratedpseudo-randomnessisreturned ,
- entropyforournewhypotheticaldistribution ,asopposedto64bits
- entropyitcanactuallyprovide. *
- equippedwithcodeasdescribedabove ,allanapplicationhastodo
- equivalenttoadditionwithoutcarry ,asshowinthetablebelow.
- especiallyatstart-up ,itmightbepossibleforanadversaryto
- especiallyiftheadversaryhaseverbeenabletoobservethe *
- evennumberofbitsproducingoneoutputbitwithmaximumnon- *
- eventisXOR *
- eventscapturedbytheKernelduringnormalsystemoperation. *
- examineabitstreamasasequenceofnon-overlappingpairs.One *
- example ,ifeachvaluewereaconstantfunctionofthepreviously
- example.Ontheotherhand ,forfixedlengthkeysandthelike,one
- experiments *
- extractedthroughvarioustransforms ,themostpowerfulofwhichare
- extremelydependentonthehardwareimplementation. *
- fact ,today,itisincreasinglycommontousekeyslongerthan96
- factorofeffort.Thus ,ifthisattackcanbemounted,adoublingof
- factthatDiffie-Hellmaniscomputationallyintensive ,itsuseasa
- familyhavehadalittlelessstudyandtendtorequiremoreCPU *
- fashion ,itisnotnecessarytosavethemall.Eachkeycanbe
- fashiononanycomputer.Forthealgorithmstobesecure ,their
- fastenough ,itcantriviallybeusedasthebasisfora
- favorofones ,theparityofastringof308sampleswillbewithin
- feedbackmode *
- feedbacksignificantlyweakensanalgorithm ,comparedtofeedingall
- fewhundredrandombitsgeneratedatstart-uporonceadayisenough *
- foilpatternanalysisattempts.However ,thesecurityofthese
- followingmethodforgeneratingasequenceofkeys *
- forachangeineitherinputbit.But ,despiteitssimplicity,it
- forcryptographicus ,asadversariesmustbeassumedtohavecopies
- forflaws ,isreasonablyefficientinsoftware,andiswidely
- forgeneralinformation. *
- forgeneratingunguessable *
- forpasswordgeneration .ItsuggestsusingtheUSData
- forperformingDES. *
- forrandomnumbergenerationcoveringbothtruerandomnessgenerators *
- forthegeneratorandthemethodforcalculatingsubsequentvalues *
- forthenextiteration.Thisisaparticularexampleofoutput *
- forthispurpose.Itsuggestsmethodsforuseifsuchhardwareis *
- foruseasprivatekeysorthelike.Thishasbeenmodifiedby *
- forwhichblockingtoawaitmorerandombitsisnotacceptable.The *
- foundinBCP78andBCP79. *
- frequency *
- fromclockedcircuitstoavoidundesiredsynchronization ,etc.,and
- fromthepool.Thisisillustratedinthefigurebelow. *
- fromthepoolbutblockswhentheestimatedentropydropstozero. *
- fromthepublickey ,andknowledgeofthepublickeyisofnohelpto
- functionchosenmustgenerateNormorebitsofoutput ,andasource
- functioniscalleda *
- functionmustbeusedthroughoutaninstantiationofthisgenerator. *
- functionofalltheinputbits.Onaverage ,changinganyinputbit
- functionsproduceupto512bits. *
- future *
- futurevaluescanbedetermined.Thiswouldbethecase ,for
- generallydesignedtoacceptvariablelengthinputs.Block *
- generatedbyDESin64-bitOutputFeedbackMode.Asmanybitsasare *
- generatedbythesetechniquesisequivalenttobreakingthe *
- generatedfromastrongrandomseed *
- generatedinthismannerisprovablyashardasfactoringn.Aslong *
- generateidenticalsequences.Thesecould ,forexample,beXOR
- generateunpredictablequantitiesdifficultifthecodeistobe *
- generatinggeneral-purposepseudo-randomnumbers *
- generationorprovideaccesstoexistinghardwarethatcanbeused *
- generationprocess ,itshouldbetolerableinmosthigh
- generationprocessinthepast.Ahardware-basedrandomsourceis *
- generationtechniqueandstartwiththesameseedmaterial ,theywill
- generationtechniquesofthe *
- generator ,thesequencemaybedeterminablefromobservationofa
- generator. *
- generatorsincludedinmanyoperatingsystemlibraries. *
- generatorthatisseededwithan8-bitseed ,thenanadversaryneeds
- generatorwitheverypossibleseed *
- gisthesequenceofgenerated64-bitkeyquantities *
- givenbelow ,andstrongercryptographictechniquesaredescribedin
- grantedtotheworld.Theremay ,ofcourse,beessentialpatentsof
- gshouldbeusedincalculatingthenexts. *
- guessablebasedonapproximatedateofmanufactureorotherdata. *
- halfoftheuses ,albeitarandomhalf.Thus,forcryptographic
- hardware ,environmental,oruserinputsourcesdiscussedabove.It
- hardware ,anditcouldeasilybeincludedasastandardpartofa
- hasbeendefined ,specifiedbytheparameterr.Herer=1is
- hasbeenshownthatinsomecasesthismakesitimpossibletobreaka *
- hasgatheredsufficiententropy ,itcanbeusedastheseedto
- hash_lengthistheoutputsizeoftheunderlyinghashfunctionin *
- hasheduserenvironmentblock.ThisdataisallfedtoSHA-1 ,and
- hashingfunctionssuchastheUSGovernmentSecureHashStandards *
- hashingitwithSHA-1andtakingthebottom5bitsoftheresult *
- hasthesameprobabilityofbeinga0or1asanyotherbitinthe *
- havearelativelysmallnumberofseedvaluestotest ,astheywould
- havehardware ,suchasdiskdrivesoraudioinput,thatcouldbeused
- haveonlyaoneinamillionchanceofapasswordbeingguessedunder *
- headerortrailerfields *
- high-gradeattackonsmall ,single
- high-securitytask. *
- higher-qualitykeyingmaterial.Intheabsenceofhardwaresources *
- highestsecuritysystemisunlikelytorequirestrongkeyingmaterial *
- highlycorrelated ,sosignificantprocessingisneeded,asdescribed
- human-usablepasswords ,theonlyimportantcharacteristicisthat
- hundredsofrandombits ,butconservativeassumptionsneedtobe
- i0 *
- identicalindependentdistributions.Ifalternatebitsarefromtwo *
- ifabasicalgorithmisnotsubjecttoameet-in-the-middleattack ,
- ifaselectioncanbemadefromdatatowhichtheadversaryhasno *
- ifenoughrandombitsareinthepoolorareaddedinareasonable *
- ifsuchtechniquesareused.Eveniftherandombitsaregenerated *
- impliesaneedforaminimumof63bitsofrandomnessinkeys ,tobe
- importantdifferencethatthefeedbackisdeterminedbyacomplex *
- importantistheworkfactorforanadversary.Forexample ,assume
- improved ,exceptinthecaseinwhichatleastoneinputisatotally
- improvements.Distributionofthismemoisunlimited. *
- inJanuary1996 andto
- inSection5.2below.Nevertheless ,experimentationadecadeago
- inbyasystemadministrator. *
- incorporatemodulesknownasS-Boxes *
- incorporatesCSC-STD-002-85asoneofitsappendices. *
- increasetherateofentropybyXOR *
- indeterminatenumberofinputbitsforanyparticulardesirednumber *
- infeasibleforathirdpartytodeterminethissecretevenifthey *
- information-theoreticsense .Thisdependsonthenumberof
- informationequation ,thisisonlypossibleif,onaverage,the
- informationwithsufficientaccuracytobeuseful. *
- infrequentpurposes ,suchasgeneratingsessionkeys.
- initiallyignoredbytheadversary ,whowillsearchthroughthemore
- initialsandn. *
- inparallel.However ,weneedtoassumesomevalueandcanhopethat
- input *
- input. *
- input_entropyistheinputbitstringthatprovidesentropytothe *
- inputandinternalworkingsmustbeprotectedfromadversarial *
- inputfromasourceofentropy. *
- inputs. *
- inputs.Thus ,fourinputsof32bitseach,inwhichthereare12
- inputsare.Ifweassumean *
- inputsrecommendedbytheUSDoDforpasswordgenerationandcould *
- inputstothemixingprocessthatwerewell-enoughcorrelatedto *
- inputsusingtheExclusiveOr *
- insomecasesforcryptographicanalysiswherewhatisreally *
- integers ,orthelike,andthentomaskthevaluesobtainedsoasto
- intensivecomparedtothetraditionaltechniquesgiveninSection *
- intervalsuptothatpoint.Asimilarassumptionwouldbethatakey *
- inventors .Itisalsoverysimpleandisbasedonquadratic
- investigationofDESovertheyearshasindicatedthatNSA *
- involvementinmodificationstoitsdesign ,whichoriginatedwith
- ipr *
- isalsocommontosavethestateofthepoolonsystemshutdownand *
- isanessentialbutdifficulttask. *
- iscombinedwithanyrandomnessprovidedinthecallandwithvarious *
- iscomplexandnon-linear ,noparticularoutputbitisguaranteedto
- isenoughsmallerthanthemessagethatthecorrectkeycanbe *
- isintherangeof75to90bitsand ,sincethecostofcryptography
- isjustlog *
- islessthanone ,thelogwillbenegative,soeachterminthesum
- ismeasuredbystatisticaltestsonsuchsequences.Carefully-chosen *
- isneededtoboundperformanceisaconservativeestimateofhow *
- isopeneither *
- isprobablybesttoassumenomorethanacoupleofhundredcycles *
- issimplyanothercasewhereastrongmixingfunctionisdesired ,to
- issimplytheresultofsuccessivelyXORingthem.Thisisexamined *
- issmallinthatpastoutputmaybecomputablefromcurrentoutput ,
- isstirredbackintothepoolandanewhashisperformedtoobtain *
- istheoutputofanoisydiode. *
- istrue ,itdoesnotprovideawayto
- iteration ,theharderitwillbeforanadversarytopredictthe
- iterations *
- keys ,asinthepreviousparagraph,butthatitgenerateszerohalf
- keyscomeinpairs.Onekeyofthepairisprivateandmustbekept *
- keystrokes ,andsimilaruserevents.Thisisareasonablesourceof
- keystroketimingmayhavesufficientvariationandunpredictability ,
- kisarandomkeyreservedforgeneratingthiskeysequence. *
- knowlikelyvaluesofthesystemclock.Largenumbersofpseudo- *
- knowsthemodulusbeingusedneedonlysearchthroughthespaceof *
- languagethatcontainsnomorethan2or3bitsofinformationper *
- lengthofV ,set
- lengths ,canalsobeused,butonlywithgreatcare.Inparticular,
- lengthsofKandVwillbeintegralnumbersofbytes. *
- letters *
- library ,apointertoabufferbywhichthecallercanprovide
- likelytrueentropytheinputcontains.Thepoolitselfcontainsa *
- limiteddatasuchasthecomputersystemclockvalueastheseed. *
- limitednumberofresultsstemmingfromalimitednumberofseed *
- limittheamountofgeneratorstateavailabletotheadversary. *
- linearity *
- linkingvariableafterthosestepsarethenconcatenatedtoproduce *
- littleoveracoupleofdozenbitsofunguessability. *
- log *
- longwaytogountilitbecomespervasive.SystemssuchasSSH ,
- lookoutforpatternsthatcouldbeexploitedbyanadversary.Ifthe *
- looselyontherandomnumbergeneratorinPGP2.XandPGP3.0 *
- low-leveldiskseek-timeinstrumentationproducesaseriesof *
- low-orderbits ,thenpredictinganyadditionalbitsfromasequence
- low-qualityinputfromonesource ,toproduceasmallerquantityof
- lowprobabilityofguessingordetermining.Thiscaneasilyfailif *
- made.Forexample ,onereasonablyconservativeassumptionwouldbe
- madeanyindependentefforttoidentifyanysuchrights.Information *
- making ,andgames.Noneofthesehavethesamecharacteristicsas
- materialfromhispaper *
- maximumskewandthatitistrivialtoimplementinhardware. *
- maybeadequateforsessionkeysorforotherkeygenerationtasks *
- measurementsthatcontainthisrandomness.Suchdataisusually *
- measures ,includingstatisticalandspectral.Thesetestscheck
- measurethetimingorvalueofanexternalsensor ,themorerapidly
- meetingallthetestssuggestedbyKnuth ,thatsequenceisunsuitable
- megabytesofinformationperday .Assumethata
- messagedigestfunction. *
- messagestobeprocessed.Seegeneralreferences *
- methodofproducingasequenceofpseudo-random160bitquantities *
- middleattack *
- mightormightnotbeavailable *
- minimumassumptiontoday.Lookingforwardafewyears ,thereshould
- minutesfrommidnightontwoclocksaccuratetoafewseconds ,then
- mixingfunctionisnotrecommended. *
- mixingfunctionstoextractmoreoftherandomnessinastreamof *
- mixtheinputbitsandproduceasmallernumberofoutputbits.The *
- mixthemwithastrongmixingfunction.Suchafunctionwill *
- modulararithmetic ,wherethevaluenumberedN
- morerandomnessthanthesizeofthesharedsecretgenerated. *
- morethanone.If ,forexample,arandombitismixedwitha0and
- moretypicalrateofrandombitproductionwouldbeinexcessof *
- muchthisdataissubjecttoadversarialmanipulationandtohowmuch *
- mustnotbetrustedasasourceofentropy. *
- neededcanbetakenfromthese64bitsandexpandedintoa *
- neededforsecurity.Thefirstisformoderatesecuritypasswords ,
- neededisthecommonperceptionamongcomputervendorsthatthis *
- needforrandomness.ThepublickeyDigitalSignatureAlgorithm *
- needtobehigh ,andexistingcomputerhardware,suchasaudioinput
- networkofworkstations ,10
- nn *
- noaccesstothequantitiesbeingmeasured.Forexample ,these
- non-linearfunctionofallbitsratherthanbyasimplelinearor *
- non-linearfunctionofallinputbits.Otherencryptionfunctions *
- non-uniformitis.Simpletechniquestode-skewabitstreamare *
- normallywantsquantitiesthatappeartobetrulyrandom ,thatis,
- notCryptographicallySecure *
- notavailable ,anditgivessomeestimatesofthenumberofrandom
- notcorrelated.Iftheinputswere ,say,theparityofthenumberof
- numbergenerationcallwiththeCryptAPIcryptographicservice *
- numbergenerationtechniquesforgeneratingsuchquantities.It *
- numberofbytes. *
- numberofcryptographically-strongrandomquantities.Such *
- numbers ,whentherehasbeennotheorybehindoranalysisofthe
- numbers *
- numbersintheabsenceofastrong ,reliablehardwareentropysource
- observation. *
- oddnumberofgatescanbeconnectedinseriestoproduceafree- *
- ofASCIIcharacters ,sothetopbitofeverybyteiszero,for
- ofaconcealedorspecialweaknessbeingfoundinDES.Itislikely *
- ofallcommonlypublished *
- ofastringof308bits ,eachofwhichisbiased99
- ofatleastNbitsofinputentropywillberequired.Thesamehash *
- ofclassicalShannonentropy. *
- ofentropyiscorrespondinglydecremented. *
- ofinformationarepresentandanadversarywouldhavetotry ,onthe
- ofkeyvaluestobetestedwithmuchlesseffortperkey.Thus ,it
- ofmuchover200bits.Ifaseriesofkeysisneeded ,theycanbe
- ofoptionalfeatures .
- ofoutputbits.Theprobabilityofanyparticularpairbeing *
- ofpasswordsbythesamefactor ,whichaddsabout10bits.Thus,to
- ofrandomness ,avarietyofuserandsoftwaresourcescanfrequently,
- ofsection7oftheNISTSHA-1specificationarerunoverthesecond *
- ofthealgorithminusecouldbesatisfiedwithlessthanhalfofthe *
- oftheencryptionalgorithmallowsit. *
- oftheirown.Theyshouldbeconsideredonlyroughtechniques *
- oftheoutputvaluefromencryptionintothevaluetobeencrypted *
- ofthepseudo-randomvaluestobegeneratedistobeNbits ,theSHA
- ofthespacebeingexplored.Eventhere ,subtlepatternsmaycause
- ofthetimeandarandomselectionfromtheremaining2 *
- onecangenerateahugeamountofmedium-qualityrandomdatawiththe *
- onecangeneratebits. *
- oneendwithdatabeingsenttoencryptit ,andXOR
- onlyalimitedrangeofpossiblevalues ,orvaluesmaybeeasily
- onlyhalfthekeys. *
- onlyonebitofthepseudo-randomvaluesarereleased ,theseedcan
- onsomeofthetargetsystems.However ,itmaystillfailagainsta
- ontheprocedureswithrespecttorightsinRFCdocumentscanbe *
- operateinparallelonanumberofbitsandapoorencryption *
- operatingsystemisgenerallytousetheCryptGenRandompseudo-random *
- operatorbymeasuringinter-keystrokearrivaltimes. *
- orabout2 *
- oraradioactivedecaysourceandafast ,free
- ordiskdrives ,canbeused.
- orfromacamerawiththelenscaponisessentiallythermalnoise. *
- ormixedasnecessary ,asdescribedinSections4and5.
- ormoreofexcellentrandomdata. *
- orotherrelevantpatentsissuedortobeissued. *
- orstrongermixingfunctioncouldbesubstituted .Thethirdis
- ortemperaturesensinginappropriatelyequippedcomputers ,canbe
- oscillator *
- othernations *
- otherpossibilities.Theseincludesystemclocks ,systemor
- othersourcesofrandomness. *
- output. *
- outputaregenerated. *
- outputinput1input2 *
- outputinwhicheachoutputbitisadifferentcomplexnon-linear *
- ownadapters ,whichsignificantlylimitstherangeofbuilt
- pairswereusedinsteadofnon-overlappingpairs ,thestatistical
- parityfunctionofNbitsamples.Therespectiveprobabilitiesthat *
- partialinformationavailable.Thelessinformationrevealedineach *
- particularaccountbelessthanoneinathousand.Furtherassume *
- password. *
- password.Thenthecrucialquestionishowoftenanadversarycan *
- password.Thismaymakeitadvisabletousepronounceablecharacter *
- passwordbeveryhardtoguess. *
- passwordgeneration ,asithas8inputsthatprobablyaverageover5
- passwordsandmakeithardertotrymorepasswords. *
- passwordthatcanbeguesseddoesnotprovidesecurity.Forre- *
- patentsforwhichanirrevocableroyaltyfreelicensehasbeen *
- perform *
- perhapsunlimited ,chancesatguessingthecorrectvalue.Sometimes
- periodicallyintheiroutputorotherwiseintroducesubtlepatterns *
- perkey. *
- personrepeatedlytossingacoin ,andalmostanyhardwarebased
- personwilllikelyhaveahard-to-predictpatternofdisk *
- pertaintotheimplementationoruseofthetechnologydescribedin *
- pitfallsinusingpoorentropysourcesortraditionalpseudo-random *
- placeforthegenerationofkeysorothercryptographicallyrandom *
- plaintextwithallpossiblefirsthalf-keys ,sorttheoutput,and
- plausiblebeforetheattackisnoticedandstepsaretakentochange *
- polynomial *
- polynomialcombinationofoutputfromafewbitpositiontaps. *
- portedacrossavarietyofcomputerplatformsandsystems. *
- possibilities *
- possibilities. *
- predictable.Ontheotherhand ,takingsuccessiverollsofasix
- prefacetotheiroutputstreamandmayinsertasimilarsequence *
- prefixesand *
- preservetheentropypresentinanyofthesources ,evenifother
- primitivepolynomialofdegree128.Thepoolitselfistreatedasa *
- printedintheCRCStandardMathematicalTables .Despite
- privately ,anadversarywhocanobserveeitherofthepublickeysand
- probabilitiesofthedifferentshortersequencesaremoreuniformly *
- probabilitiestobewithinsomedeltadof0.5 ,e.g.,then
- probabilityofa0is0.5-E ,whereEistheeccentricityofthe
- probabilityofaone ,andq=0.5
- probablevaluesfirst. *
- probablybeachievedbyusingtheUSDoD-recommendedinputsfor *
- problemisthatnostandardmethodexistsforsamplingtiming *
- problems.However ,suchsequencesareclearlybadforusein
- processestogeneratesecretquantitiescanresultinpseudo- *
- processislikelytobemuchfaster. *
- produceXoutputbitsisX *
- produceasmallernumberofoutputsfromalargernumberofinputs *
- produceidenticalvaluesevenifenoughtimehaspassedthatthe *
- produces128bitsofoutput ,SHA
- produces128bitsofoutput ,eachofwhichisdependentonacomplex
- producesa160-bitvalueandtakestwoarguments ,a160
- producetherequiredamountofcryptographicallystrongpseudo- *
- producingrandomquantitiesthatwillberesistanttoattack.It *
- programwasdoing.Unfortunately ,actualuseofthisalgorithm
- pronounceableword ,phrase,orotherformatifahumanbeingneedsto
- properties *
- providedthatanattackercanreverseSHA-1.GiventhatSHA-1is *
- providedtothem.Theythengenerateastrongsequence *
- provider.Thistakesahandletoacryptographicserviceprovider *
- providereasonablyhighqualityrandombits.Thismethodis *
- providesausefulillustration. *
- providesignificantlyfewerrealbitsofunpredictabilitythanmight *
- pseudo-randomdataisusedthatmeetsonlytraditionalstatistical *
- pseudo-randomnumbergenerationalgorithmwillproducestrongrandom *
- pseudo-randomnumbergeneratorsbasedonhashfunctions ,oneofwhich
- publicDiffie-Hellmantoproduceaquantitywhoseguessability *
- publickeylengthsthatshouldbeusedforexchangingsymmetrickeys. *
- publiclyavailableCD *
- purposeistotaketheparityofthestring.Thishastheadvantages *
- purposes ,itisalsousefultolookatothermeasures,suchasmin
- putin *
- quantities ,A,B,andC.OnemayuseAEStoencryptAwithBand
- quantities.Some ,insection7.1,includeanentropysource.
- quantitiesareusuallyheavilystructured ,andsubfieldsmayhave
- quantitiesbeingcombinedhappentobefixedoreasilyguessable *
- quantitiesgatheredfortheentropytoproducetherandomnumbers *
- quantitiesneedtobeforsomeapplications. *
- quantitieswhosebitswillpassstatisticalrandomnesstests. *
- quantity.Iftheprobabilityofdifferentvaluesisunequal ,then
- quantityandusesimplenumericorlogicaloperationstoproducea *
- quantitysuchastheASCIIbytesfor8characterstyped *
- radioactivedecay.However ,ifnoneoftheseisavailable,thereare
- random *
- randombitscouldbegenerated ,butthesearchspacethatan
- randombitsrequested.Usetherequestednumberofleadingbitsfrom *
- randomkeyandseedvaluetoencryptsuccessiveintegers ,asin
- randomness ,butonlywhentheintervalisuniqueinthesequenceof
- randomness ,asdescribedinSections6and7,afterbeingde
- randomness.However ,onasmallsingle
- randomness.Theresultsofmixingthesetimingswithtyped *
- randomnumber ,x,thatisrelativelyprimeton.Theinitialseed
- randomnumbersforsecurity ,evenifsomeoftheinputsareveryweak
- randompoolof512bytesrepresentedas128wordsof4byteseach. *
- randomquantitiesarerequiredonlywhenanewkeypairisgenerated *
- randomquantitiesfrommultiplesources ,oralargerquantityofsuch
- randomquantitywasselectedbyfetching32bytesofdatafroma *
- randomstartingpointinthisdata.Thisdoesnotyield32 *
- rangeofhardware ,thisisaveryrealproblem.
- rangeofseeds ,butblindly
- readtheremainderofthissectionandSection7 ,whichdescribesand
- reasonablebutthatleadtoinsecurepseudo-randomnumbergeneration. *
- reasonabletoassumethat10 *
- recommendagainstitsuse. *
- recommendedandcanovercomeweaknessinanyparticularinput.The *
- recommendedthatanoddnumberofringsbeusedsothat ,evenifthe
- recommendsthatfuturesystemsincludehardwarerandomnumber *
- recommendstheuseoftrulyrandomhardwaretechniquesandshowsthat *
- referencessomestandardpseudorandomnumbergenerationalgorithms. *
- referencestothe book.
- referenceupdates. *
- registerpseudo-randomnumbergenerators ,whicharewellunderstood
- registertechniquedescribedinSection6.1.3 ,butwiththeall
- relatedtotheamountofkey *
- relativelysimple.Inparticular ,thevolumeandqualitywouldnot
- rememberthepassword. *
- requiredthantheoutputofSHA-1 *
- requirementintermsof ,say,numberofrandombitspersecond
- requireuser-typingtiming ,hardwarerandomnumbergeneration,or
- residentrandomnumbergenerator.Someofthesegeneratorsuse *
- residues.Itsonlydisadvantageisthatitiscomputationally *
- resolution.Thismeansthatsuccessivereadsoftheclockmay *
- restsonlyonthestartingpointoftheselection.Thatisperhapsa *
- resultingsmallsetofpossibilitiesthantolocatethequantitiesin *
- retainalltheirrights. *
- reversible ,thesameamountofinformationmustbepresentinthe
- rightsthatmaycovertechnologythatmayberequiredtoimplement *
- ringbuffer ,withnewdatabeingXOR
- ringoscillatorandastable *
- ringoscillatorswithrelativelyprimelengths.Itissometimes *
- ringssomehowbecomesynchronouslylockedtoeachother ,therewill
- riskofcontinuingtotakedataevenwhenthepool *
- runningringoscillator.Bysamplingapointintheringatafixed *
- sameastheunpredictabilityrequiredforsecurityuse. *
- samecanbedonewiththehashfunctions ,hashingvarioussubsetsof
- samelowerbitsandonlycountintheupperbitsatmuchlower *
- sameorfeweroutputbitsthanitsinputs ,mixingbitscannot
- sampledforvariousdegreesofskewinordertocomewithin0.001of *
- sampling ,numericalanalysis,testingcomputerprograms,decision
- secret .So,conservatively,itwouldbebesttoconsider
- secretbyoneparty *
- sectionsallassumethataseedvaluewithsufficiententropyis *
- security.Asophisticatedattackermayfinditeasiertoreproduce *
- securityapplications.Theyarefullypredictableiftheinitial *
- securityservicesofamajornation.Essentiallyallnationsspyon *
- seedafterthefact.Inallcases ,themoreaccuratelyonecan
- seeks ,increasestherateofrandombitgenerationpossiblewiththis
- selectedinanparticularuse.Generallyspeaking ,ifthestrength
- sentbytheadversaryoveranencryptedchannelbecausethetextis *
- sequence.Thusitisbesttouseonlyonebitfromeachvalue.It *
- sequencenumbers .
- sequenceofvalues.Notethatnoneofthetechniquesdiscussedin *
- sequenceordistributionofitsvalues.Butthesetestscouldbemet *
- services ,includingconfidentialityandauthentication.Such
- servicesarebasedonquantities ,traditionallycalled
- sharedsecretbetweentwoparties.Itcanbecomputationally *
- sharedsecretcombinestheirentropybut ,ofcourse,cannotproduce
- shift *
- shiftregistertapintheabovesimpleprocesscanproduceexcellent *
- shorteroutputaswaspresentinthelongerinput.BytheShannon *
- shorterstreamwhichismorerandom ,asdiscussedinSection4.This
- shortfixed-lengthoutputmixingalltheinputbits.TheMD *
- shortportionofthesequence .Forexample,with
- showedthat ,withsuchprocessing,evenslowdiskdrivesonthe
- showedthatitalmostimmediatelyconvergedtoasinglerepeated *
- shownthatthistechniquewilldiscardstrongcorrelations.If *
- sideddieandencodingtheresultingvaluesinASCIIwouldproduce *
- similarlystrengthenedthesealgorithms ,possiblyagainstthreatsnot
- similarsecurityapplications. *
- simplestatisticalanalysiscanmisleadifoneisnotalwaysonthe *
- sistheinitial64bitseed. *
- sixseconds.That *
- skewedbitsisexaminedinSection5.2.Seealso .
- skewedconstant.Thisisillustratedinthefollowingtable ,where
- skewingaskewedbitstream.Thisfollowsdirectlyfromthe *
- slowercomputersofthatdaycouldeasilyproduce100bitsaminute *
- smalladditionalhardwareandthesoftwaretoaccessitisnecessary *
- softwareintendedfordistributiontoalargerangeofmachines. *
- sointeresting. *
- solutionisnotavailable ,anditgivesexamplesofhowlargesuch
- source ,ashardwarecanalsofail.However,thisshouldbeweighed
- sourceasdescribedintheprevioussection.Thentheprobabilityof *
- sourcescanproduceverylimitedorpredictablevaluesundersome *
- sourcesuchasringoscillators ,diskdrivetiming,thermalnoise,or
- sourceswhosecostisatrivialamountofhardwarebymodern *
- specificationcanbeobtainedfromtheIETFon-lineIPRrepositoryat *
- specifications *
- spectrallinesthatapproachstatisticalindependenceandnormally *
- spoofing.However ,thereisapotentialflaw.Attheheartofall
- standards. *
- startingin1962 ,inthelate1970stheratefellto
- startupandshutdownscriptssavethepooltoadiskfileatshutdown *
- stateisknown.Dependingontheformofthepseudo-randomnumber *
- statevariablewitheveryuser.WhenCryptGenRandomiscalled ,this
- statisticallypooroutputwithasubstantialunpredictablecomponent. *
- statistics. *
- stillbesampledbittransitions.Anotherpossiblesourcetosample *
- stillcontainusefulamountsofentropy.Thisentropycanbe *
- stillonlytheonebitoforiginalrandomness. *
- stillpreferable. *
- stoppingassoonastempisequaltoorlongerthanthenumberof *
- streamandthatbitsareuncorrelated ,i.e.,thatthebitscomefrom
- strengthentherandomnessoftheoutput. *
- strengthiscalledtheBlumBlumShubgenerator ,namedafterits
- stringsorphrasescomposedofordinarywords.Butthisaffectsonly *
- strong-sequencegeneratorbutassumetheinputofarandomseedor *
- strongseed.Thiscanthenbeusedtoproducelargequantitiesof *
- subiistheprobabilityofthevaluenumberedi. *
- substantiallytothisdocument *
- successiveintegerssuchas1 ,2,3,...willproduceoutputthat
- successivelyencryptedbythe *
- suchaskeystrokesisbuffered.Eventhoughtheuser *
- suchproprietaryrightsbyimplementersorusersofthis *
- sufficientlylongstringofbitsandmappingthestringto *
- suggestions. *
- supportparticularoutputusesdesired.See forsimilar
- sureofthatorevenofwhatalgorithmakeywillbeusedwith.Even *
- surethattheycannotbefoundinamonth.Eventhenitispossible *
- systemID ,
- systemanduserdatasuchastheprocessID ,threadID,systemclock,
- systemcounters *
- systemdesignerdoesnotalwaysknowthepropertiesofthesystem *
- systemevenwhenthecryptographicsystemisinvertibleandcouldbe *
- systeminterruptregisters ,
- systems ,whereeachuserofthesystemisinessenceasourceof
- systemsisdependentongeneratingsecretquantitiesforpasswords ,
- systemsothatanadversarycanmakeatmostonepasswordtryevery *