# Randomness Requirements for Security

Pages: 48
Best Current Practice: 106
Errata
Obsoletes:  1750
Part 2 of 2 – Pages 21 to 48

```6.  Pseudo-random Number Generators

When a seed has sufficient entropy, from input as described in
Section 3 and possibly de-skewed and mixed as described in Sections 4
and 5, one can algorithmically extend that seed to produce a large
number of cryptographically-strong random quantities.  Such
algorithms are platform independent and can operate in the same
fashion on any computer.  For the algorithms to be secure, their
input and internal workings must be protected from adversarial
observation.

The design of such pseudo-random number generation algorithms, like
the design of symmetric encryption algorithms, is not a task for
amateurs.  Section 6.1 below lists a number of bad ideas that failed
algorithms have used.  To learn what works, skip Section 6.1 and just
read the remainder of this section and Section 7, which describes and
references some standard pseudo random number generation algorithms.
See Section 7 and Part 3 of [X9.82].

6.1.  Some Bad Ideas

The subsections below describe a number of ideas that might seem
reasonable but that lead to insecure pseudo-random number generation.

6.1.1.  The Fallacy of Complex Manipulation

One approach that may give a misleading appearance of
unpredictability is to take a very complex algorithm (or an excellent
traditional pseudo-random number generator with good statistical
properties) and to calculate a cryptographic key by starting with
limited data such as the computer system clock value as the seed.
Adversaries who knew roughly when the generator was started would
have a relatively small number of seed values to test, as they would
know likely values of the system clock.  Large numbers of pseudo-
```
```   random bits could be generated, but the search space that an
adversary would need to check could be quite small.

Thus, very strong or complex manipulation of data will not help if
the adversary can learn what the manipulation is and if there is not
enough entropy in the starting seed value.  They can usually use the
limited number of results stemming from a limited number of seed
values to defeat security.

Another serious strategic error is to assume that a very complex
pseudo-random number generation algorithm will produce strong random
numbers, when there has been no theory behind or analysis of the
algorithm.  There is a excellent example of this fallacy near the
beginning of Chapter 3 in [KNUTH], where the author describes a
complex algorithm.  It was intended that the machine language program
corresponding to the algorithm would be so complicated that a person
trying to read the code without comments wouldn't know what the
program was doing.  Unfortunately, actual use of this algorithm
showed that it almost immediately converged to a single repeated
value in one case and a small cycle of values in another case.

Not only does complex manipulation not help you if you have a limited
range of seeds, but blindly-chosen complex manipulation can destroy
the entropy in a good seed!

6.1.2.  The Fallacy of Selection from a Large Database

Another approach that can give a misleading appearance of
unpredictability is to randomly select a quantity from a database and
to assume that its strength is related to the total number of bits in
the database.  For example, typical USENET servers process many
megabytes of information per day [USENET_1, USENET_2].  Assume that a
random quantity was selected by fetching 32 bytes of data from a
random starting point in this data.  This does not yield 32*8 = 256
bits worth of unguessability.  Even if much of the data is human
language that contains no more than 2 or 3 bits of information per
byte, it doesn't yield 32*2 = 64 bits of unguessability.  For an
adversary with access to the same Usenet database, the unguessability
rests only on the starting point of the selection.  That is perhaps a
little over a couple of dozen bits of unguessability.

The same argument applies to selecting sequences from the data on a
publicly available CD/DVD recording or any other large public
database.  If the adversary has access to the same database, this
"selection from a large volume of data" step buys little.  However,
if a selection can be made from data to which the adversary has no
access, such as system buffers on an active multi-user system, it may
be of help.
```
```6.1.3.  Traditional Pseudo-random Sequences

This section talks about traditional sources of deterministic or
"pseudo-random" numbers.  These typically start with a "seed"
quantity and use simple numeric or logical operations to produce a
sequence of values.  Note that none of the techniques discussed in
this section is suitable for cryptographic use.  They are presented
for general information.

[KNUTH] has a classic exposition on pseudo-random numbers.
Applications he mentions are simulations of natural phenomena,
sampling, numerical analysis, testing computer programs, decision
making, and games.  None of these have the same characteristics as
the sorts of security uses we are talking about.  Only in the last
two could there be an adversary trying to find the random quantity.
However, in these cases, the adversary normally has only a single
chance to use a guessed value.  In guessing passwords or attempting
to break an encryption scheme, the adversary normally has many,
perhaps unlimited, chances at guessing the correct value.  Sometimes
the adversary can store the message to be broken and repeatedly
attack it.  Adversaries are also be assumed to be aided by a
computer.

For testing the "randomness" of numbers, Knuth suggests a variety of
measures, including statistical and spectral.  These tests check
things like autocorrelation between different parts of a "random"
sequence or distribution of its values.  But these tests could be met
by a constant stored random sequence, such as the "random" sequence
printed in the CRC Standard Mathematical Tables [CRC].  Despite
meeting all the tests suggested by Knuth, that sequence is unsuitable
for cryptographic us, as adversaries must be assumed to have copies
of all commonly published "random" sequences and to be able to spot
the source and predict future values.

A typical pseudo-random number generation technique is the linear
congruence pseudo-random number generator.  This technique uses
modular arithmetic, where the value numbered N+1 is calculated from
the value numbered N by

V    = ( V  * a + b )(Mod c)
N+1      N

The above technique has a strong relationship to linear shift
register pseudo-random number generators, which are well understood
cryptographically [SHIFT*].  In such generators, bits are introduced
at one end of a shift register as the Exclusive Or (binary sum
without carry) of bits from selected fixed taps into the register.
For example, consider the following:
```
```      +----+     +----+     +----+                      +----+
| B  | <-- | B  | <-- | B  | <--  . . . . . . <-- | B  | <-+
|  0 |     |  1 |     |  2 |                      |  n |   |
+----+     +----+     +----+                      +----+   |
|                     |            |                     |
|                     |            V                  +-----+
|                     V            +----------------> |     |
V                     +-----------------------------> | XOR |
+---------------------------------------------------> |     |
+-----+

V    = ( ( V  * 2 ) + B  XOR  B ... )(Mod 2^n)
N+1         N         0       2

The quality of traditional pseudo-random number generator algorithms
is measured by statistical tests on such sequences.  Carefully-chosen
values a, b, c, and initial V or carefully-chosen placement of the
shift register tap in the above simple process can produce excellent
statistics.

These sequences may be adequate in simulations (Monte Carlo
experiments) as long as the sequence is orthogonal to the structure
of the space being explored.  Even there, subtle patterns may cause
problems.  However, such sequences are clearly bad for use in
security applications.  They are fully predictable if the initial
state is known.  Depending on the form of the pseudo-random number
generator, the sequence may be determinable from observation of a
short portion of the sequence [SCHNEIER, STERN].  For example, with
the generators above, one can determine V(n+1) given knowledge of
V(n).  In fact, it has been shown that with these techniques, even if
only one bit of the pseudo-random values are released, the seed can
be determined from short sequences.

Not only have linear congruent generators been broken, but techniques
are now known for breaking all polynomial congruent generators
[KRAWCZYK].

6.2.  Cryptographically Strong Sequences

In cases where a series of random quantities must be generated, an
adversary may learn some values in the sequence.  In general,
adversaries should not be able to predict other values from the ones
that they know.

The correct technique is to start with a strong random seed, to take
cryptographically strong steps from that seed [FERGUSON, SCHNEIER],
and not to reveal the complete state of the generator in the sequence
elements.  If each value in the sequence can be calculated in a fixed
```
```   way from the previous value, then when any value is compromised, all
future values can be determined.  This would be the case, for
example, if each value were a constant function of the previously
used values, even if the function were a very strong, non-invertible
message digest function.

(Note that if a technique for generating a sequence of key values is
fast enough, it can trivially be used as the basis for a
confidentiality system.  If two parties use the same sequence
generation technique and start with the same seed material, they will
generate identical sequences.  These could, for example, be XOR'ed at
one end with data being sent to encrypt it, and XOR'ed with this data
as received to decrypt it, due to the reversible properties of the
XOR operation.  This is commonly referred to as a simple stream
cipher.)

6.2.1.  OFB and CTR Sequences

One way to produce a strong sequence is to take a seed value and hash
the quantities produced by concatenating the seed with successive
integers, or the like, and then to mask the values obtained so as to
limit the amount of generator state available to the adversary.

It may also be possible to use an "encryption" algorithm with a
random key and seed value to encrypt successive integers, as in
counter (CTR) mode encryption.  Alternatively, one can feedback all
of the output value from encryption into the value to be encrypted
for the next iteration.  This is a particular example of output
feedback mode (OFB) [MODES].

An example is shown below in which shifting and masking are used to
combine part of the output feedback with part of the old input.  This
type of partial feedback should be avoided for reasons described
below.
```
```            +---------------+
|       V       |
|  |     n      |--+
+--+------------+  |
|            |     +---------+
shift|            +---> |         |      +-----+
+--+                  | Encrypt | <--- | Key |
|           +-------- |         |      +-----+
|           |         +---------+
V           V
+------------+--+
|      V     |  |
|       n+1     |
+---------------+

Note that if a shift of one is used, this is the same as the shift
register technique described in Section 6.1.3, but with the all-
important difference that the feedback is determined by a complex
non-linear function of all bits rather than by a simple linear or
polynomial combination of output from a few bit position taps.

Donald W. Davies showed that this sort of shifted partial output
feedback significantly weakens an algorithm, compared to feeding all
the output bits back as input.  In particular, for DES, repeatedly
encrypting a full 64-bit quantity will give an expected repeat in
about 2^63 iterations.  Feeding back anything less than 64 (and more
than 0) bits will give an expected repeat in between 2^31 and 2^32
iterations!

To predict values of a sequence from others when the sequence was
generated by these techniques is equivalent to breaking the
cryptosystem or to inverting the "non-invertible" hashing with only
partial information available.  The less information revealed in each
iteration, the harder it will be for an adversary to predict the
sequence.  Thus it is best to use only one bit from each value.  It
has been shown that in some cases this makes it impossible to break a
system even when the cryptographic system is invertible and could be
broken if all of each generated value were revealed.

6.2.2.  The Blum Blum Shub Sequence Generator

Currently the generator which has the strongest public proof of
strength is called the Blum Blum Shub generator, named after its
inventors [BBS].  It is also very simple and is based on quadratic
residues.  Its only disadvantage is that it is computationally
intensive compared to the traditional techniques given in Section
6.1.3.  This is not a major drawback if it is used for moderately-
infrequent purposes, such as generating session keys.
```
```   Simply choose two large prime numbers (say, p and q) that each gives
a remainder of 3 when divided by 4.  Let n = p * q.  Then choose a
random number, x, that is relatively prime to n.  The initial seed
for the generator and the method for calculating subsequent values
are then:

2
s    =  ( x  )(Mod n)
0
2
s    = ( s   )(Mod n)
i+1      i

Be careful to use only a few bits from the bottom of each s.  It is
always safe to use only the lowest-order bit.  If one uses no more
than the:

log  ( log  ( s  ) )
2      2    i

low-order bits, then predicting any additional bits from a sequence
generated in this manner is provably as hard as factoring n.  As long
as the initial x is secret, n can be made public if desired.

An interesting characteristic of this generator is that any of the s
values can be directly calculated.  In particular,

( (2^i) (Mod ((p-1)*(q-1)) ) )
s  = ( s                                )(Mod n)
i      0

This means that in applications where many keys are generated in this
fashion, it is not necessary to save them all.  Each key can be
effectively indexed and recovered from that small index and the
initial s and n.

6.3.  Entropy Pool Techniques

Many modern pseudo-random number sources, such as those described in
Sections 7.1.2 and 7.1.3 utilize the technique of maintaining a
"pool" of bits and providing operations for strongly mixing input
with some randomness into the pool and extracting pseudo-random bits
from the pool.  This is illustrated in the figure below.
```
```             +--------+    +------+    +---------+
--->| Mix In |--->| POOL |--->| Extract |--->
|  Bits  |    |      |    |   Bits  |
+--------+    +------+    +---------+
^           V
|           |
+-----------+

Bits to be fed into the pool can come from any of the various
hardware, environmental, or user input sources discussed above.  It
is also common to save the state of the pool on system shutdown and
to restore it on re-starting, when stable storage is available.

Care must be taken that enough entropy has been added to the pool to
support particular output uses desired.  See [RSA_BULL1] for similar
suggestions.

7.  Randomness Generation Examples and Standards

Several public standards and widely deployed examples are now in
place for the generation of keys or other cryptographically random
quantities.  Some, in section 7.1, include an entropy source.
Others, described in section 7.2, provide the pseudo-random number
strong-sequence generator but assume the input of a random seed or
input from a source of entropy.

7.1.  Complete Randomness Generators

Three standards are described below.  The two older standards use
DES, with its 64-bit block and key size limit, but any equally strong
or stronger mixing function could be substituted [DES].  The third is
a more modern and stronger standard based on SHA-1 [SHA*].  Lastly,
the widely deployed modern UNIX and Windows random number generators
are described.

7.1.1.  US DoD Recommendations for Password Generation

The United States Department of Defense has specific recommendations
for password generation [DoD].  It suggests using the US Data
Encryption Standard [DES] in Output Feedback Mode [MODES] as follows:
```
```         Use an initialization vector determined from
the system clock,
system ID,
user ID, and
date and time;
use a key determined from
system interrupt registers,
system status registers, and
system counters; and,
as plain text, use an external randomly generated 64-bit
quantity such as the ASCII bytes for 8 characters typed
in by a system administrator.

The password can then be calculated from the 64 bit "cipher text"
generated by DES in 64-bit Output Feedback Mode.  As many bits as are
needed can be taken from these 64 bits and expanded into a
pronounceable word, phrase, or other format if a human being needs to

7.1.2.  The /dev/random Device

Several versions of the UNIX operating system provide a kernel-
resident random number generator.  Some of these generators use
events captured by the Kernel during normal system operation.

For example, on some versions of Linux, the generator consists of a
random pool of 512 bytes represented as 128 words of 4 bytes each.
When an event occurs, such as a disk drive interrupt, the time of the
event is XOR'ed into the pool, and the pool is stirred via a
primitive polynomial of degree 128.  The pool itself is treated as a
ring buffer, with new data being XOR'ed (after stirring with the
polynomial) across the entire pool.

Each call that adds entropy to the pool estimates the amount of
likely true entropy the input contains.  The pool itself contains a
accumulator that estimates the total over all entropy of the pool.

Input events come from several sources, as listed below.
Unfortunately, for server machines without human operators, the first
and third are not available, and entropy may be added slowly in that
case.

1. Keyboard interrupts.  The time of the interrupt and the scan code
are added to the pool.  This in effect adds entropy from the human
operator by measuring inter-keystroke arrival times.

2. Disk completion and other interrupts.  A system being used by a
person will likely have a hard-to-predict pattern of disk
```
```      accesses.  (But not all disk drivers support capturing this timing
information with sufficient accuracy to be useful.)

3. Mouse motion.  The timing and mouse position are added in.

When random bytes are required, the pool is hashed with SHA-1 [SHA*]
to yield the returned bytes of randomness.  If more bytes are
required than the output of SHA-1 (20 bytes), then the hashed output
is stirred back into the pool and a new hash is performed to obtain
the next 20 bytes.  As bytes are removed from the pool, the estimate
of entropy is correspondingly decremented.

To ensure a reasonably random pool upon system startup, the standard
startup and shutdown scripts save the pool to a disk file at shutdown
and read this file at system startup.

There are two user-exported interfaces. /dev/random returns bytes
from the pool but blocks when the estimated entropy drops to zero.
As entropy is added to the pool from events, more data becomes
available via /dev/random.  Random data obtained from such a
/dev/random device is suitable for key generation for long term keys,
if enough random bits are in the pool or are added in a reasonable
amount of time.

/dev/urandom works like /dev/random; however, it provides data even
when the entropy estimate for the random pool drops to zero.  This
may be adequate for session keys or for other key generation tasks
for which blocking to await more random bits is not acceptable.  The
risk of continuing to take data even when the pool's entropy estimate
is small in that past output may be computable from current output,
provided that an attacker can reverse SHA-1.  Given that SHA-1 is
designed to be non-invertible, this is a reasonable risk.

To obtain random numbers under Linux, Solaris, or other UNIX systems
equipped with code as described above, all an application has to do
is open either /dev/random or /dev/urandom and read the desired
number of bytes.

(The Linux Random device was written by Theodore Ts'o.  It was based
loosely on the random number generator in PGP 2.X and PGP 3.0 (aka
PGP 5.0).)

7.1.3.  Windows CryptGenRandom

Microsoft's recommendation to users of the widely deployed Windows
operating system is generally to use the CryptGenRandom pseudo-random
number generation call with the CryptAPI cryptographic service
provider.  This takes a handle to a cryptographic service provider
```
```   library, a pointer to a buffer by which the caller can provide
entropy and into which the generated pseudo-randomness is returned,
and an indication of how many octets of randomness are desired.

The Windows CryptAPI cryptographic service provider stores a seed
state variable with every user.  When CryptGenRandom is called, this
is combined with any randomness provided in the call and with various
system and user data such as the process ID, thread ID, system clock,
system time, system counter, memory status, free disk clusters, and
hashed user environment block.  This data is all fed to SHA-1, and
the output is used to seed an RC4 key stream.  That key stream is
used to produce the pseudo-random data requested and to update the
user's seed state variable.

Users of Windows ".NET" will probably find it easier to use the
RNGCryptoServiceProvider.GetBytes method interface.

For further information, see [WSC].

7.2.  Generators Assuming a Source of Entropy

The pseudo-random number generators described in the following three
sections all assume that a seed value with sufficient entropy is
provided to them.  They then generate a strong sequence (see Section
6.2) from that seed.

7.2.1.  X9.82 Pseudo-Random Number Generation

The ANSI X9F1 committee is in the final stages of creating a standard
for random number generation covering both true randomness generators
and pseudo-random number generators.  It includes a number of
pseudo-random number generators based on hash functions, one of which
will probably be based on HMAC SHA hash constructs [RFC2104].  The
draft version of this generator is described below, omitting a number
of optional features [X9.82].

In the subsections below, the HMAC hash construct is simply referred
to as HMAC but, of course, a particular standard SHA function must be
selected in an particular use.  Generally speaking, if the strength
of the pseudo-random values to be generated is to be N bits, the SHA
function chosen must generate N or more bits of output, and a source
of at least N bits of input entropy will be required.  The same hash
function must be used throughout an instantiation of this generator.
```
```7.2.1.1.  Notation

In the following sections, the notation give below is used:

hash_length is the output size of the underlying hash function in
use.

input_entropy is the input bit string that provides entropy to the
generator.

K is a bit string of size hash_length that is part of the state of
the generator and is updated at least once each time random
bits are generated.

V is a bit string of size hash_length and is part of the state of
the generator.  It is updated each time hash_length bits of
output are generated.

"|" represents concatenation.

7.2.1.2.  Initializing the Generator

Set V to all zero bytes, except the low-order bit of each byte is set
to one.

Set K to all zero bytes, then set:

K = HMAC ( K, V | 0x00 | input_entropy )

V = HMAC ( K, V )

K = HMAC ( K, V | 0x01 | input_entropy )

V = HMAC ( K, V )

Note: All SHA algorithms produce an integral number of bytes, so the
lengths of K and V will be integral numbers of bytes.

7.2.1.3.  Generating Random Bits

When output is called for, simply set:

V = HMAC ( K, V )

and use the leading bits from V.  If more bits are needed than the
length of V, set "temp" to a null bit string and then repeatedly
perform:
```
```         V = HMAC ( K, V )
temp = temp | V

stopping as soon as temp is equal to or longer than the number of
random bits requested.  Use the requested number of leading bits from
temp.  The definition of the algorithm prohibits requesting more than
2^35 bits.

After extracting and saving the pseudo-random output bits as
described above, before returning you must also perform two more
HMACs as follows:

K = HMAC ( K, V | 0x00 )
V = HMAC ( K, V )

7.2.2.  X9.17 Key Generation

The American National Standards Institute has specified the
following method for generating a sequence of keys [X9.17]:

s  is the initial 64 bit seed.
0

g  is the sequence of generated 64-bit key quantities
n

k is a random key reserved for generating this key sequence.

t is the time at which a key is generated, to as fine a resolution
as is available (up to 64 bits).

DES ( K, Q ) is the DES encryption of quantity Q with key K.

Then:

g    = DES ( k, DES ( k, t ) XOR s  )
n                                n

s    = DES ( k, DES ( k, t ) XOR  g  )
n+1                               n

If g sub n is to be used as a DES key, then every eighth bit should
be adjusted for parity for that use, but the entire 64 bit unmodified
g should be used in calculating the next s.
```
```7.2.3.  DSS Pseudo-random Number Generation

Appendix 3 of the NIST Digital Signature Standard [DSS] provides a
method of producing a sequence of pseudo-random 160 bit quantities
for use as private keys or the like.  This has been modified by
Change Notice 1 [DSS_CN1] to produce the following algorithm for
generating general-purpose pseudo-random numbers:

t = 0x 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0

XKEY  = initial seed
0

For j = 0 to ...

XVAL = ( XKEY  + optional user input ) (Mod 2^512)
j

X  = G( t, XVAL )
j

XKEY   = ( 1 + XKEY  + X  ) (Mod 2^512)
j+1            j    j

The quantities X thus produced are the pseudo-random sequence of
160-bit values.  Two functions can be used for "G" above.  Each
produces a 160-bit value and takes two arguments, a 160-bit value and
a 512 bit value.

The first is based on SHA-1 and works by setting the 5 linking
variables, denoted H with subscripts in the SHA-1 specification, to
the first argument divided into fifths.  Then steps (a) through (e)
of section 7 of the NIST SHA-1 specification are run over the second
argument as if it were a 512-bit data block.  The values of the
linking variable after those steps are then concatenated to produce
the output of G [SHA*].

As an alternative method, NIST also defined an alternate G function
based on multiple applications of the DES encryption function [DSS].

8.  Examples of Randomness Required

Below are two examples showing rough calculations of randomness
needed for security.  The first is for moderate security passwords,
while the second assumes a need for a very high-security
cryptographic key.
```
```   In addition, [ORMAN] and [RSA_BULL13] provide information on the
public key lengths that should be used for exchanging symmetric keys.

Assume that user passwords change once a year and that it is desired
that the probability that an adversary could guess the password for a
particular account be less than one in a thousand.  Further assume
that sending a password to the system is the only way to try a
password.  Then the crucial question is how often an adversary can
try possibilities.  Assume that delays have been introduced into a
system so that an adversary can make at most one password try every
six seconds.  That's 600 per hour, or about 15,000 per day, or about
5,000,000 tries in a year.  Assuming any sort of monitoring, it is
unlikely that someone could actually try continuously for a year.
Even if log files are only checked monthly, 500,000 tries is more
plausible before the attack is noticed and steps are taken to change
passwords and make it harder to try more passwords.

To have a one-in-a-thousand chance of guessing the password in
500,000 tries implies a universe of at least 500,000,000 passwords,
or about 2^29.  Thus, 29 bits of randomness are needed.  This can
probably be achieved by using the US DoD-recommended inputs for
password generation, as it has 8 inputs that probably average over 5
bits of randomness each (see section 7.1).  Using a list of 1,000
words, the password could be expressed as a three-word phrase
(1,000,000,000 possibilities).  By using case-insensitive letters and
digits, six characters would suffice ((26+10)^6 = 2,176,782,336
possibilities).

For a higher-security password, the number of bits required goes up.
To decrease the probability by 1,000 requires increasing the universe
of passwords by the same factor, which adds about 10 bits.  Thus, to
have only a one in a million chance of a password being guessed under
the above scenario would require 39 bits of randomness and a password
that was a four-word phrase from a 1,000 word list, or eight
letters/digits.  To go to a one-in-10^9 chance, 49 bits of randomness
are needed, implying a five-word phrase or a ten-letter/digit

In a real system, of course, there are other factors.  For example,
the larger and harder to remember passwords are, the more likely
users will bed to write them down, resulting in an additional risk of
compromise.
```
```8.2.  A Very High Security Cryptographic Key

Assume that a very high security key is needed for symmetric
encryption/decryption between two parties.  Assume also that an
adversary can observe communications and knows the algorithm being
used.  Within the field of random possibilities, the adversary can
try key values in hopes of finding the one in use.  Assume further
that brute force trial of keys is the best the adversary can do.

8.2.1.  Effort per Key Trial

How much effort will it take to try each key?  For very high-security
applications, it is best to assume a low value of effort.  Even if it
would clearly take tens of thousands of computer cycles or more to
try a single key, there may be some pattern that enables huge blocks
of key values to be tested with much less effort per key.  Thus, it
is probably best to assume no more than a couple of hundred cycles
per key.  (There is no clear lower bound on this, as computers
operate in parallel on a number of bits and a poor encryption
algorithm could allow many keys or even groups of keys to be tested
in parallel.  However, we need to assume some value and can hope that
a reasonably strong algorithm has been chosen for our hypothetical

If the adversary can command a highly parallel processor or a large
network of work stations, 10^11 cycles per second is probably a
minimum assumption today.  Looking forward a few years, there should
be at least an order of magnitude improvement.  Thus, it is
reasonable to assume that 10^10 keys could be checked per second, or
3.6*10^12 per hour or 6*10^14 per week, or 2.4*10^15 per month.  This
implies a need for a minimum of 63 bits of randomness in keys, to be
sure that they cannot be found in a month.  Even then it is possible
that, a few years from now, a highly determined and resourceful
adversary could break the key in 2 weeks; on average, they need try
only half the keys.

These questions are considered in detail in "Minimal Key Lengths for
Symmetric Ciphers to Provide Adequate Commercial Security: A Report
by an Ad Hoc Group of Cryptographers and Computer Scientists"
[KeyStudy] that was sponsored by the Business Software Alliance.  It
concluded that a reasonable key length in 1995 for very high security
is in the range of 75 to 90 bits and, since the cost of cryptography
does not vary much with the key size, it recommends 90 bits.  To
update these recommendations, just add 2/3 of a bit per year for
Moore's law [MOORE].  This translates to a determination, in the year
2004, a reasonable key length is in the 81- to 96-bit range.  In
fact, today, it is increasingly common to use keys longer than 96
```
```   bits, such as 128-bit (or longer) keys with AES and keys with
effective lengths of 112-bits with triple-DES.

8.2.2.  Meet-in-the-Middle Attacks

If chosen or known plain text and the resulting encrypted text are
available, a "meet-in-the-middle" attack is possible if the structure
of the encryption algorithm allows it.  (In a known plain text
attack, the adversary knows all or part (possibly some standard
header or trailer fields) of the messages being encrypted.  In a
chosen plain text attack, the adversary can force some chosen plain
text to be encrypted, possibly by "leaking" an exciting text that is
sent by the adversary over an encrypted channel because the text is
so interesting.

The following is an oversimplified explanation of the meet-in-the-
middle attack:  the adversary can half-encrypt the known or chosen
plain text with all possible first half-keys, sort the output, and
then half-decrypt the encoded text with all the second half-keys.  If
a match is found, the full key can be assembled from the halves and
used to decrypt other parts of the message or other messages.  At its
best, this type of attack can halve the exponent of the work required
by the adversary while adding a very large but roughly constant
factor of effort.  Thus, if this attack can be mounted, a doubling of
the amount of randomness in the very strong key to a minimum of 192
bits (96*2) is required for the year 2004, based on the [KeyStudy]
analysis.

This amount of randomness is well beyond the limit of that in the
inputs recommended by the US DoD for password generation and could
require user-typing timing, hardware random number generation, or
other sources of randomness.

The meet-in-the-middle attack assumes that the cryptographic
algorithm can be decomposed in this way.  Hopefully no modern
algorithm has this weakness, but there may be cases where we are not
sure of that or even of what algorithm a key will be used with.  Even
if a basic algorithm is not subject to a meet-in-the-middle attack,
an attempt to produce a stronger algorithm by applying the basic
algorithm twice (or two different algorithms sequentially) with
different keys will gain less added security than would be expected.
Such a composite algorithm would be subject to a meet-in-the-middle
attack.

Enormous resources may be required to mount a meet-in-the-middle
attack, but they are probably within the range of the national
security services of a major nation.  Essentially all nations spy on
other nations' traffic.
```
```8.2.3.  Other Considerations

[KeyStudy] also considers the possibilities of special-purpose code-
breaking hardware and having an adequate safety margin.

Note that key length calculations such as those above are
controversial and depend on various assumptions about the
cryptographic algorithms in use.  In some cases, a professional with
a deep knowledge of algorithm-breaking techniques and of the strength
of the algorithm in use could be satisfied with less than half of the
192 bit key size derived above.

For further examples of conservative design principles, see
[FERGUSON].

9.  Conclusion

Generation of unguessable "random" secret quantities for security use
is an essential but difficult task.

Hardware techniques for producing the needed entropy would be
relatively simple.  In particular, the volume and quality would not
need to be high, and existing computer hardware, such as audio input
or disk drives, can be used.

Widely-available computational techniques can process low-quality
random quantities from multiple sources, or a larger quantity of such
low-quality input from one source, to produce a smaller quantity of
higher-quality keying material.  In the absence of hardware sources
of randomness, a variety of user and software sources can frequently,
with care, be used instead.  However, most modern systems already
have hardware, such as disk drives or audio input, that could be used
to produce high-quality randomness.

Once a sufficient quantity of high-quality seed key material (a
couple of hundred bits) is available, computational techniques are
available to produce cryptographically-strong sequences of
computationally-unpredictable quantities from this seed material.

10.  Security Considerations

The entirety of this document concerns techniques and recommendations
for generating unguessable "random" quantities for use as passwords,
cryptographic keys, initialization vectors, sequence numbers, and
similar security applications.
```
```11.  Acknowledgements

Special thanks to Paul Hoffman and John Kelsey for their extensive
comments and to Peter Gutmann, who has permitted the incorporation of
material from his paper "Software Generation of Practically Strong
Random Numbers".

The following people (in alphabetic order) have contributed
substantially to this document:

Steve Bellovin, Daniel Brown, Don Davis, Peter Gutmann, Tony
Hansen, Sandy Harris, Paul Hoffman, Scott Hollenback, Russ
Housley, Christian Huitema, John Kelsey, Mats Naslund, and Damir
Rajnovic.

The following people (in alphabetic order) contributed to RFC 1750,
the predecessor of this document:

David M.  Balenson, Don T.  Davis, Carl Ellison, Marc Horowitz,
Christian Huitema, Charlie Kaufman, Steve Kent, Hal Murray, Neil
Haller, Richard Pitkin, Tim Redmond, and Doug Tygar.
```
```Appendix A: Changes from RFC 1750

2. Insertion of section 5.3 on mixing with S-boxes.

3. Addition of section 3.3 on Ring Oscillator randomness sources.

4. Addition of AES and the members of the SHA series producing more
than 160 bits.  Use of AES has been emphasized and the use of DES
de-emphasized.

5. Addition of section 6.3 on entropy pool techniques.

6. Addition of section 7.2.3 on the pseudo-random number generation
techniques given in FIPS 186-2 (with Change Notice 1), 7.2.1 on
those given in X9.82, section 7.1.2 on the random number
generation techniques of the /dev/random device in Linux and other
UNIX systems, and section 7.1.3 on random number generation
techniques in the Windows operating system.

7. Addition of references to the "Minimal Key Lengths for Symmetric
Ciphers to Provide Adequate Commercial Security" study published
in January 1996 [KeyStudy] and to [RFC1948].

8. Added caveats to using Diffie-Hellman as a mixing function and,
because of those caveats and its computationally intensive nature,
recommend against its use.

9. Addition of references to the X9.82 effort and the [TURBID] and
[NASLUND] papers.

10. Addition of discussion of min-entropy and Renyi entropy and
references to the [LUBY] book.

11. Major restructuring, minor wording changes, and a variety of
```
```Informative References

[AES]          "Specification of the Advanced Encryption Standard
(AES)", United States of America, US National
Institute of Standards and Technology, FIPS 197,
November 2001.

[ASYMMETRIC]    Simmons, G., Ed., "Secure Communications and
Asymmetric Cryptosystems", AAAS Selected Symposium
69, ISBN 0-86531-338-5, Westview Press, 1982.

[BBS]           Blum, L., Blum, M., and M. Shub, "A Simple
Unpredictable Pseudo-Random Number Generator", SIAM
Journal on Computing, v. 15, n. 2, 1986.

[BRILLINGER]    Brillinger, D., "Time Series: Data Analysis and
Theory", Holden-Day, 1981.

[CRC]           "C.R.C. Standard Mathematical Tables", Chemical
Rubber Publishing Company.

[DAVIS]         Davis, D., Ihaka, R., and P. Fenstermacher,
"Cryptographic Randomness from Air Turbulence in Disk
Drives", Advances in Cryptology - Crypto '94,
Springer-Verlag Lecture Notes in Computer Science
#839, 1984.

[DES]           "Data Encryption Standard", US National Institute of
Standards and Technology, FIPS 46-3, October 1999.
Also, "Data Encryption Algorithm", American National
Standards Institute, ANSI X3.92-1981.  See also FIPS
112, "Password Usage", which includes FORTRAN code
for performing DES.

[D-H]           Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, June 1999.

[DNSSEC1]       Arends, R., Austein, R., Larson, M., Massey, D., and
S. Rose, "DNS Security Introduction and
Requirements", RFC 4033, March 2005.

[DNSSEC2]       Arends, R., Austein, R., Larson, M., Massey, D., and
S. Rose, "Resource Records for the DNS Security
Extensions", RFC 4034, March 2005.

[DNSSEC3]       Arends, R., Austein, R., Larson, M., Massey, D., and
S. Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
```
```   [DoD]           "Password Management Guideline", United States of
America, Department of Defense, Computer Security
Center, CSC-STD-002-85, April 1885.

incorporates CSC-STD-002-85 as one of its appendices.
FIPS 112 is currently available at:
http://www.idl.nist.gov/fipspubs/fip112.htm.)

[DSS]           "Digital Signature Standard (DSS)", US National
Institute of Standards and Technology, FIPS 186-2,
January 2000.

[DSS_CN1]       "Digital Signature Standard Change Notice 1", US
National Institute of Standards and Technology, FIPS
186-2 Change Notice 1, 5, October 2001.

[FERGUSON]      Ferguson, N. and B. Schneier, "Practical
Cryptography",  Wiley Publishing Inc., ISBN
047122894X, April 2003.

[GIFFORD]       Gifford, D., "Natural Random Number", MIT/LCS/TM-371,
September 1988.

[IEEE_802.11i]  "Amendment to Standard for Telecommunications and
Information Exchange Between Systems - LAN/MAN
Specific Requirements - Part 11: Wireless Medium
Access Control (MAC) and physical layer (PHY)
specifications: Medium Access Control (MAC) Security
Enhancements", IEEE, January 2004.

[IPSEC]         Kent, S. and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998.

[Jakobsson]     Jakobsson, M., Shriver, E., Hillyer, B., and A.
Juels, "A practical secure random bit generator",
Proceedings of the Fifth ACM Conference on Computer
and Communications Security, 1998.

[KAUFMAN]       Kaufman, C., Perlman, R., and M. Speciner, "Network
Security:  Private Communication in a Public World",
Prentis Hall PTR, ISBN 0-13-046019-2, 2nd Edition
2002.
```
```   [KeyStudy]      Blaze, M., Diffie, W., Riverst, R., Schneier, B.
Shimomura, T., Thompson, E., and M.  Weiner, "Minimal
Key Lengths for Symmetric Ciphers to Provide Adequate
Commercial Security: A Report by an Ad Hoc Group of
Cryptographers and Computer Scientists", January
1996.  Currently available at:
http://www.crypto.com/papers/keylength.txt and
http://www.securitydocs.com/library/441.

[KNUTH]         Knuth, D., "The Art of Computer Programming", Volume
2:  Seminumerical Algorithms, Chapter 3: Random
Numbers, Addison-Wesley Publishing Company, 3rd
Edition, November 1997.

[KRAWCZYK]      Krawczyk, H., "How to Predict Congruential
Generators", Journal of Algorithms, V. 13, N. 4,
December 1992.

[LUBY]          Luby, M., "Pseudorandomness and Cryptographic
Applications", Princeton University Press, ISBN
0691025460, 8 January 1996.

[MAIL_PEM1]     Linn, J., "Privacy Enhancement for Internet
Electronic Mail: Part I: Message Encryption and
Authentication Procedures", RFC 1421, February 1993.

[MAIL_PEM2]     Kent, S., "Privacy Enhancement for Internet
Electronic Mail: Part II: Certificate-Based Key
Management", RFC 1422, February 1993.

[MAIL_PEM3]     Balenson, D., "Privacy Enhancement for Internet
Electronic Mail: Part III: Algorithms, Modes, and
Identifiers", RFC 1423, February 1993.

[MAIL_PEM4]     Kaliski, B., "Privacy Enhancement for Internet
Electronic Mail: Part IV: Key Certification and
Related Services", RFC 1424, February 1993.

[MAIL_PGP1]     Callas, J., Donnerhacke, L., Finney, H., and R.
Thayer, "OpenPGP Message Format", RFC 2440, November
1998.

[MAIL_PGP2]     Elkins, M., Del Torto, D., Levien, R., and T.
Roessler, "MIME Security with OpenPGP", RFC 3156,
August 2001.
```
```   [S/MIME]        RFCs 2632 through 2634:

Ramsdell, B., "S/MIME Version 3 Certificate
Handling", RFC 2632, June 1999.

Ramsdell, B., "S/MIME Version 3 Message
Specification", RFC 2633, June 1999.

Hoffman, P., "Enhanced Security Services for S/MIME",
RFC 2634, June 1999.

[MD4]           Rivest, R., "The MD4 Message-Digest Algorithm", RFC
1320, April 1992.

[MD5]           Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
1321, April 1992.

[MODES]         "DES Modes of Operation", US National Institute of
Standards and Technology, FIPS 81, December 1980.
Also:  "Data Encryption Algorithm - Modes of
Operation", American National Standards Institute,
ANSI X3.106-1983.

[MOORE]         Moore's Law: the exponential increase in the logic
density of silicon circuits.  Originally formulated
by Gordon Moore in 1964 as a doubling every year
starting in 1962, in the late 1970s the rate fell to
a doubling every 18 months and has remained there
through the date of this document.  See "The New
Hacker's Dictionary", Third Edition, MIT Press, ISBN
0-262-18178-9, Eric S.  Raymond, 1996.

[NASLUND]       Naslund, M. and A. Russell, "Extraction of Optimally
Unbiased Bits from a Biased Source", IEEE
Transactions on Information Theory. 46(3), May 2000.

[ORMAN]         Orman, H. and P. Hoffman, "Determining Strengths For
Public Keys Used For Exchanging Symmetric Keys", BCP
86, RFC 3766, April 2004.

[RFC1750]       Eastlake 3rd, D., Crocker, S., and J. Schiller,
"Randomness Recommendations for Security", RFC 1750,
December 1994.

[RFC1948]       Bellovin, S., "Defending Against Sequence Number
Attacks", RFC 1948, May 1996.
```
```   [RFC2104]       Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", RFC 2104,
February 1997.

[RSA_BULL1]     "Suggestions for Random Number Generation in
Software", RSA Laboratories Bulletin #1, January
1996.

[RSA_BULL13]    Silverman, R., "A Cost-Based Security Analysis of
Symmetric and Asymmetric Key Lengths", RSA
Laboratories Bulletin #13, April 2000 (revised
November 2001).

[SBOX1]         Mister, S. and C. Adams, "Practical S-box Design",
Selected Areas in Cryptography, 1996.

[SBOX2]         Nyberg, K., "Perfect Non-linear S-boxes", Advances in
Cryptography, Eurocrypt '91 Proceedings, Springer-
Verland, 1991.

[SCHNEIER]      Schneier, B., "Applied Cryptography: Protocols,
Algorithms, and Source Code in C", 2nd Edition, John
Wiley & Sons, 1996.

[SHANNON]       Shannon, C., "The Mathematical Theory of
Communication", University of Illinois Press, 1963.
Originally from:  Bell System Technical Journal, July
and October, 1948.

[SHIFT1]        Golub, S., "Shift Register Sequences", Aegean Park
Press, Revised Edition, 1982.

[SHIFT2]        Barker, W., "Cryptanalysis of Shift-Register
Generated Stream Cypher Systems", Aegean Park Press,
1984.

[SHA]           "Secure Hash Standard", US National Institute of
Science and Technology, FIPS 180-2, 1 August 2002.

[SHA_RFC]       Eastlake 3rd, D. and P. Jones, "US Secure Hash
Algorithm 1 (SHA1)", RFC 3174, September 2001.

[SSH]           Products of the SECSH Working Group, Works in
Progress, 2005.

[STERN]         Stern, J., "Secret Linear Congruential Generators are
not Cryptographically Secure", Proc. IEEE STOC, 1987.
```
```   [TLS]           Dierks, T. and C. Allen, "The TLS Protocol Version
1.0", RFC 2246, January 1999.

[TURBID]        Denker, J., "High Entropy Symbol Generator",
<http://www.av8n.com/turbid/paper/turbid.htm>, 2003.

[USENET_1]      Kantor, B. and P. Lapsley, "Network News Transfer
Protocol", RFC 977, February 1986.

[USENET_2]      Barber, S., "Common NNTP Extensions", RFC 2980,
October 2000.

[VON_NEUMANN]   Von Nuemann, J., "Various techniques used in
connection with random digits", Von Neumann's
Collected Works, Vol. 5, Pergamon Press, 1963.

[WSC]           Howard, M. and D. LeBlanc, "Writing Secure Code,
Second Edition", Microsoft Press, ISBN 0735617228,
December 2002.

[X9.17]         "American National Standard for Financial Institution
Key Management (Wholesale)", American Bankers
Association, 1985.

[X9.82]         "Random Number Generation", American National
Standards Institute, ANSI X9F1, Work in Progress.
Part 1 - Overview and General Principles.
Part 2 - Non-Deterministic Random Bit Generators
Part 3 - Deterministic Random Bit Generators
```
```Authors' Addresses

Donald E. Eastlake 3rd
Motorola Laboratories
155 Beaver Street
Milford, MA 01757 USA

Phone: +1 508-786-7554 (w)
+1 508-634-2066 (h)
EMail: Donald.Eastlake@motorola.com

Jeffrey I. Schiller
MIT, Room E40-311
77 Massachusetts Avenue
Cambridge, MA 02139-4307 USA

Phone: +1 617-253-0161
EMail: jis@mit.edu

Steve Crocker

EMail: steve@stevecrocker.com
```
```Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights.  Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard.  Please address the information to the IETF at ietf-
ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the
Internet Society.
```