Randomness Requirements for Security
draft-eastlake-randomness3-00

Document Type Expired Internet-Draft (individual)
Last updated 2014-05-09 (latest revision 2013-11-05)
Stream (None)
Intended RFC status (None)
Formats
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-eastlake-randomness3-00.txt

Abstract

Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar values. The use of pseudo-random processes to generate secret quantities can result in pseudo- security. For example, the sophisticated attacker of these security systems may find it easier to reproduce the environment that produced the secret quantities, searching a resulting small set of possibilities, than to locate the quantities in the whole of the potential number space. Choosing random quantities to foil a resourceful and motivated adversary can be surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo- random number generation techniques for generating such quantities. It recommends the use of multiple sources with a strong mixing function, so that no single source need be fully trusted, and provides techniques for extending a random seed to a larger quantity of pseudo-random material in a cryptographically secure way. And it gives examples of how large such quantities need to be for some applications. This document obsoletes RFC 4086.

Authors

Donald Eastlake (d3e3e3@gmail.com)
Steve Crocker (steve@stevecrocker.com)
Charlie Kaufman (charliek@microsoft.com)
Jeffrey Schiller (jis@mit.edu)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)