Randomness Requirements for Security
RFC 4086

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>
Subject: Protocol Action: 'Randomness Requirements for Security' 
         to BCP 

The IESG has approved the following document:

- 'Randomness Requirements for Security '
   <draft-eastlake-randomness2-11.txt> as a BCP

This document has been reviewed in the IETF but is not the product of an
IETF Working Group. 

The IESG contact person is Russ Housley.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-eastlake-randomness2-11.txt

Technical Summary

  Security systems are built on strong cryptographic algorithms that
  foil pattern analysis attempts. However, the security of these systems
  is dependent on generating secret quantities for passwords,
  cryptographic keys, and similar quantities. The use of pseudo-random
  processes to generate secret quantities can result in pseudo-
  security.  The sophisticated attacker of these security systems may
  find it easier to reproduce the environment that produced the secret
  quantities, searching the resulting small set of possibilities, than
  to locate the quantities in the whole of the potential number space.

  Choosing random quantities to foil a resourceful and motivated
  adversary is surprisingly difficult. This document points out many
  pitfalls in using traditional pseudo-random number generation
  techniques for choosing such quantities. It recommends the use of
  truly random hardware techniques and shows that the existing hardware
  on many systems can be used for this purpose. It provides suggestions
  to ameliorate the problem when a hardware solution is not available.
  And it gives examples of how large such quantities need to be for some
  applications.

Working Group Summary

  This is an individual submission, and it is not the product of any
  IETF Working Group.

Protocol Quality

  This document was reviewed by Russell Housley for the IESG.