1. Start studying Security+ Chapter 5 review questions. Learn vocabulary, terms, and more with flashcards, games, and other study tools. Public key systems that generate random public keys that are different for each session are called. Public Key Exchange (PKE). Collisions should be rare.
2. Not all key generation methods are created equal, and you may want to explicitly choose e.g. The key generation method of a provider. This is especially of use for providers for security tokens. For AES though, the random number generator may be of more importance - you may for instance want to use a slower, more secure, FIPS certified random number generator instead of the default.
3. PRNGs work by keeping an internal state. Typically this is a seed and a key, which are kept secret. When a consumer requests random data, a cryptographic algorithm operates on the seed and the key to produce pseudo-random output. The internal state is then updated so that the next request does not produce the same data.
4. A random number generator is a device that generates a sequence of numbers or symbols that cannot be reasonably predicted better than by a random chance. Random number generators can be true hardware random-number generators, which generate genuinely random numbers, or pseudo-random number generators, which generate numbers that look random, but are actually deterministic, and can be reproduced if the state of the PRNG is known. Various applications of randomness have led to the development of s.

• What Is Random Key Generation Algorithm Mean
• What Is Random Key Generation Algorithm Download

Maze generation algorithms are automated methods for the creation of mazes.

Recommendation for Cryptographic Key Generation. 1 Introduction. Random Bit Generators and possibly other parameters,. Security functions (including cryptographic algorithms and key generation) and is contained within a cryptographic module boundary. See FIPS 140. Nov 04, 2014  The RSA Encryption Algorithm (2 of 2: Generating the Keys) Eddie Woo. Unsubscribe from Eddie Woo? Cancel Unsubscribe. Subscribe Subscribed Unsubscribe 888K.

Graph theory based methods[edit]

A maze can be generated by starting with a predetermined arrangement of cells (most commonly a rectangular grid but other arrangements are possible) with wall sites between them. This predetermined arrangement can be considered as a connected graph with the edges representing possible wall sites and the nodes representing cells. The purpose of the maze generation algorithm can then be considered to be making a subgraph in which it is challenging to find a route between two particular nodes.

If the subgraph is not connected, then there are regions of the graph that are wasted because they do not contribute to the search space. If the graph contains loops, then there may be multiple paths between the chosen nodes. Because of this, maze generation is often approached as generating a random spanning tree. Loops, which can confound naive maze solvers, may be introduced by adding random edges to the result during the course of the algorithm.

The animation shows the maze generation steps for a graph that is not on a rectangular grid.First, the computer creates a random planar graph Gshown in blue, and its dual Fshown in yellow. Second, computer traverses F using a chosenalgorithm, such as a depth-first search, coloring the path red.During the traversal, whenever a red edge crosses over a blue edge,the blue edge is removed.Finally, when all vertices of F have been visited, F is erasedand two edges from G, one for the entrance and one for the exit, are removed.

Depth-first search[edit]

This algorithm is a randomized version of the depth-first search algorithm. Frequently implemented with a stack, this approach is one of the simplest ways to generate a maze using a computer. Consider the space for a maze being a large grid of cells (like a large chess board), each cell starting with four walls. Starting from a random cell, the computer then selects a random neighbouring cell that has not yet been visited. The computer removes the wall between the two cells and marks the new cell as visited, and adds it to the stack to facilitate backtracking. The computer continues this process, with a cell that has no unvisited neighbours being considered a dead-end. When at a dead-end it backtracks through the path until it reaches a cell with an unvisited neighbour, continuing the path generation by visiting this new, unvisited cell (creating a new junction). This process continues until every cell has been visited, causing the computer to backtrack all the way back to the beginning cell. We can be sure every cell is visited.

As given above this algorithm involves deep recursion which may cause stack overflow issues on some computer architectures. The algorithm can be rearranged into a loop by storing backtracking information in the maze itself. This also provides a quick way to display a solution, by starting at any given point and backtracking to the beginning.

Mazes generated with a depth-first search have a low branching factor and contain many long corridors, because the algorithm explores as far as possible along each branch before backtracking.

Recursive backtracker[edit]

The depth-first search algorithm of maze generation is frequently implemented using backtracking. This can be described with a following recursive routine:

1. Given a current cell as a parameter,
2. Mark the current cell as visited
3. While the current cell has any unvisited neighbour cells
   1. Chose one of the unvisited neighbours
   2. Remove the wall between the current cell and the chosen cell
   3. Invoke the routine recursively for a chosen cell

which is invoked once for any initial cell in the area.

A disadvantage of this approach is a large depth of recursion – in the worst case, the routine may need to recur on every cell of the area being processed, which may exceed the maximum recursion stack depth in many environments. As a solution, the same bactracking method can be implemented with an explicit stack, which is usually allowed to grow much bigger with no harm.

1. Choose the initial cell, mark it as visited and push it to the stack
2. While the stack is not empty
   1. Pop a cell from the stack and make it a current cell
   2. If the current cell has any neighbours which have not been visited
      1. Push the current cell to the stack
      2. Choose one of the unvisited neighbours
      3. Remove the wall between the current cell and the chosen cell
      4. Mark the chosen cell as visited and push it to the stack

Randomized Kruskal's algorithm[edit]

This algorithm is a randomized version of Kruskal's algorithm.

1. Create a list of all walls, and create a set for each cell, each containing just that one cell.
2. For each wall, in some random order:
   1. If the cells divided by this wall belong to distinct sets:
      1. Remove the current wall.
      2. Join the sets of the formerly divided cells.

There are several data structures that can be used to model the sets of cells. An efficient implementation using a disjoint-set data structure can perform each union and find operation on two sets in nearly constant amortized time (specifically, ${\displaystyle O(\alpha (V))}$ time; for any plausible value of ${\displaystyle x}$), so the running time of this algorithm is essentially proportional to the number of walls available to the maze.

It matters little whether the list of walls is initially randomized or if a wall is randomly chosen from a nonrandom list, either way is just as easy to code.

Because the effect of this algorithm is to produce a minimal spanning tree from a graph with equally weighted edges, it tends to produce regular patterns which are fairly easy to solve.

Randomized Prim's algorithm[edit]

This algorithm is a randomized version of Prim's algorithm.

1. Start with a grid full of walls.
2. Pick a cell, mark it as part of the maze. Add the walls of the cell to the wall list.
3. While there are walls in the list:
   1. Pick a random wall from the list. If only one of the two cells that the wall divides is visited, then:
      1. Make the wall a passage and mark the unvisited cell as part of the maze.
      2. Add the neighboring walls of the cell to the wall list.
   2. Remove the wall from the list.

It will usually be relatively easy to find the way to the starting cell, but hard to find the way anywhere else.

Note that simply running classical Prim's on a graph with random edge weights would create mazes stylistically identical to Kruskal's, because they are both minimal spanning tree algorithms. Instead, this algorithm introduces stylistic variation because the edges closer to the starting point have a lower effective weight.

Modified version[edit]

Although the classical Prim's algorithm keeps a list of edges, for maze generation we could instead maintain a list of adjacent cells. If the randomly chosen cell has multiple edges that connect it to the existing maze, select one of these edges at random. This will tend to branch slightly more than the edge-based version above.

Wilson's algorithm[edit]

All the above algorithms have biases of various sorts: depth-first search is biased toward long corridors, while Kruskal's/Prim's algorithms are biased toward many short dead ends. Wilson's algorithm,^[1] on the other hand, generates an unbiased sample from the uniform distribution over all mazes, using loop-erased random walks.

We begin the algorithm by initializing the maze with one cell chosen arbitrarily. Then we start at a new cell chosen arbitrarily, and perform a random walk until we reach a cell already in the maze—however, if at any point the random walk reaches its own path, forming a loop, we erase the loop from the path before proceeding. When the path reaches the maze, we add it to the maze. Then we perform another loop-erased random walk from another arbitrary starting cell, repeating until all cells have been filled.

This procedure remains unbiased no matter which method we use to arbitrarily choose starting cells. So we could always choose the first unfilled cell in (say) left-to-right, top-to-bottom order for simplicity.

Recursive division method[edit]

Illustration of Recursive Division

original chamber	division by two walls	holes in walls	continue subdividing...	completed
step 1	step 2	step 3	step 4	step 5

Mazes can be created with recursive division, an algorithm which works as follows: Begin with the maze's space with no walls. Call this a chamber. Divide the chamber with a randomly positioned wall (or multiple walls) where each wall contains a randomly positioned passage opening within it. Then recursively repeat the process on the subchambers until all chambers are minimum sized. This method results in mazes with long straight walls crossing their space, making it easier to see which areas to avoid.

For example, in a rectangular maze, build at random points two walls that are perpendicular to each other. These two walls divide the large chamber into four smaller chambers separated by four walls. Choose three of the four walls at random, and open a one cell-wide hole at a random point in each of the three. Continue in this manner recursively, until every chamber has a width of one cell in either of the two directions.

Simple algorithms[edit]

Other algorithms exist that require only enough memory to store one line of a 2D maze or one plane of a 3D maze. Eller's algorithm prevents loops by storing which cells in the current line are connected through cells in the previous lines, and never removes walls between any two cells already connected.^[2] The Sidewinder algorithm starts with an open passage along the entire the top row, and subsequent rows consist of shorter horizontal passages with one connection to the passage above. The Sidewinder algorithm is trivial to solve from the bottom up because it has no upward dead ends.^[3] Given a starting width, both algorithm create perfect mazes of unlimited height.

Most maze generation algorithms require maintaining relationships between cells within it, to ensure the end result will be solvable. Valid simply connected mazes can however be generated by focusing on each cell independently. A binary tree maze is a standard orthogonal maze where each cell always has a passage leading up or leading left, but never both. To create a binary tree maze, for each cell flip a coin to decide whether to add a passage leading up or left. Always pick the same direction for cells on the boundary, and the end result will be a valid simply connected maze that looks like a binary tree, with the upper left corner its root. As with Sidewinder, the binary tree maze has no dead ends in the directions of bias.

A related form of flipping a coin for each cell is to create an image using a random mix of forward slash and backslash characters. This doesn't generate a valid simply connected maze, but rather a selection of closed loops and unicursal passages. (The manual for the Commodore 64 presents a BASIC program using this algorithm, but using PETSCII diagonal line graphic characters instead for a smoother graphic appearance.)

Cellular automaton algorithms[edit]

Certain types of cellular automata can be used to generate mazes.^[4] Two well-known such cellular automata, Maze and Mazectric, have rulestrings B3/S12345 and B3/S1234.^[4] In the former, this means that cells survive from one generation to the next if they have at least one and at most five neighbours. In the latter, this means that cells survive if they have one to four neighbours. If a cell has exactly three neighbours, it is born. It is similar to Conway's Game of Life in that patterns that do not have a living cell adjacent to 1, 4, or 5 other living cells in any generation will behave identically to it.^[4] However, for large patterns, it behaves very differently from Life.^[4]

For a random starting pattern, these maze-generating cellular automata will evolve into complex mazes with well-defined walls outlining corridors. Mazecetric, which has the rule B3/S1234 has a tendency to generate longer and straighter corridors compared with Maze, with the rule B3/S12345.^[4] Since these cellular automaton rules are deterministic, each maze generated is uniquely determined by its random starting pattern. This is a significant drawback since the mazes tend to be relatively predictable.

Like some of the graph-theory based methods described above, these cellular automata typically generate mazes from a single starting pattern; hence it will usually be relatively easy to find the way to the starting cell, but harder to find the way anywhere else.

See also[edit]

References[edit]

1. ^Wilson, David Bruce (May 22–24, 1996). 'Generating random spanning trees more quickly than the cover time'. Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing. Symposium on Theory of Computing. Philadelphia: ACM. pp. 296–303. CiteSeerX10.1.1.47.8598. doi:10.1145/237814.237880. ISBN0-89791-785-5.
2. ^Jamis Buck (29 December 2010). 'Maze Generation: Eller's Algorithm'.
3. ^Jamis Buck (3 February 2011). 'Maze Generation: Sidewinder Algorithm'.
4. ^ ^abcdeNathaniel Johnston; et al. (21 August 2010). 'Maze - LifeWiki'. LifeWiki. Retrieved 1 March 2011.

External links[edit]

• Think Labyrinth: Maze algorithms (details on these and other maze generation algorithms)
• Implementations of DFS maze creation algorithm in multiple languages at Rosetta Code

This describes in detail the [now superseded] deterministic random number generator (RNG) algorithm usedin CryptoSys API and the CryptoSys PKI Toolkit. We assert that the following CryptoSys RNG functions are fully compliant with the requirements ofFIPS PUB 140-2, Security Requirements For Cryptographic Modules (as updated with Change Notice 2 on 3 December 2002) and with ANSI X9.31 Appendix A.2.4 (which replaces X9.17 Appendix C):

CryptoSys API Version 3CryptoSys API Version 2 (deprecated)CryptoSys PKI

This information is published for peer review and comment.Please contact uswith your comments.See also the later version of this document.

Contents

Definitions

Random Number:

1. A number selected from a known set of numbers in such a way that each number in the set has the same probability of occurrence. 2. A number obtained by chance. 3. One of a sequence of numbers considered appropriate for satisfying certain statistical tests or believed to be free from conditions that might bias the result of a calculation.
(Federal Standard 1037C).

Random Number Generator:

Random Number Generators (RNGs) used for cryptographic applicationstypically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks ofrandom numbers. There are two basic classes: deterministic and nondeterministic. A deterministic RNGconsists of an algorithm that produces a sequence of bits from an initial value called a seed. Anondeterministic RNG produces output that is dependent on some unpredictable physical source that isoutside human control. There are no FIPS Approved nondeterministic random number generators. [FIPS140]

Pseudo-Random Number Generator:

A pseudo-random number generator, or PRNG, is a random number generator that produces a sequence of values based on a seed and a current state. Given the same seed, a PRNG will always output the same sequence of values.[LAVA]

Seed key:

A secret value used to initialize a cryptographic function or operation.[FIPS140]

The terms pseudo-random number generator and deterministic RNG can be taken as equivalent for ourpurposes.

Terminology

We use the term RNG in this document to mean a deterministic RNG or PRNG that complies withFIPS 140-2 and X9.31.When we're talking about a random number, we use the terms number, byte, bitand bit string interchangably depending on the context.Note, too, that the term seed is used in three separate contexts: the seed key used to initiatethe RNG algorithm, a user-supplied seed, and a value SD stored in memory to retain entropy between calls.

Design Principles

The objective is to produce a sequence of the required number of pseudorandom bits.The algorithm must comply with the standard. The method must be independent of hardware. No data is to be stored in permanent storage.The algorithm should make sure thatsubsequent calls in the same thread or two calls on parallel threads do not produce indentical resuls.It should minimise the chances thattwo calls on different computers at the same time will produce an identical result.It should minimise the requirements to store persistent information between calls and be safe to usein a multi-threaded environment.

Security requirements

A minimum security requirement for a pseudorandom bit generator is that the length k of the random seed shouldbe sufficiently large so that a search over 2^^k elements (the total number of possible seeds) is infeasiblefor an adversary. Two general requirements are that the output sequences of a PRNG should be statistically indistinguishablefrom truly random sequences, and the output should be unpredictable to an adversary with limitedcomputational resources. [MENE]

The Theory

What Is Random Key Generation Algorithm Mean

From FIPS PUB 140-2 Annex C [FIPS140-C]:

ANNEX C: APPROVED RANDOM NUMBER GENERATORS

Annex C provides a list of the FIPS Approved random number generators applicable to FIPS PUB 140-2
(snip)...
3. American Bankers Association, Digital Signatures Using Reversible Public Key Cryptography for theFinancial Services Industry (rDSA), ANSI X9.31-1998 - Appendix A.2.4.

From X9.31-1998 Appendix A [AX931] and reproduced in [RNG931EXT]:

A.2.4 Generating Pseudo Random Numbers Using the DEA

Let ede*X(Y) represent the DEA multiple encryption of Y under the key *X. Let *K be a DEA key pair reserved only for thegeneration of pseudo random numbers, let V be a 64-bit seed value which is also kept secret, and let XOR be the exclusive-or operator.Let DT be a date/time vector which is updated on each iteration. I is an intermediate value. A 64-bit vector R is generated asfollows:Successive values of R may be concatenated to produce a pseudo random number of the desired length.

From FIPS PUB 140-2 Section 4.9.2 Self-Tests - Conditional Tests [FIPS140]:

Continuous random number generator test.

If a cryptographic module employs Approved or non-ApprovedRNGs in an Approved mode of operation, the module shall perform the following continuousrandom number generator test on each RNG that tests for failure to a constant value.

1. If each call to a RNG produces blocks of n bits (where n > 15), the first n-bit block generatedafter power-up, initialization, or reset shall not be used, but shall be saved for comparison withthe next n-bit block to be generated. Each subsequent generation of an n-bit block shall becompared with the previously generated block. The test shall fail if any two compared n-bitblocks are equal.

Notation

• CC, a 32-bit counter stored in thread-safe memory
• D, a 64-bit representation of the current date and time
• K, a 192-bit triple DES key
• L, a 64-bit value stored in thread-safe memory used to store the last value of X0
• P, a 64-bit value stored in thread-safe memory used to store the previously-generated block X
• S, a 64-bit generated seed value
• SD, a 64-bit value stored in thread-safe memory
• U, an optional user-supplied seed consisting of an arbitrary number of bytes
• X, X0, Xf, 64-bit generated values

Our FIPS 140-2 Compliant RNG Algorithm for generating N pseudorandom bytes

Given

• N, the required number of pseudorandom bytes
• U, an optional user-supplied seed consisting of an arbitrary number of bytes
• L, P, two 64-bit continuous check values stored in thread-safe memory

Step 1. Generate 32 pseudo-random bytes with theseed key generator (described below), adding the user-supplied seed, U, if any.

Step 2. Set the 192-bit Triple DES key, K, as the first 24 bytes generated in step 1, and set the seed, S, as the last 8 bytes [Note 1].

Step 3. Set D as a 64-bit representation of the current date and time [Note 2].

Step 4. Generate the 64-bit block X0 = G(S, K, D) where G is the X9.17 RNG algorithm described in ANSI X9.17 Appendix C/ANSI X9.31 Appendix A, and where S is updated as per that algorithm.

Step 5. Set up to carry out continuous random number generator tests:

1. If X0 equals L or X0 equals P, stop and notifya failure of the continuous random number generator test.
2. Set L = X0 and store in thread-safe memory for the next call.
3. Set P = X0.

Step 6. For R = N until R is equal to zero, do:

What Is Random Key Generation Algorithm Download

1. Generate a 64-bit block X = G(S, K, D), updating S in the process (see below).
2. If X equals the previously-generated block, P, thenstop and notify a failure of the continuous random number generator test [Note 3].
3. Set B = the lesser of R and 8.
4. Output B bytes from X. [Note 6]
5. Set R = R - B.
6. Set P = X.

Step 7. Generate a final block Xf = G(S, K, D) and set P = Xf [Note 3].

Step 8. Zeroise K, S, D, Xand any other internal buffers used. Retain L and P for subsequent use.

Flowchart

X9.17/X9.31 algorithm to generate the next 64-bit block

Given

• D, a 64-bit representation of the current date-time
• S, a secret 64-bit seed that will be updated by this process
• K, a secret Triple DES key

Step 1. Compute the 64-bit block X = G(S, K, D) as follows:

1. I = E(D, K)
2. X = E(I XOR S, K)
3. S' = E(X XOR I, K)

where E(p, K) is the Triple DES encryption of the 64-bit block p using key K.

Step 2. Return X and set S = S' for the next cycle.

Algorithm to generate a seed key

Given

• N, the required number of bytes
• U, an optional user-supplied seed consisting of M bytes
• CC, a 32-bit unsigned counter stored in thread-safe memory
• SD, a 64-bit value stored in thread-safe memory

Step 1. Increment the counter CC and save the updated value for subsequent calls.Roll over to zero if the value is incremented beyond ULONG_MAX.

Step 2. Create a 512 bit/64 byte message block as follows [Note 4]:

DT SST CC SD

where

• DT is a 64-bit representation of the current date-time
• SST is a 352-bit representation of the system status

On a Win32 system, we use this for the system status:

SST = PID TID TC MS

where

• PID is a 32-bit representation of the current process ID
• TID is a 32-bit representation of the current thread ID
• TC is a 32-bit representation of the system clock count
• MS is a 256-bit representation of the current system memory status

On a Linux system, we use:

SST = PID TC SI

where SI is a 288-bit representation of the current overall system statistics, truncated as necessary.

Step 3. If the user has supplied an optional seed of M bytes, add these to the message block as follows:

1. Increment the counter value, CC'.
2. Compute the 160-bit SHA-1 message digest of (M CC').
3. XOR this digest with the message block at byte offset 32:

This step has changed from an earlier method - see Note 5.

Step 4. For R = N until R is equal to zero, do:

1. Create an SHA-1 digest of the message block
2. Replace the first 20 bytes of theblock with the resulting message digest bytes.
3. Set B = the lesser of R and 20.
4. Output B bytes from the updated message block.
5. Set R = R - B.

Step 5. Update SD as follows:

1. Create an SHA-1 digest of the final message block from the previous step
2. Set SD' = the first 64 bits/8 bytes of the resulting digest.
3. Set SD = SD XOR SD'.
4. Save the updated SD in thread-safe memory for use in subsequent calls.

Step 6. Zeroise the message block and any other internal buffers used.

On Start-Up

When the process or thread starts:

1. Initialise the counter CC with a pseudo-random 32-bit value using a separate and not-necessarily-secure generatorlike rand() and store in thread-safe memory.This value will be used as the counter CC in the seed key algorithm above.
2. Set L = P = SD = 0 and store in thread-safe memory.
3. Call the RNG function to generate 8 bytes/64 bits and ignore the output. This will set and store two 64-bit values L and P forcontinuous testing, and a new 64-bit seed SD for subsequent calls. If this attempt to generate an RNG fails (e.g. by generating a zero value), stop and notify a failure of the RNG function.

Note that each thread has its own independent set of persistent values, CC, SD, L and P, stored in thread-safe memory between calls to the RNG.

Notes

1. Derivation of key K and seed

   The ANSI standard requires that the DEA key, K, is reserved (and presumably is kept secret)and that the seed is secret, but gives no further guidance on how they might be derived. There is noadvice in the newer Implementation Guidance for the FIPS PUB 140-2 [FIPS1402IG]but the olderImplementation Guidance for the FIPS PUB 140-1 [FIPS140IG] advised that

   It is acceptable for the output of a randomnumber generator to generate a seed value for one of the FIPS-approved pseudorandomnumber generators listed above, in order to generate keys.

   We assert that our method of deriving an independent key and seed each time using an SHA-1 hash of certainvolatile and time-related system variables is in accordance with the standard.

2. 64-bit representation of the current date and time

   On a Win32 system:-On a Linux system, you might do this:-The value produced here may be longer than 64 bits.

3. Continuous checks using P and L

   The 64-bit value P is used to carry out the continuous test required in Section 4.9.2 of FIPS 140-2, comparing each 64-bit block generated by the function G with the previously-generated block. The 64-bit value L is used to carry out an additional check to make sure that consecutive calls to the RNG do not return identical values.This additional check is not required by FIPS 140-2, but it catches the situationwhere the same seed key is used as the last time the RNG was called. In our opinion this is the most likely form of failure of this deterministic algorithm.

   Note that after a call to the RNG, neither of the stored values P or L have been output by the RNG. Each time the RNG is called, a dummy block is generated to compare with the last value, L, andan extra dummy block is generated at the end to make sure the final value of P is different from the last block of output.

4. Choice of initial value for seed key generator

   We chose the components of this particular 512-bit value for the following reasons:
   • It is fast and hardware independent.
   • All Win32 functions required are available in all variants of the Windows operating system.
   • By using a combination of the current time, clock tick, and process and thread IDs, it should provide a unique seed in any given thread on the same computer.
   • Using a snapshot of the memory status adds some volatility which should be hard to reproduce.
   • Using a thread-safe counter prevents subsequent calls in the same clock cycle producing the same result, and using a pseudo-random starting value for this counter reduces the chances of producing the same value on different computersat the same time.
   • Using and updating a 64-bit internal seed value SD between calls adds some entropy based on all previous calls since power up,and also prevents the output being the same on consecutive calls to the seed key generator.

   It could be improved by keeping a 'pool' of randomness on the hard-drive or by capturing 'random' hardware values such as mouse movements, keystroke timings, or fluctuationsin pressure across the hard drive head. These are precluded by our design criteria of being hardware independentand not storing any permanent data on the user's system..

   To produce the system-related seed values on a Win32 system:-On Linux, we had problems trying to use pthread-related functions, so we used this :-

5. Change in methods for blending the user-supplied seed

   Old method:
   1. if M <= 64, XOR the first M bytes of the message block with the seed bytes,i.e.
      for j=1 to M set block_byte(j) = block_byte(j) XOR seed_byte(j); or
   2. if M > 64, repeatedly XOR the message block with next 64 seed bytes until the remaining number of seed bytes is less than or equal to 64, then do as in (a).
   The new method described above creates the SHA-1 message digest of the user-supplied seed together with a counterand then XORs this into the message block. Using a message digest destroys any structure in the user-supplied seed that mightconceivably be used to affect the state of the block.

6. What we really do

   Actually, we don't do any of this. We just use the C stdlib function rand().We know nobody ever reads this far :-)

References

• [AX917]ANSI X9.17-1995Financial Institution Key Management (Wholesale), Appendix C,American National Standards Institute,1995. (Because ANSI has withdrawn X9.17, the appropriate reference is to ANSI X9.31).
• [AX931]ANSI X9.31-1998Digital Signatures using ReversiblePublic Key Cryptography for the Financial Services Industry (rDSA),Appendix A,American National Standards Institute,1998.
• [FIPS140]Federal Information Processing Standards PublicationFIPS PUB 140-2 Security Requirements for Cryptographic Modules,U.S. Department Of Commerce/National Institute of Standards and Technology,25 May 2001, updated 3 December 2002.
• [FIPS140-C]FIPS PUB 140-2Annex C: Approved Random Number Generatorsfor FIPS PUB 140-2,Security Requirements for Cryptographic Modules,Information Technology Laboratory,National Institute of Standards and Technology,draft 31 January 2005.
• [FIPS140IG]Implementation Guidance forFIPS PUB 140-1 and the CryptographicModule Validation Program,U.S. Department Of Commerce/National Institute of Standards and Technology,update 10 January 2002.
• [FIPS1402IG]Implementation Guidance forFIPS PUB 140-2 and the CryptographicModule Validation Program,U.S. Department Of Commerce/National Institute of Standards and Technology,update 22 September 2004.
• [FIPS46]Federal Information Processing Standard (FIPS) 46-3,Data Encryption Standard (DES),U.S. Department Of Commerce/National Institute of Standards and Technology,25 October 1999.
• [FIPS180]Federal Information Processing Standards PublicationFIPS PUB 180-1 Secure Hash Standard,U.S. Department Of Commerce/National Institute of Standards and Technology,17 April 1995.
• [LAVA]LavaRnd, Terms & Definitions: pseudo-random number generator,<http://www.lavarnd.org/faq/prng.html>
• [MENE] Menezes, van Oorschot and Vanstone,Handbook of Applied Cryptography,CRC Press LLC, 1997.
• [RNG931EXT]National Institute of Standards and Technology, NIST-Recommended Random Number GeneratorBased on ANSI X9.31 Appendix A.2.4 Using the 3-Key Triple DES and AES Algorithms, 31 January 2005.
• [SP80067]NIST Special Publication 800-67,Recommendation for the TripleData Encryption Algorithm(TDEA) Block Cipher,National Institute of Standards and Technology, Version 1, May 2004.
• [STAL] William Stallings,Cryptography and Network Security: Principles and Practice,2nd ed, Prentice-Hall, 1995.

Comments? Disagree? Found a mistake? Please let us know.

This page last updated: 9 September 2007