Network Working Group D. Eastlake, 3rd
Request for Comments: 4086 Motorola Laboratories
BCP: 106 J. Schiller
Obsoletes: 1750 MIT
Category: Best Current Practice S. Crocker
June 2005
Network Working Group D. Eastlake, 3rd
Request for Comments: 4086 Motorola Laboratories
BCP: 106 J. Schiller
Obsoletes: 1750 MIT
Category: Best Current Practice S. Crocker
June 2005
Randomness Requirements for Security
安全性的随机性要求
Status of This Memo
关于下段备忘
This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited.
本文件规定了互联网社区的最佳现行做法,并要求进行讨论和提出改进建议。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
Abstract
摘要
Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space.
安全系统是建立在强大的密码算法之上的,这种算法可以阻止模式分析的尝试。然而,这些系统的安全性取决于为密码、加密密钥和类似数量生成秘密数量。使用伪随机过程生成秘密量可能导致伪安全性。复杂的攻击者可能会发现,与在整个潜在数字空间中定位数量相比,更容易重现产生秘密数量的环境并搜索产生的一小部分可能性。
Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities. It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications.
选择随机数量来挫败一个足智多谋、积极进取的对手,难度惊人。本文件指出了使用较差的熵源或传统的伪随机数生成技术生成此类数量时存在的许多缺陷。它建议使用真正随机的硬件技术,并表明许多系统上的现有硬件可用于此目的。它提供了在硬件解决方案不可用时改善问题的建议,并举例说明了某些应用程序需要多大数量的硬件。
Table of Contents
目录
1. Introduction and Overview .......................................3
2. General Requirements ............................................4
3. Entropy Sources .................................................7
3.1. Volume Required ............................................7
3.2. Existing Hardware Can Be Used For Randomness ...............8
3.2.1. Using Existing Sound/Video Input ....................8
3.2.2. Using Existing Disk Drives ..........................8
3.3. Ring Oscillator Sources ....................................9
3.4. Problems with Clocks and Serial Numbers ...................10
3.5. Timing and Value of External Events .......................11
3.6. Non-hardware Sources of Randomness ........................12
4. De-skewing .....................................................12
4.1. Using Stream Parity to De-Skew ............................13
4.2. Using Transition Mappings to De-Skew ......................14
4.3. Using FFT to De-Skew ......................................15
4.4. Using Compression to De-Skew ..............................15
5. Mixing .........................................................16
5.1. A Trivial Mixing Function .................................17
5.2. Stronger Mixing Functions .................................18
5.3. Using S-Boxes for Mixing ..................................19
5.4. Diffie-Hellman as a Mixing Function .......................19
5.5. Using a Mixing Function to Stretch Random Bits ............20
5.6. Other Factors in Choosing a Mixing Function ...............20
6. Pseudo-random Number Generators ................................21
6.1. Some Bad Ideas ............................................21
6.1.1. The Fallacy of Complex Manipulation ................21
6.1.2. The Fallacy of Selection from a Large Database .....22
6.1.3. Traditional Pseudo-random Sequences ................23
6.2. Cryptographically Strong Sequences ........................24
6.2.1. OFB and CTR Sequences ..............................25
6.2.2. The Blum Blum Shub Sequence Generator ..............26
6.3. Entropy Pool Techniques ...................................27
7. Randomness Generation Examples and Standards ...................28
7.1. Complete Randomness Generators ............................28
7.1.1. US DoD Recommendations for Password Generation .....28
7.1.2. The /dev/random Device .............................29
7.1.3. Windows CryptGenRandom .............................30
7.2. Generators Assuming a Source of Entropy ...................31
7.2.1. X9.82 Pseudo-Random Number Generation ..............31
7.2.2. X9.17 Key Generation ...............................33
7.2.3. DSS Pseudo-random Number Generation ................34
8. Examples of Randomness Required ................................34
8.1. Password Generation .......................................35
8.2. A Very High Security Cryptographic Key ....................36
9. Conclusion .....................................................38
10. Security Considerations ........................................38
1. Introduction and Overview .......................................3
2. General Requirements ............................................4
3. Entropy Sources .................................................7
3.1. Volume Required ............................................7
3.2. Existing Hardware Can Be Used For Randomness ...............8
3.2.1. Using Existing Sound/Video Input ....................8
3.2.2. Using Existing Disk Drives ..........................8
3.3. Ring Oscillator Sources ....................................9
3.4. Problems with Clocks and Serial Numbers ...................10
3.5. Timing and Value of External Events .......................11
3.6. Non-hardware Sources of Randomness ........................12
4. De-skewing .....................................................12
4.1. Using Stream Parity to De-Skew ............................13
4.2. Using Transition Mappings to De-Skew ......................14
4.3. Using FFT to De-Skew ......................................15
4.4. Using Compression to De-Skew ..............................15
5. Mixing .........................................................16
5.1. A Trivial Mixing Function .................................17
5.2. Stronger Mixing Functions .................................18
5.3. Using S-Boxes for Mixing ..................................19
5.4. Diffie-Hellman as a Mixing Function .......................19
5.5. Using a Mixing Function to Stretch Random Bits ............20
5.6. Other Factors in Choosing a Mixing Function ...............20
6. Pseudo-random Number Generators ................................21
6.1. Some Bad Ideas ............................................21
6.1.1. The Fallacy of Complex Manipulation ................21
6.1.2. The Fallacy of Selection from a Large Database .....22
6.1.3. Traditional Pseudo-random Sequences ................23
6.2. Cryptographically Strong Sequences ........................24
6.2.1. OFB and CTR Sequences ..............................25
6.2.2. The Blum Blum Shub Sequence Generator ..............26
6.3. Entropy Pool Techniques ...................................27
7. Randomness Generation Examples and Standards ...................28
7.1. Complete Randomness Generators ............................28
7.1.1. US DoD Recommendations for Password Generation .....28
7.1.2. The /dev/random Device .............................29
7.1.3. Windows CryptGenRandom .............................30
7.2. Generators Assuming a Source of Entropy ...................31
7.2.1. X9.82 Pseudo-Random Number Generation ..............31
7.2.2. X9.17 Key Generation ...............................33
7.2.3. DSS Pseudo-random Number Generation ................34
8. Examples of Randomness Required ................................34
8.1. Password Generation .......................................35
8.2. A Very High Security Cryptographic Key ....................36
9. Conclusion .....................................................38
10. Security Considerations ........................................38
11. Acknowledgments ................................................39
Appendix A: Changes from RFC 1750 ..................................40
Informative References .............................................41
11. Acknowledgments ................................................39
Appendix A: Changes from RFC 1750 ..................................40
Informative References .............................................41
Software cryptography is coming into wider use, although there is a long way to go until it becomes pervasive. Systems such as SSH, IPSEC, TLS, S/MIME, PGP, DNSSEC, and Kerberos are maturing and becoming a part of the network landscape [SSH] [IPSEC] [TLS] [S/MIME] [MAIL_PGP*] [DNSSEC*]. For comparison, when the previous version of this document [RFC1750] was issued in 1994, the only Internet cryptographic security specification in the IETF was the Privacy Enhanced Mail protocol [MAIL_PEM*].
软件加密技术正在得到更广泛的应用,尽管要普及还有很长的路要走。SSH、IPSEC、TLS、S/MIME、PGP、DNSSEC和Kerberos等系统正在成熟,并成为网络环境[SSH][IPSEC][TLS][S/MIME][MAIL_PGP*][DNSSEC*]的一部分。作为比较,当本文件的前一版本[RFC1750]于1994年发布时,IETF中唯一的互联网加密安全规范是隐私增强邮件协议[Mail_PEM*]。
These systems provide substantial protection against snooping and spoofing. However, there is a potential flaw. At the heart of all cryptographic systems is the generation of secret, unguessable (i.e., random) numbers.
这些系统为防止窥探和欺骗提供了实质性的保护。然而,有一个潜在的缺陷。所有密码系统的核心是生成秘密的、不可使用的(即随机)数字。
The lack of generally available facilities for generating such random numbers (that is, the lack of general availability of truly unpredictable sources) forms an open wound in the design of cryptographic software. For the software developer who wants to build a key or password generation procedure that runs on a wide range of hardware, this is a very real problem.
缺乏生成此类随机数的普遍可用设施(即,缺乏真正不可预测源的普遍可用性)形成了密码软件设计中的一个开放伤口。对于想要构建在各种硬件上运行的密钥或密码生成过程的软件开发人员来说,这是一个非常现实的问题。
Note that the requirement is for data that an adversary has a very low probability of guessing or determining. This can easily fail if pseudo-random data is used that meets only traditional statistical tests for randomness, or that is based on limited-range sources such as clocks. Sometimes such pseudo-random quantities can be guessed by an adversary searching through an embarrassingly small space of possibilities.
请注意,该要求适用于对手猜测或确定概率极低的数据。如果使用的伪随机数据仅满足随机性的传统统计测试,或者基于时钟等有限范围源,则很容易失败。有时,这样的伪随机量可以被对手在一个令人尴尬的小空间中搜索时猜到。
This Best Current Practice document describes techniques for producing random quantities that will be resistant to attack. It recommends that future systems include hardware random number generation or provide access to existing hardware that can be used for this purpose. It suggests methods for use if such hardware is not available, and it gives some estimates of the number of random bits required for sample applications.
本最佳实践文件描述了产生抗攻击随机量的技术。它建议未来的系统包括硬件随机数生成或提供对可用于此目的的现有硬件的访问。它提出了在这种硬件不可用的情况下使用的方法,并对样本应用程序所需的随机比特数给出了一些估计。
Today, a commonly encountered randomness requirement is to pick a user password, usually a simple character string. Obviously, a password that can be guessed does not provide security. For re-usable passwords, it is desirable that users be able to remember the password. This may make it advisable to use pronounceable character strings or phrases composed of ordinary words. But this affects only the format of the password information, not the requirement that the password be very hard to guess.
今天,一个常见的随机性要求是选择一个用户密码,通常是一个简单的字符串。显然,可以猜测的密码并不能提供安全性。对于可重复使用的密码,用户最好能够记住密码。因此,建议使用由普通单词组成的可发音字符串或短语。但这只会影响密码信息的格式,而不会影响密码很难猜测的要求。
Many other requirements come from the cryptographic arena. Cryptographic techniques can be used to provide a variety of services, including confidentiality and authentication. Such services are based on quantities, traditionally called "keys", that are unknown to and unguessable by an adversary.
许多其他需求来自加密领域。密码技术可用于提供各种服务,包括保密性和身份验证。此类服务基于数量,传统上称为“密钥”,对手不知道且无法使用。
There are even TCP/IP protocol uses for randomness in picking initial sequence numbers [RFC1948].
甚至还有TCP/IP协议用于随机选择初始序列号[RFC1948]。
Generally speaking, the above examples also illustrate two different types of random quantities that may be wanted. In the case of human-usable passwords, the only important characteristic is that they be unguessable. It is not important that they may be composed of ASCII characters, so the top bit of every byte is zero, for example. On the other hand, for fixed length keys and the like, one normally wants quantities that appear to be truly random, that is, quantities whose bits will pass statistical randomness tests.
一般来说,上述示例还说明了可能需要的两种不同类型的随机量。对于人类可用的密码,唯一重要的特征是它们不可用。它们是否由ASCII字符组成并不重要,例如,每个字节的顶部位都是零。另一方面,对于固定长度的键等,人们通常想要看起来是真正随机的量,即其比特将通过统计随机性测试的量。
In some cases, such as the use of symmetric encryption with the one-time pads or an algorithm like the US Advanced Encryption Standard [AES], the parties who wish to communicate confidentially and/or with authentication must all know the same secret key. In other cases, where asymmetric or "public key" cryptographic techniques are used, keys come in pairs. One key of the pair is private and must be kept secret by one party; the other is public and can be published to the world. It is computationally infeasible to determine the private key from the public key, and knowledge of the public key is of no help to an adversary [ASYMMETRIC]. See general references [SCHNEIER, FERGUSON, KAUFMAN].
在某些情况下,例如使用一次性PAD的对称加密或类似于美国高级加密标准[AES]的算法,希望秘密通信和/或认证的各方都必须知道相同的密钥。在其他情况下,使用非对称或“公钥”加密技术时,密钥成对出现。一对密钥为私钥,必须由一方保密;另一种是公开的,可以向世界公布。从公钥中确定私钥在计算上是不可行的,对公钥的了解对对手毫无帮助[不对称]。见一般参考文献[SCHNEIER、FERGUSON、KAUFMAN]。
The frequency and volume of the requirement for random quantities differs greatly for different cryptographic systems. With pure RSA, random quantities are required only when a new key pair is generated; thereafter, any number of messages can be signed without a further need for randomness. The public key Digital Signature Algorithm devised by the US National Institute of Standards and Technology (NIST) requires good random numbers for each signature [DSS]. And
对于不同的密码系统,随机量要求的频率和数量有很大的不同。对于纯RSA,只有在生成新密钥对时才需要随机数量;此后,可以对任意数量的消息进行签名,而不需要进一步的随机性。美国国家标准与技术研究所(NIST)设计的公钥数字签名算法要求每个签名具有良好的随机数[DSS]。和
encrypting with a one-time pad (in principle the strongest possible encryption technique) requires randomness of equal volume to all the messages to be processed. See general references [SCHNEIER, FERGUSON, KAUFMAN].
使用一次性pad加密(原则上是最强大的加密技术)需要对所有要处理的消息进行等容量的随机性。见一般参考文献[SCHNEIER、FERGUSON、KAUFMAN]。
In most of these cases, an adversary can try to determine the "secret" key by trial and error. This is possible as long as the key is enough smaller than the message that the correct key can be uniquely identified. The probability of an adversary succeeding at this must be made acceptably low, depending on the particular application. The size of the space the adversary must search is related to the amount of key "information" present, in an information-theoretic sense [SHANNON]. This depends on the number of different secret values possible and the probability of each value, as follows:
在大多数情况下,对手可以通过反复试验来确定“秘密”密钥。这是可能的,只要密钥比消息小到可以唯一标识正确的密钥。敌方在这方面取得成功的概率必须降低到可接受的程度,这取决于具体的应用。在信息论意义上,敌方必须搜索的空间大小与关键“信息”的数量有关[SHANNON]。这取决于可能的不同秘密值的数量和每个值的概率,如下所示:
-----
\
Bits of information = \ - p * log ( p )
/ i 2 i
/
-----
-----
\
Bits of information = \ - p * log ( p )
/ i 2 i
/
-----
where i counts from 1 to the number of possible secret values and p sub i is the probability of the value numbered i. (Because p sub i is less than one, the log will be negative, so each term in the sum will be non-negative.)
其中i从1计数到可能的秘密值的数量,p sub i是编号i的值的概率。(由于p sub i小于1,因此对数将为负,因此总和中的每个项都将为非负。)
If there are 2^n different values of equal probability, then n bits of information are present and an adversary would have to try, on the average, half of the values, or 2^(n-1), before guessing the secret quantity. If the probability of different values is unequal, then there is less information present, and fewer guesses will, on average, be required by an adversary. In particular, any values that an adversary can know to be impossible or of low probability can be initially ignored by the adversary, who will search through the more probable values first.
如果有2^ n个相同概率的不同值,则存在n位信息,对手在猜测秘密量之前,平均必须尝试一半的值,或2^(n-1)。如果不同值的概率不相等,那么存在的信息就更少,平均而言,对手需要的猜测也更少。特别是,任何敌方可能知道不可能或概率较低的值最初都会被敌方忽略,而敌方会首先搜索更可能的值。
For example, consider a cryptographic system that uses 128-bit keys. If these keys are derived using a fixed pseudo-random number generator that is seeded with an 8-bit seed, then an adversary needs to search through only 256 keys (by running the pseudo-random number generator with every possible seed), not 2^128 keys as may at first appear to be the case. Only 8 bits of "information" are in these 128-bit keys.
例如,考虑使用128位密钥的密码系统。如果这些密钥是使用固定的伪随机数生成器生成的,该生成器的种子为8位种子,那么对手只需搜索256个密钥(通过使用每个可能的种子运行伪随机数生成器),而不是像最初看起来的那样搜索2^128个密钥。这128位密钥中只有8位“信息”。
While the above analysis is correct on average, it can be misleading in some cases for cryptographic analysis where what is really important is the work factor for an adversary. For example, assume that there is a pseudo-random number generator generating 128-bit keys, as in the previous paragraph, but that it generates zero half of the time and a random selection from the remaining 2^128 - 1 values the rest of the time. The Shannon equation above says that there are 64 bits of information in one of these key values, but an adversary, simply by trying the value zero, can break the security of half of the uses, albeit a random half. Thus, for cryptographic purposes, it is also useful to look at other measures, such as min-entropy, defined as
虽然上述分析平均来说是正确的,但在某些情况下,对于真正重要的是对手的工作因素的密码分析,它可能会产生误导。例如,假设有一个伪随机数生成器生成128位密钥,如前一段所述,但它会生成一半时间为零的密钥,其余时间从剩余的2^128-1值中随机选择。上面的香农方程表明,其中一个键值中包含64位信息,但对手只需尝试零,就可以破坏一半使用的安全性,尽管是随机的一半。因此,出于密码学目的,查看其他度量也很有用,例如定义为
Min-entropy = - log ( maximum ( p ) ) i
最小熵=-log(最大(p))i
where i is as above. Using this equation, we get 1 bit of min-entropy for our new hypothetical distribution, as opposed to 64 bits of classical Shannon entropy.
我的位置如上所述。利用这个方程,我们得到了新假设分布的1位最小熵,而不是经典香农熵的64位。
A continuous spectrum of entropies, sometimes called Renyi entropy, has been defined, specified by the parameter r. Here r = 1 is Shannon entropy and r = infinity is min-entropy. When r = zero, it is just log (n), where n is the number of non-zero probabilities. Renyi entropy is a non-increasing function of r, so min-entropy is always the most conservative measure of entropy and usually the best to use for cryptographic evaluation [LUBY].
一个连续的熵谱,有时被称为Renyi熵,已经被定义,由参数r指定。这里r=1是香农熵,r=无穷大是最小熵。当r=0时,它就是log(n),其中n是非零概率的数目。Renyi熵是r的非增函数,因此最小熵始终是熵的最保守度量,通常是用于密码评估的最佳度量[LUBY]。
Statistically tested randomness in the traditional sense is NOT the same as the unpredictability required for security use.
传统意义上经统计检验的随机性与安全使用所需的不可预测性不同。
For example, the use of a widely available constant sequence, such as the random table from the CRC Standard Mathematical Tables, is very weak against an adversary. An adversary who learns of or guesses it can easily break all security, future and past, based on the sequence [CRC]. As another example, using AES with a constant key to encrypt successive integers such as 1, 2, 3, ... will produce output that also has excellent statistical randomness properties but is predictable. On the other hand, taking successive rolls of a six-sided die and encoding the resulting values in ASCII would produce statistically poor output with a substantial unpredictable component. So note that passing or failing statistical tests doesn't reveal whether something is unpredictable or predictable.
例如,广泛使用的常量序列,如CRC标准数学表中的随机表,在对抗对手时非常脆弱。根据序列[CRC],得知或猜测它的对手可以轻易破坏所有安全,包括未来和过去。作为另一个示例,使用带有常量密钥的AES加密连续整数,如1、2、3、。。。将产生具有良好统计随机性特性但可预测的输出。另一方面,对六面模具进行连续滚动,并将结果值编码为ASCII,将产生统计上较差的输出,其中包含大量不可预测的组件。所以请注意,通过或失败的统计测试并不能揭示某些事情是不可预测的还是可预测的。
Entropy sources tend to be very implementation dependent. Once one has gathered sufficient entropy, it can be used as the seed to produce the required amount of cryptographically strong pseudo-randomness, as described in Sections 6 and 7, after being de-skewed or mixed as necessary, as described in Sections 4 and 5.
熵源往往非常依赖于实现。一旦收集到足够的熵,就可以将其用作种子,在必要时进行反扭曲或混合(如第4节和第5节所述)后,产生所需数量的加密强伪随机性(如第6节和第7节所述)。
Is there any hope for true, strong, portable randomness in the future? There might be. All that's needed is a physical source of unpredictable numbers.
未来真的、强大的、可移植的随机性还有希望吗?可能有。所需要的只是一个不可预测数字的物理来源。
Thermal noise (sometimes called Johnson noise in integrated circuits) or a radioactive decay source and a fast, free-running oscillator would do the trick directly [GIFFORD]. This is a trivial amount of hardware, and it could easily be included as a standard part of a computer system's architecture. Most audio (or video) input devices are usable [TURBID]. Furthermore, any system with a spinning disk or ring oscillator and a stable (crystal) time source or the like has an adequate source of randomness ([DAVIS] and Section 3.3). All that's needed is the common perception among computer vendors that this small additional hardware and the software to access it is necessary and useful.
热噪声(有时在集成电路中称为约翰逊噪声)或放射性衰变源和快速、自由运行的振荡器会直接起作用[GIFFORD]。这是一个微不足道的硬件,它可以很容易地作为计算机系统架构的标准部分。大多数音频(或视频)输入设备可用[混浊]。此外,任何具有旋转圆盘或环形振荡器和稳定(晶体)时间源等的系统都具有足够的随机性源([DAVIS]和第3.3节)。所需要的只是计算机供应商之间的共同看法,即访问这些额外的硬件和软件是必要和有用的。
ANSI X9 is currently developing a standard that includes a part devoted to entropy sources. See Part 2 of [X9.82].
ANSI X9目前正在开发一个标准,其中包括一个专门用于熵源的部分。参见[X9.82]的第2部分。
How much unpredictability is needed? Is it possible to quantify the requirement in terms of, say, number of random bits per second?
需要多少不可预测性?是否有可能用每秒随机比特数来量化需求?
The answer is that not very much is needed. For AES, the key can be 128 bits, and, as we show in an example in Section 8, even the highest security system is unlikely to require strong keying material of much over 200 bits. If a series of keys is needed, they can be generated from a strong random seed (starting value) using a cryptographically strong sequence, as explained in Section 6.2. A few hundred random bits generated at start-up or once a day is enough if such techniques are used. Even if the random bits are generated as slowly as one per second and it is not possible to overlap the generation process, it should be tolerable in most high-security applications to wait 200 seconds occasionally.
答案是不需要太多。对于AES,密钥可以是128位,并且,正如我们在第8节的示例中所示,即使是最高安全性的系统也不可能需要超过200位的强密钥材料。如果需要一系列密钥,可以使用加密强序列从强随机种子(起始值)生成密钥,如第6.2节所述。如果使用这种技术,在启动时或每天生成几百个随机比特就足够了。即使随机比特以每秒一个的速度生成,并且不可能与生成过程重叠,在大多数高安全性应用程序中,偶尔等待200秒也是可以接受的。
These numbers are trivial to achieve. It could be achieved by a person repeatedly tossing a coin, and almost any hardware based process is likely to be much faster.
这些数字实现起来微不足道。这可以通过一个人反复投掷硬币来实现,几乎任何基于硬件的过程都可能要快得多。
As described below, many computers come with hardware that can, with care, be used to generate truly random quantities.
如下所述,许多计算机都配备了硬件,可以小心地用来生成真正的随机量。
Many computers are built with inputs that digitize some real-world analog source, such as sound from a microphone or video input from a camera. The "input" from a sound digitizer with no source plugged in or from a camera with the lens cap on is essentially thermal noise. If the system has enough gain to detect anything, such input can provide reasonably high quality random bits. This method is extremely dependent on the hardware implementation.
许多计算机的输入可以数字化现实世界中的模拟源,如麦克风的声音或摄像机的视频输入。来自未插入声源的声音数字化仪或打开镜头盖的相机的“输入”本质上是热噪声。如果系统有足够的增益来检测任何东西,这样的输入可以提供相当高质量的随机位。这种方法非常依赖于硬件实现。
For example, on some UNIX-based systems, one can read from the /dev/audio device with nothing plugged into the microphone jack or with the microphone receiving only low level background noise. Such data is essentially random noise, although it should not be trusted without some checking, in case of hardware failure, and it will have to be de-skewed.
例如,在一些基于UNIX的系统上,可以在麦克风插孔中不插入任何东西或麦克风仅接收低电平背景噪声的情况下读取/dev/audio设备。这类数据本质上是随机噪声,尽管在硬件故障的情况下,如果不进行一些检查,就不应该信任它,并且必须对其进行反扭曲。
Combining this approach with compression to de-skew (see Section 4), one can generate a huge amount of medium-quality random data with the UNIX-style command line:
将此方法与压缩反扭曲相结合(参见第4节),可以使用UNIX风格的命令行生成大量中等质量的随机数据:
cat /dev/audio | compress - >random-bits-file
cat /dev/audio | compress - >random-bits-file
A detailed examination of this type of randomness source appears in [TURBID].
对这种随机性源的详细检查见[混浊]。
Disk drives have small random fluctuations in their rotational speed due to chaotic air turbulence [DAVIS, Jakobsson]. The addition of low-level disk seek-time instrumentation produces a series of measurements that contain this randomness. Such data is usually highly correlated, so significant processing is needed, as described in Section 5.2 below. Nevertheless, experimentation a decade ago showed that, with such processing, even slow disk drives on the slower computers of that day could easily produce 100 bits a minute or more of excellent random data.
由于混乱的空气湍流,磁盘驱动器的旋转速度有很小的随机波动[DAVIS,Jakobson]。添加低级磁盘寻道时间仪器会产生一系列包含这种随机性的测量值。此类数据通常高度相关,因此需要进行重要处理,如下文第5.2节所述。尽管如此,十年前的实验表明,通过这种处理,即使是在当时速度较慢的计算机上运行速度较慢的磁盘驱动器,也很容易每分钟产生100位或更多的优秀随机数据。
Every increase in processor speed, which increases the resolution with which disk motion can be timed or increases the rate of disk seeks, increases the rate of random bit generation possible with this technique. At the time of this paper and with modern hardware, a more typical rate of random bit production would be in excess of
处理器速度的每一次提高,都会提高磁盘运动计时的分辨率,或提高磁盘寻道的速率,从而增加此技术可能产生的随机位的速率。在本文撰写之时,使用现代硬件,更典型的随机位生成速率将超过
10,000 bits a second. This technique is used in random number generators included in many operating system libraries.
每秒10000位。此技术用于许多操作系统库中包含的随机数生成器。
Note: the inclusion of cache memories in disk controllers has little effect on this technique if very short seek times, which represent cache hits, are simply ignored.
注意:如果很短的寻道时间(表示缓存命中数)被忽略,那么磁盘控制器中包含的缓存对该技术几乎没有影响。
If an integrated circuit is being designed or field-programmed, an odd number of gates can be connected in series to produce a free-running ring oscillator. By sampling a point in the ring at a fixed frequency (for example, one determined by a stable crystal oscillator), some amount of entropy can be extracted due to variations in the free-running oscillator timing. It is possible to increase the rate of entropy by XOR'ing sampled values from a few ring oscillators with relatively prime lengths. It is sometimes recommended that an odd number of rings be used so that, even if the rings somehow become synchronously locked to each other, there will still be sampled bit transitions. Another possible source to sample is the output of a noisy diode.
如果一个集成电路正在设计或现场编程,奇数个门可以串联起来,产生一个自由运行的环形振荡器。通过以固定频率(例如,由稳定晶体振荡器确定的频率)对环中的一个点进行采样,由于自由运行振荡器定时的变化,可以提取一定量的熵。通过对几个具有相对素数长度的环形振荡器的采样值进行异或运算,可以提高熵的速率。有时建议使用奇数个环,以便即使环以某种方式彼此同步锁定,仍将存在采样位转换。另一个可能的采样源是噪声二极管的输出。
Sampled bits from such sources will have to be heavily de-skewed, as disk rotation timings must be (see Section 4). An engineering study would be needed to determine the amount of entropy being produced depending on the particular design. In any case, these can be good sources whose cost is a trivial amount of hardware by modern standards.
由于磁盘旋转定时必须如此(见第4节),来自此类源的采样位必须进行严重的反扭曲。需要进行工程研究,以确定根据特定设计产生的熵量。在任何情况下,这些都可能是很好的资源,按照现代标准,它们的成本只是少量的硬件。
As an example, IEEE 802.11i suggests the circuit below, with due attention in the design to isolation of the rings from each other and from clocked circuits to avoid undesired synchronization, etc., and with extensive post processing [IEEE_802.11i].
例如,IEEE 802.11i建议使用以下电路,在设计中应适当注意环与环之间的隔离以及与时钟电路的隔离,以避免不期望的同步等,并具有广泛的后处理[IEEE_802.11i]。
|\ |\ |\
+-->| >0-->| >0-- 19 total --| >0--+-------+
| |/ |/ |/ | |
| | |
+----------------------------------+ V
+-----+
|\ |\ |\ | | output
+-->| >0-->| >0-- 23 total --| >0--+--->| XOR |------>
| |/ |/ |/ | | |
| | +-----+
+----------------------------------+ ^ ^
| |
|\ |\ |\ | |
+-->| >0-->| >0-- 29 total --| >0--+------+ |
| |/ |/ |/ | |
| | |
+----------------------------------+ |
|
Other randomness, if available ---------+
|\ |\ |\
+-->| >0-->| >0-- 19 total --| >0--+-------+
| |/ |/ |/ | |
| | |
+----------------------------------+ V
+-----+
|\ |\ |\ | | output
+-->| >0-->| >0-- 23 total --| >0--+--->| XOR |------>
| |/ |/ |/ | | |
| | +-----+
+----------------------------------+ ^ ^
| |
|\ |\ |\ | |
+-->| >0-->| >0-- 29 total --| >0--+------+ |
| |/ |/ |/ | |
| | |
+----------------------------------+ |
|
Other randomness, if available ---------+
Computer clocks and similar operating system or hardware values, provide significantly fewer real bits of unpredictability than might appear from their specifications.
计算机时钟和类似的操作系统或硬件值所提供的不可预测性的实际比特数比它们的规范中可能出现的要少得多。
Tests have been done on clocks on numerous systems, and it was found that their behavior can vary widely and in unexpected ways. One version of an operating system running on one set of hardware may actually provide, say, microsecond resolution in a clock, while a different configuration of the "same" system may always provide the same lower bits and only count in the upper bits at much lower resolution. This means that successive reads of the clock may produce identical values even if enough time has passed that the value "should" change based on the nominal clock resolution. There are also cases where frequently reading a clock can produce artificial sequential values, because of extra code that checks for the clock being unchanged between two reads and increases it by one! Designing portable application code to generate unpredictable numbers based on such system clocks is particularly challenging because the system designer does not always know the properties of the system clock.
已经在许多系统上对时钟进行了测试,结果发现它们的行为可能会以意想不到的方式发生巨大变化。在一组硬件上运行的操作系统的一个版本实际上可能提供(比如)微秒级的时钟分辨率,而“同一”系统的不同配置可能总是提供相同的低位,并且仅以更低的分辨率计算高位。这意味着时钟的连续读取可能产生相同的值,即使经过足够的时间,该值“应该”根据标称时钟分辨率改变。还有一些情况下,频繁读取时钟会产生人为的顺序值,因为额外的代码会检查两次读取之间的时钟是否保持不变,并将其增加一倍!设计便携式应用程序代码以根据此类系统时钟生成不可预测的数字尤其具有挑战性,因为系统设计者并不总是知道系统时钟的属性。
Use of a hardware serial number (such as an Ethernet MAC address) may also provide fewer bits of uniqueness than one would guess. Such quantities are usually heavily structured, and subfields may have only a limited range of possible values, or values may be easily guessable based on approximate date of manufacture or other data.
使用硬件序列号(如以太网MAC地址)也可以提供比人们猜测的更少的唯一性位。此类数量通常结构复杂,子字段可能只有有限的可能值范围,或者根据大致的制造日期或其他数据可以轻松猜测值。
For example, it is likely that a company that manufactures both computers and Ethernet adapters will, at least internally, use its own adapters, which significantly limits the range of built-in addresses.
例如,一家同时生产计算机和以太网适配器的公司可能至少在内部使用自己的适配器,这大大限制了内置地址的范围。
Problems such as those described above make the production of code to generate unpredictable quantities difficult if the code is to be ported across a variety of computer platforms and systems.
如果要将代码移植到各种计算机平台和系统上,上述问题会使代码生成难以预测的数量变得困难。
It is possible to measure the timing and content of mouse movement, key strokes, and similar user events. This is a reasonable source of unguessable data, with some qualifications. On some machines, input such as key strokes is buffered. Even though the user's inter-keystroke timing may have sufficient variation and unpredictability, there might not be an easy way to access that variation. Another problem is that no standard method exists for sampling timing details. This makes it hard to use this technique to build standard software intended for distribution to a large range of machines.
可以测量鼠标移动、按键和类似用户事件的时间和内容。这是不可用数据的合理来源,但有一些限制。在某些机器上,输入(如按键)是缓冲的。即使用户的击键时间可能有足够的变化和不可预测性,也可能没有一种简单的方法来访问这种变化。另一个问题是,不存在采样定时细节的标准方法。这使得使用此技术构建用于分发到大量机器的标准软件变得困难。
The amount of mouse movement and the actual key strokes are usually easier to access than timings, but they may yield less unpredictability because the user may provide highly repetitive input.
鼠标移动量和实际的按键次数通常比计时更容易访问,但它们可能产生较少的不可预测性,因为用户可能提供高度重复的输入。
Other external events, such as network packet arrival times and lengths, can also be used, but only with great care. In particular, the possibility of manipulation of such network traffic measurements by an adversary and the lack of history at system start-up must be carefully considered. If this input is subject to manipulation, it must not be trusted as a source of entropy.
也可以使用其他外部事件,如网络数据包到达时间和长度,但必须非常小心。特别是,必须仔细考虑对手操纵此类网络流量测量的可能性以及系统启动时缺乏历史记录。如果该输入受到操纵,则不得将其视为熵的来源。
In principle, almost any external sensor, such as raw radio reception or temperature sensing in appropriately equipped computers, can be used. But in each case, careful consideration must be given to how much this data is subject to adversarial manipulation and to how much entropy it can actually provide.
原则上,几乎可以使用任何外部传感器,如原始无线电接收或适当配备的计算机中的温度感应。但在每种情况下,都必须仔细考虑这些数据有多少受到敌对操纵,以及它实际能提供多少熵。
The above techniques are quite powerful against attackers that have no access to the quantities being measured. For example, these techniques would be powerful against offline attackers who had no access to one's environment and who were trying to crack one's random seed after the fact. In all cases, the more accurately one can measure the timing or value of an external sensor, the more rapidly one can generate bits.
上述技术对于无法访问所测量数量的攻击者来说非常强大。例如,这些技术将对无法访问个人环境并试图在事后破解个人随机种子的离线攻击者具有强大的抵御能力。在所有情况下,测量外部传感器的定时或值越精确,生成位的速度就越快。
The best source of input entropy would be a hardware-based random source such as ring oscillators, disk drive timing, thermal noise, or radioactive decay. However, if none of these is available, there are other possibilities. These include system clocks, system or input/output buffers, user/system/hardware/network serial numbers or addresses and timing, and user input. Unfortunately, each of these sources can produce very limited or predictable values under some circumstances.
输入熵的最佳来源是基于硬件的随机源,如环形振荡器、磁盘驱动器定时、热噪声或放射性衰变。然而,如果这些都不可用,还有其他的可能性。这些包括系统时钟、系统或输入/输出缓冲区、用户/系统/硬件/网络序列号或地址和定时以及用户输入。不幸的是,在某些情况下,这些来源中的每一个都可能产生非常有限或可预测的价值。
Some of the sources listed above would be quite strong on multi-user systems, where each user of the system is in essence a source of randomness. However, on a small single-user or embedded system, especially at start-up, it might be possible for an adversary to assemble a similar configuration. This could give the adversary inputs to the mixing process that were well-enough correlated to those used originally to make exhaustive search practical.
上面列出的一些源在多用户系统上非常强大,其中系统的每个用户本质上都是随机性源。然而,在小型单用户或嵌入式系统上,尤其是在启动时,对手可能会组装类似的配置。这可以为混合过程提供对手的输入,这些输入与最初使用的输入有足够的相关性,从而使穷举搜索变得切实可行。
The use of multiple random inputs with a strong mixing function is recommended and can overcome weakness in any particular input. The timing and content of requested "random" user keystrokes can yield hundreds of random bits, but conservative assumptions need to be made. For example, one reasonably conservative assumption would be that an inter-keystroke interval provides at most a few bits of randomness, but only when the interval is unique in the sequence of intervals up to that point. A similar assumption would be that a key code provides a few bits of randomness, but only when the code is unique in the sequence. Thus, an interval or key code that duplicated a previous value would be assumed to provide no additional randomness. The results of mixing these timings with typed characters could be further combined with clock values and other inputs.
建议使用具有强混合功能的多个随机输入,可以克服任何特定输入的弱点。请求的“随机”用户击键的时间和内容可以产生数百个随机位,但需要做出保守的假设。例如,一个合理保守的假设是,击键间隔最多提供几位随机性,但仅当该间隔在该点之前的间隔序列中是唯一的时。类似的假设是,一个关键代码提供了一些随机性,但仅当代码在序列中是唯一的时。因此,假设与先前值重复的间隔或键代码不提供额外的随机性。将这些计时与类型化字符混合的结果可以进一步与时钟值和其他输入相结合。
This strategy may make practical portable code for producing good random numbers for security, even if some of the inputs are very weak on some of the target systems. However, it may still fail against a high-grade attack on small, single-user, or embedded systems, especially if the adversary has ever been able to observe the generation process in the past. A hardware-based random source is still preferable.
这种策略可以生成实用的可移植代码,用于生成安全性良好的随机数,即使某些目标系统上的某些输入非常弱。但是,对于小型、单用户或嵌入式系统的高级攻击,它仍然可能失败,特别是如果对手过去能够观察到生成过程。基于硬件的随机源仍然是首选。
Is there any specific requirement on the shape of the distribution of quantities gathered for the entropy to produce the random numbers? The good news is that the distribution need not be uniform. All that is needed to bound performance is a conservative estimate of how
对于熵产生随机数所收集的数量分布的形状是否有任何具体要求?好消息是,分布不必是统一的。约束性能所需要的只是保守估计如何约束性能
non-uniform it is. Simple techniques to de-skew a bit stream are given below, and stronger cryptographic techniques are described in Section 5.2.
这是不统一的。下面给出了消除位流倾斜的简单技术,第5.2节描述了更强的加密技术。
As a simple but not particularly practical example, consider taking a sufficiently long string of bits and mapping the string to "zero" or "one". The mapping will not yield a perfectly uniform distribution, but it can be as close as desired. One mapping that serves the purpose is to take the parity of the string. This has the advantages that it is robust across all degrees of skew up to the estimated maximum skew and that it is trivial to implement in hardware.
作为一个简单但不是特别实际的例子,考虑取一个足够长的位串并将字符串映射成“0”或“1”。映射不会产生完全均匀的分布,但它可以尽可能接近所需。一个用于此目的的映射是获取字符串的奇偶校验。这样做的优点是,它在所有程度的倾斜上都是健壮的,直到估计的最大倾斜,并且在硬件中实现起来非常简单。
The following analysis gives the number of bits that must be sampled:
以下分析给出了必须采样的位数:
Suppose that the ratio of ones to zeros is ( 0.5 + E ) to ( 0.5 - E ), where E is between 0 and 0.5 and is a measure of the "eccentricity" of the distribution. Consider the distribution of the parity function of N bit samples. The respective probabilities that the parity will be one or zero will be the sum of the odd or even terms in the binomial expansion of (p + q)^N, where p = 0.5 + E, the probability of a one, and q = 0.5 - E, the probability of a zero.
假设1与0的比率为(0.5+E)到(0.5-E),其中E在0和0.5之间,是分布“偏心率”的度量。考虑N位样本的奇偶校验函数的分布。奇偶校验为1或0的概率分别为(p+q)^N的二项式展开式中奇偶项的和,其中p=0.5+E,概率为1,q=0.5-E,概率为0。
These sums can be computed easily as
这些总和可以很容易地计算出来
N N
1/2 * ( ( p + q ) + ( p - q ) )
N N
1/2 * ( ( p + q ) + ( p - q ) )
and N N 1/2 * ( ( p + q ) - ( p - q ) ).
和n1/2*((p+q)-(p-q))。
(Which formula corresponds to the probability that the parity will be 1 depends on whether N is odd or even.)
(哪个公式对应奇偶校验为1的概率取决于N是奇数还是偶数。)
Since p + q = 1 and p - q = 2E, these expressions reduce to
Since p + q = 1 and p - q = 2E, these expressions reduce to
N 1/2 * [1 + (2E) ]
N 1/2*[1+(2E)]
and N 1/2 * [1 - (2E) ].
和N 1/2*[1-(2E)]。
Neither of these will ever be exactly 0.5 unless E is zero, but we can bring them arbitrarily close to 0.5. If we want the probabilities to be within some delta d of 0.5, e.g., then
除非E为零,否则这两个值都不会精确到0.5,但我们可以任意使它们接近0.5。如果我们希望概率在0.5的delta d范围内,例如
N ( 0.5 + ( 0.5 * (2E) ) ) < 0.5 + d.
N(0.5+(0.5*(2E))<0.5+d。
Solving for N yields N > log(2d)/log(2E). (Note that 2E is less than 1, so its log is negative. Division by a negative number reverses the sense of an inequality.)
求解N得到N>log(2d)/log(2E)。(请注意2E小于1,因此其对数为负数。除以负数可反转不等式的含义。)
The following table gives the length N of the string that must be sampled for various degrees of skew in order to come within 0.001 of a 50/50 distribution.
下表给出了必须针对不同程度的倾斜进行采样的字符串长度N,以便在50/50分布的0.001范围内。
+---------+--------+-------+
| Prob(1) | E | N |
+---------+--------+-------+
| 0.5 | 0.00 | 1 |
| 0.6 | 0.10 | 4 |
| 0.7 | 0.20 | 7 |
| 0.8 | 0.30 | 13 |
| 0.9 | 0.40 | 28 |
| 0.95 | 0.45 | 59 |
| 0.99 | 0.49 | 308 |
+---------+--------+-------+
+---------+--------+-------+
| Prob(1) | E | N |
+---------+--------+-------+
| 0.5 | 0.00 | 1 |
| 0.6 | 0.10 | 4 |
| 0.7 | 0.20 | 7 |
| 0.8 | 0.30 | 13 |
| 0.9 | 0.40 | 28 |
| 0.95 | 0.45 | 59 |
| 0.99 | 0.49 | 308 |
+---------+--------+-------+
The last entry shows that even if the distribution is skewed 99% in favor of ones, the parity of a string of 308 samples will be within 0.001 of a 50/50 distribution. But, as we shall see in section 5.2, there are much stronger techniques that extract more of the available entropy.
最后一项显示,即使分布偏向于1,偏离了99%,308个样本串的奇偶性也将在50/50分布的0.001范围内。但是,正如我们将在第5.2节中看到的,有更强大的技术可以提取更多的可用熵。
Another technique, originally due to von Neumann [VON_NEUMANN], is to examine a bit stream as a sequence of non-overlapping pairs. One could then discard any 00 or 11 pairs found, interpret 01 as a 0 and 10 as a 1. Assume that the probability of a 1 is 0.5+E and that the probability of a 0 is 0.5-E, where E is the eccentricity of the source as described in the previous section. Then the probability of each pair is shown in the following table:
另一种技术最初源于冯·诺依曼[von_Neumann],它将比特流作为一个非重叠对序列进行检查。然后可以丢弃找到的任何00或11对,将01解释为0,将10解释为1。假设a 1的概率为0.5+E,且a 0的概率为0.5-E,其中E为前一节中所述的震源偏心率。然后,每对的概率如下表所示:
+------+-----------------------------------------+
| pair | probability |
+------+-----------------------------------------+
| 00 | (0.5 - E)^2 = 0.25 - E + E^2 |
| 01 | (0.5 - E)*(0.5 + E) = 0.25 - E^2 |
| 10 | (0.5 + E)*(0.5 - E) = 0.25 - E^2 |
| 11 | (0.5 + E)^2 = 0.25 + E + E^2 |
+------+-----------------------------------------+
+------+-----------------------------------------+
| pair | probability |
+------+-----------------------------------------+
| 00 | (0.5 - E)^2 = 0.25 - E + E^2 |
| 01 | (0.5 - E)*(0.5 + E) = 0.25 - E^2 |
| 10 | (0.5 + E)*(0.5 - E) = 0.25 - E^2 |
| 11 | (0.5 + E)^2 = 0.25 + E + E^2 |
+------+-----------------------------------------+
This technique will completely eliminate any bias but requires an indeterminate number of input bits for any particular desired number of output bits. The probability of any particular pair being discarded is 0.5 + 2E^2, so the expected number of input bits to produce X output bits is X/(0.25 - E^2).
这种技术将完全消除任何偏差,但对于任何特定数量的输出位,需要不确定数量的输入位。任何特定对被丢弃的概率为0.5+2E^2,因此产生X个输出位的预期输入位数为X/(0.25-E^2)。
This technique assumes that the bits are from a stream where each bit has the same probability of being a 0 or 1 as any other bit in the stream and that bits are uncorrelated, i.e., that the bits come from identical independent distributions. If alternate bits are from two correlated sources, for example, the above analysis breaks down.
该技术假设比特来自流,其中每个比特与流中的任何其他比特具有相同的成为0或1的概率,并且比特是不相关的,即,比特来自相同的独立分布。例如,如果备用位来自两个相关源,则上述分析将失效。
The above technique also provides another illustration of how a simple statistical analysis can mislead if one is not always on the lookout for patterns that could be exploited by an adversary. If the algorithm were misread slightly so that overlapping successive bits pairs were used instead of non-overlapping pairs, the statistical analysis given would be the same. However, instead of providing an unbiased, uncorrelated series of random 1s and 0s, it would produce a totally predictable sequence of exactly alternating 1s and 0s.
上述技术还提供了另一个例子,说明了如果一个人不总是注意可能被对手利用的模式,那么简单的统计分析是如何误导的。如果算法被轻微误读,以至于使用重叠的连续比特对而不是非重叠比特对,那么给出的统计分析将是相同的。然而,它不是提供一个无偏、不相关的随机1和0序列,而是产生一个完全可预测的1和0交替序列。
When real-world data consists of strongly correlated bits, it may still contain useful amounts of entropy. This entropy can be extracted through various transforms, the most powerful of which are described in section 5.2 below.
当真实世界的数据由强相关位组成时,它可能仍然包含有用的熵。该熵可通过各种变换提取,其中最强大的变换将在下文第5.2节中描述。
Using the Fourier transform of the data or its optimized variant, the FFT, is interesting primarily for theoretical reasons. It can be shown that this technique will discard strong correlations. If adequate data is processed and if remaining correlations decay, spectral lines that approach statistical independence and normally distributed randomness can be produced [BRILLINGER].
使用数据的傅里叶变换或其优化变量FFT,主要是出于理论原因。可以证明,这种技术将丢弃强相关性。如果处理足够的数据并且剩余的相关性衰减,则可以产生接近统计独立性和正态分布随机性的谱线[BRILLINGER]。
Reversible compression techniques also provide a crude method of de-skewing a skewed bit stream. This follows directly from the definition of reversible compression and the formula in Section 2 for the amount of information in a sequence. Since the compression is reversible, the same amount of information must be present in the shorter output as was present in the longer input. By the Shannon information equation, this is only possible if, on average, the probabilities of the different shorter sequences are more uniformly distributed than were the probabilities of the longer sequences. Therefore, the shorter sequences must be de-skewed relative to the input.
可逆压缩技术还提供了一种消除倾斜比特流倾斜的粗略方法。这直接源自可逆压缩的定义和第2节中关于序列中信息量的公式。由于压缩是可逆的,因此较短的输出中的信息量必须与较长的输入中的信息量相同。根据香农信息方程,仅当平均而言,不同较短序列的概率比较长序列的概率分布更均匀时,这才是可能的。因此,较短的序列必须相对于输入去偏斜。
However, many compression techniques add a somewhat predictable preface to their output stream and may insert a similar sequence periodically in their output or otherwise introduce subtle patterns of their own. They should be considered only rough techniques compared to those described in Section 5.2. At a minimum, the beginning of the compressed sequence should be skipped and only later bits should used for applications requiring roughly-random bits.
然而,许多压缩技术在其输出流中添加了某种程度上可预测的序列,可能会在其输出中周期性地插入类似的序列,或者引入自己的微妙模式。与第5.2节中所述相比,它们应仅被视为粗略的技术。至少,压缩序列的开头应该被跳过,只有后面的位应该用于需要大致随机位的应用程序。
What is the best overall strategy for obtaining unguessable random numbers in the absence of a strong, reliable hardware entropy source? It is to obtain input from a number of uncorrelated sources and to mix them with a strong mixing function. Such a function will preserve the entropy present in any of the sources, even if other quantities being combined happen to be fixed or easily guessable (low entropy). This approach may be advisable even with a good hardware source, as hardware can also fail. However, this should be weighed against a possible increase in the chance of overall failure due to added software complexity.
在没有强大、可靠的硬件熵源的情况下,获取不可用随机数的最佳总体策略是什么?它是从许多不相关的源中获取输入,并用强混合函数将其混合。这样的函数将保留任何来源中存在的熵,即使其他被组合的量恰好是固定的或容易猜测(低熵)。即使硬件源很好,这种方法也可能是可取的,因为硬件也可能出现故障。然而,这应该与由于软件复杂性增加而导致的整体故障可能性增加进行权衡。
Once one has used good sources, such as some of those listed in Section 3, and mixed them as described in this section, one has a strong seed. This can then be used to produce large quantities of cryptographically strong material as described in Sections 6 and 7.
一旦一个人使用了好的资源,例如第3节中列出的一些资源,并按照本节中的描述将它们混合在一起,他就有了一个强大的种子。然后,这可以用于生产大量加密强度高的材料,如第6节和第7节所述。
A strong mixing function is one that combines inputs and produces an output in which each output bit is a different complex non-linear function of all the input bits. On average, changing any input bit will change about half the output bits. But because the relationship is complex and non-linear, no particular output bit is guaranteed to change when any particular input bit is changed.
强混合函数是一种组合输入并产生输出的函数,其中每个输出位是所有输入位的不同复杂非线性函数。平均而言,更改任何输入位都会更改大约一半的输出位。但是,由于这种关系是复杂和非线性的,当任何特定的输入位发生变化时,都不能保证任何特定的输出位发生变化。
Consider the problem of converting a stream of bits that is skewed towards 0 or 1 or which has a somewhat predictable pattern to a shorter stream which is more random, as discussed in Section 4. This is simply another case where a strong mixing function is desired, to mix the input bits and produce a smaller number of output bits. The technique given in Section 4.1, using the parity of a number of bits, is simply the result of successively XORing them. This is examined as a trivial mixing function, immediately below. Use of stronger mixing functions to extract more of the randomness in a stream of skewed bits is examined in Section 5.2. See also [NASLUND].
考虑将一个被倾斜到0或1或具有某种可预测模式的比特流转换成更随机的较短流的问题,如第4节中所讨论的。这只是另一种需要强混合功能的情况,以混合输入位并产生较少数量的输出位。第4.1节中给出的使用多个位的奇偶校验的技术,仅仅是连续对它们进行异或运算的结果。这是一个简单的混合函数,如下所示。第5.2节研究了如何使用更强的混合函数在倾斜比特流中提取更多的随机性。另见[NASLUND]。
For expository purposes we describe a trivial example for single bit inputs using the Exclusive Or (XOR) function. This function is equivalent to addition without carry, as show in the table below. This is a degenerate case in which the one output bit always changes for a change in either input bit. But, despite its simplicity, it provides a useful illustration.
出于解释目的,我们描述了一个使用异或(XOR)函数的单位输入的简单示例。此函数相当于不带进位的加法,如下表所示。这是一种退化情况,其中一个输出位总是随任一输入位的变化而变化。但是,尽管它很简单,但它提供了一个有用的例子。
+-----------+-----------+----------+
| input 1 | input 2 | output |
+-----------+-----------+----------+
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
+-----------+-----------+----------+
+-----------+-----------+----------+
| input 1 | input 2 | output |
+-----------+-----------+----------+
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |
+-----------+-----------+----------+
If inputs 1 and 2 are uncorrelated and combined in this fashion, then the output will be an even better (less skewed) random bit than the inputs are. If we assume an "eccentricity" E as defined in Section 4.1 above, then the output eccentricity relates to the input eccentricity as follows:
如果输入1和2是不相关的,并且以这种方式组合,那么输出将是比输入更好的(不那么扭曲)随机位。如果我们假设上文第4.1节中定义的“偏心率”E,则输出偏心率与输入偏心率相关,如下所示:
E = 2 * E * E output input 1 input 2
E=2*E*E输出输入1输入2
Since E is never greater than 1/2, the eccentricity is always improved, except in the case in which at least one input is a totally skewed constant. This is illustrated in the following table, where the top and left side values are the two input eccentricities and the entries are the output eccentricity:
由于E永远不会大于1/2,因此偏心率始终会得到改善,但至少有一个输入是完全倾斜常数的情况除外。下表对此进行了说明,其中顶部和左侧值为两个输入偏心率,条目为输出偏心率:
+--------+--------+--------+--------+--------+--------+--------+
| E | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
+--------+--------+--------+--------+--------+--------+--------+
| 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 |
| 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 |
| 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 |
| 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 |
| 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
+--------+--------+--------+--------+--------+--------+--------+
+--------+--------+--------+--------+--------+--------+--------+
| E | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
+--------+--------+--------+--------+--------+--------+--------+
| 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
| 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 |
| 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 |
| 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 |
| 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 |
| 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
+--------+--------+--------+--------+--------+--------+--------+
However, note that the above calculations assume that the inputs are not correlated. If the inputs were, say, the parity of the number of minutes from midnight on two clocks accurate to a few seconds, then each might appear random if sampled at random intervals much longer
但是,请注意,上述计算假设输入不相关。比如说,如果输入是两个时钟上从午夜到几秒钟的分钟数的奇偶校验,那么如果以更长的随机间隔进行采样,则每个时钟都可能看起来是随机的
than a minute. Yet if they were both sampled and combined with XOR, the result would be zero most of the time.
不到一分钟。然而,如果同时对它们进行采样并与XOR相结合,大多数情况下结果都是零。
The US Government Advanced Encryption Standard [AES] is an example of a strong mixing function for multiple bit quantities. It takes up to 384 bits of input (128 bits of "data" and 256 bits of "key") and produces 128 bits of output, each of which is dependent on a complex non-linear function of all input bits. Other encryption functions with this characteristic, such as [DES], can also be used by considering them to mix all of their key and data input bits.
美国政府高级加密标准[AES]是多比特量强混合函数的一个示例。它最多占用384位输入(128位“数据”和256位“密钥”),并产生128位输出,每个输出都依赖于所有输入位的复杂非线性函数。具有此特性的其他加密功能,例如[DES],也可以通过考虑它们混合所有密钥和数据输入位来使用。
Another good family of mixing functions is the "message digest" or hashing functions such as the US Government Secure Hash Standards [SHA*] and the MD4, MD5 [MD4, MD5] series. These functions all take a practically unlimited amount of input and produce a relatively short fixed-length output mixing all the input bits. The MD* series produces 128 bits of output, SHA-1 produces 160 bits, and other SHA functions produce up to 512 bits.
另一个很好的混合函数系列是“消息摘要”或散列函数,如美国政府安全散列标准[SHA*]和MD4、MD5[MD4、MD5]系列。这些函数都接受几乎无限量的输入,并产生一个相对较短的固定长度输出,混合所有输入位。MD*系列产生128位输出,SHA-1产生160位,其他SHA函数最多产生512位。
Although the message digest functions are designed for variable amounts of input, AES and other encryption functions can also be used to combine any number of inputs. If 128 bits of output is adequate, the inputs can be packed into a 128-bit data quantity and successive AES "keys", padding with zeros if needed; the quantity is then successively encrypted by the "keys" using AES in Electronic Codebook Mode. Alternatively, the input could be packed into one 128-bit key and multiple data blocks and a CBC-MAC could be calculated [MODES].
尽管消息摘要函数设计用于可变的输入量,但AES和其他加密函数也可用于组合任意数量的输入。如果128位的输出足够,输入可以打包成128位的数据量和连续的AES“键”,如果需要,用零填充;然后在电子码本模式下使用AES通过“密钥”对数量进行连续加密。或者,输入可以打包成一个128位密钥和多个数据块,并且可以计算CBC-MAC[模式]。
More complex mixing should be used if more than 128 bits of output are needed and one wants to employ AES (but note that it is absolutely impossible to get more bits of "randomness" out than are put in). For example, suppose that inputs are packed into three quantities, A, B, and C. One may use AES to encrypt A with B and then with C as keys to produce the first part of the output, then encrypt B with C and then A for more output and, if necessary, encrypt C with A and then B for yet more output. Still more output can be produced by reversing the order of the keys given above. The same can be done with the hash functions, hashing various subsets of the input data or different copies of the input data with different prefixes and/or suffixes to produce multiple outputs.
如果需要128位以上的输出,并且希望使用AES,则应使用更复杂的混合(但请注意,输出的“随机性”比特数绝对不可能超过输入的比特数)。例如,假设输入被压缩为三个量,A、B和C。可以使用AES用B加密A,然后用C作为密钥生成输出的第一部分,然后用C加密B,然后用A加密更多输出,如有必要,用A加密C,然后用B加密更多输出。通过颠倒上述键的顺序,可以产生更多的输出。同样,可以使用散列函数,对输入数据的各种子集或具有不同前缀和/或后缀的输入数据的不同副本进行散列,以产生多个输出。
For an example of using a strong mixing function, reconsider the case of a string of 308 bits, each of which is biased 99% toward zero. The parity technique given in Section 4.1 reduces this to one bit, with only a 1/1000 deviance from being equally likely a zero or one. But, applying the equation for information given in Section 2, this
对于使用强混合函数的示例,请重新考虑308位的字符串的情况,其中每个位都向零偏移99%。第4.1节中给出的奇偶校验技术将其减少到一位,只有1/1000的偏差与0或1的可能性相等。但是,应用第2节中给出的信息方程
308-bit skewed sequence contains over 5 bits of information. Thus, hashing it with SHA-1 and taking the bottom 5 bits of the result would yield 5 unbiased random bits and not the single bit given by calculating the parity of the string. Alternatively, for some applications, you could use the entire hash output to retain almost all of the 5+ bits of entropy in a 160-bit quantity.
308位倾斜序列包含超过5位的信息。因此,使用SHA-1对其进行散列并获取结果的底部5位将产生5个无偏随机位,而不是通过计算字符串奇偶校验给出的单个位。或者,对于某些应用程序,您可以使用整个哈希输出以160位的数量保留几乎所有5+位的熵。
Many modern block encryption functions, including DES and AES, incorporate modules known as S-Boxes (substitution boxes). These produce a smaller number of outputs from a larger number of inputs through a complex non-linear mixing function that has the effect of concentrating limited entropy from the inputs into the output.
许多现代块加密功能,包括DES和AES,都包含称为S盒(替换盒)的模块。它们通过复杂的非线性混合函数从大量输入中产生少量输出,该函数具有将有限熵从输入集中到输出的效果。
S-Boxes sometimes incorporate bent Boolean functions (functions of an even number of bits producing one output bit with maximum non-linearity). Looking at the output for all input pairs differing in any particular bit position, exactly half the outputs are different. An S-Box in which each output bit is produced by a bent function such that any linear combination of these functions is also a bent function is called a "perfect S-Box".
S盒有时包含bent布尔函数(偶数个位的函数产生一个具有最大非线性的输出位)。查看在任何特定位位置不同的所有输入对的输出,正好有一半的输出是不同的。一个S盒,其中每个输出位由一个bent函数产生,因此这些函数的任何线性组合也是一个bent函数,称为“完美S盒”。
S-boxes and various repeated applications or cascades of such boxes can be used for mixing [SBOX1, SBOX2].
S盒和各种重复应用或此类盒的级联可用于混合[SBOX1,SBOX2]。
Diffie-Hellman exponential key exchange is a technique that yields a shared secret between two parties. It can be computationally infeasible for a third party to determine this secret even if they can observe all the messages between the two communicating parties. This shared secret is a mixture of initial quantities generated by each of the parties [D-H].
Diffie-Hellman指数密钥交换是一种在双方之间产生共享秘密的技术。即使第三方能够观察到两个通信方之间的所有消息,在计算上也不可能确定该秘密。该共享秘密是各方产生的初始量的混合物[D-H]。
If these initial quantities are random and uncorrelated, then the shared secret combines their entropy but, of course, can not produce more randomness than the size of the shared secret generated.
如果这些初始量是随机且不相关的,那么共享秘密结合了它们的熵,但是,当然,不能产生比生成的共享秘密的大小更大的随机性。
Although this is true if the Diffie-Hellman computation is performed privately, an adversary who can observe either of the public keys and knows the modulus being used need only search through the space of the other secret key in order to be able to calculate the shared secret [D-H]. So, conservatively, it would be best to consider public Diffie-Hellman to produce a quantity whose guessability corresponds to the worse of the two inputs. Because of this and the fact that Diffie-Hellman is computationally intensive, its use as a mixing function is not recommended.
虽然如果Diffie-Hellman计算是私下进行的,这是正确的,但是能够观察到其中一个公钥并且知道所使用的模的对手只需要搜索其他密钥的空间,以便能够计算共享密钥[D-H]。因此,保守地,最好考虑公共Diffie Hellman产生一个数量,其猜测对应于两个输入的差。由于Diffie-Hellman是计算密集型函数,因此不建议将其用作混合函数。
Although it is not necessary for a mixing function to produce the same or fewer output bits than its inputs, mixing bits cannot "stretch" the amount of random unpredictability present in the inputs. Thus, four inputs of 32 bits each, in which there are 12 bits worth of unpredictability (such as 4,096 equally probable values) in each input, cannot produce more than 48 bits worth of unpredictable output. The output can be expanded to hundreds or thousands of bits by, for example, mixing with successive integers, but the clever adversary's search space is still 2^48 possibilities. Furthermore, mixing to fewer bits than are input will tend to strengthen the randomness of the output.
尽管混合函数不必产生与其输入相同或更少的输出位,但混合位不能“拉伸”输入中存在的随机不可预测性。因此,每个32位的四个输入,其中每个输入中有12位值的不可预测性(例如4096个等概率值),不能产生超过48位值的不可预测输出。例如,通过与连续整数混合,输出可以扩展到数百或数千位,但聪明的对手的搜索空间仍然是2^48。此外,混合到比输入更少的位将倾向于加强输出的随机性。
The last table in Section 5.1 shows that mixing a random bit with a constant bit with Exclusive Or will produce a random bit. While this is true, it does not provide a way to "stretch" one random bit into more than one. If, for example, a random bit is mixed with a 0 and then with a 1, this produces a two bit sequence but it will always be either 01 or 10. Since there are only two possible values, there is still only the one bit of original randomness.
第5.1节中的最后一个表显示,将随机位与带异或的常量位混合将产生随机位。虽然这是事实,但它并没有提供将一个随机位“拉伸”到多个随机位的方法。例如,如果一个随机位与0混合,然后与1混合,这将产生一个两位序列,但它将始终是01或10。因为只有两个可能的值,所以仍然只有一位原始随机性。
For local use, AES has the advantages that it has been widely tested for flaws, is reasonably efficient in software, and is widely documented and implemented with hardware and software implementations available all over the world including open source code. The SHA* family have had a little less study and tend to require more CPU cycles than AES but there is no reason to believe they are flawed. Both SHA* and MD5 were derived from the earlier MD4 algorithm. They all have source code available [SHA*, MD4, MD5]. Some signs of weakness have been found in MD4 and MD5. In particular, MD4 has only three rounds and there are several independent breaks of the first two or last two rounds. And some collisions have been found in MD5 output.
对于本地使用,AES的优点是,它已经过广泛的缺陷测试,在软件方面相当有效,并且被广泛记录并使用世界各地可用的硬件和软件实现(包括开源代码)实现。SHA*家族的研究较少,而且往往比AES需要更多的CPU周期,但没有理由相信它们有缺陷。SHA*和MD5都源自早期的MD4算法。它们都有可用的源代码[SHA*,MD4,MD5]。在MD4和MD5中发现了一些弱点的迹象。特别是,MD4只有三轮,前两轮或最后两轮有几次独立的突破。在MD5输出中发现了一些冲突。
AES was selected by a robust, public, and international process. It and SHA* have been vouched for by the US National Security Agency (NSA) on the basis of criteria that mostly remain secret, as was DES. While this has been the cause of much speculation and doubt, investigation of DES over the years has indicated that NSA involvement in modifications to its design, which originated with IBM, was primarily to strengthen it. There has been no announcement of a concealed or special weakness being found in DES. It is likely that the NSA modifications to MD4 to produce the SHA algorithms similarly strengthened these algorithms, possibly against threats not yet known in the public cryptographic community.
AES是通过一个强有力的、公开的和国际性的过程选择的。美国国家安全局(NSA)根据基本上仍是秘密的标准,为它和SHA*提供了担保,DES也是如此。虽然这一直是许多猜测和怀疑的原因,但多年来对DES的调查表明,NSA参与修改其设计(起源于IBM)主要是为了加强它。没有任何迹象表明DES存在隐藏的或特殊的弱点。NSA对MD4的修改很可能会产生类似的SHA算法,从而增强这些算法,可能是针对公共密码社区中未知的威胁。
Where input lengths are unpredictable, hash algorithms are more convenient to use than block encryption algorithms since they are generally designed to accept variable length inputs. Block encryption algorithms generally require an additional padding algorithm to accommodate inputs that are not an even multiple of the block size.
在输入长度不可预测的情况下,哈希算法比块加密算法更便于使用,因为它们通常被设计为接受可变长度的输入。块加密算法通常需要一个额外的填充算法来容纳不是块大小偶数倍的输入。
As of the time of this document, the authors know of no patent claims to the basic AES, DES, SHA*, MD4, and MD5 algorithms other than patents for which an irrevocable royalty free license has been granted to the world. There may, of course, be essential patents of which the authors are unaware or patents on implementations or uses or other relevant patents issued or to be issued.
截至本文件发布之时,作者还不知道对基本AES、DES、SHA*、MD4和MD5算法的任何专利要求,但已向世界授予不可撤销的免版税许可的专利除外。当然,可能存在作者不知道的基本专利,或实施或使用的专利,或已发布或将发布的其他相关专利。
When a seed has sufficient entropy, from input as described in Section 3 and possibly de-skewed and mixed as described in Sections 4 and 5, one can algorithmically extend that seed to produce a large number of cryptographically-strong random quantities. Such algorithms are platform independent and can operate in the same fashion on any computer. For the algorithms to be secure, their input and internal workings must be protected from adversarial observation.
当一个种子具有足够的熵时,从第3节所述的输入,到第4节和第5节所述的可能的去偏斜和混合,可以通过算法扩展该种子以产生大量加密强随机量。这些算法与平台无关,可以在任何计算机上以相同的方式运行。为了保证算法的安全,必须保护其输入和内部工作免受敌对观察。
The design of such pseudo-random number generation algorithms, like the design of symmetric encryption algorithms, is not a task for amateurs. Section 6.1 below lists a number of bad ideas that failed algorithms have used. To learn what works, skip Section 6.1 and just read the remainder of this section and Section 7, which describes and references some standard pseudo random number generation algorithms. See Section 7 and Part 3 of [X9.82].
与对称加密算法的设计一样,此类伪随机数生成算法的设计不是业余爱好者的任务。下面的第6.1节列出了一些失败的算法所使用的错误想法。要了解什么是有效的,跳过第6.1节,只需阅读本节和第7节的其余部分,其中描述并参考了一些标准的伪随机数生成算法。见[X9.82]第7节和第3部分。
The subsections below describe a number of ideas that might seem reasonable but that lead to insecure pseudo-random number generation.
下面的小节描述了一些看似合理但会导致不安全的伪随机数生成的想法。
One approach that may give a misleading appearance of unpredictability is to take a very complex algorithm (or an excellent traditional pseudo-random number generator with good statistical properties) and to calculate a cryptographic key by starting with limited data such as the computer system clock value as the seed. Adversaries who knew roughly when the generator was started would have a relatively small number of seed values to test, as they would know likely values of the system clock. Large numbers of pseudo-
一种可能使人产生不可预测性的误导性外观的方法是采用非常复杂的算法(或具有良好统计特性的优秀传统伪随机数生成器),并通过从有限的数据(如计算机系统时钟值)开始计算加密密钥作为种子。大致知道发电机何时启动的对手将有相对较少的种子值需要测试,因为他们知道系统时钟的可能值。大量的伪-
random bits could be generated, but the search space that an adversary would need to check could be quite small.
可以生成随机位,但对手需要检查的搜索空间可能非常小。
Thus, very strong or complex manipulation of data will not help if the adversary can learn what the manipulation is and if there is not enough entropy in the starting seed value. They can usually use the limited number of results stemming from a limited number of seed values to defeat security.
因此,如果对手能够了解操作是什么,并且如果起始种子值中没有足够的熵,那么非常强大或复杂的数据操作将没有帮助。他们通常可以使用有限数量的种子值产生的有限数量的结果来破坏安全性。
Another serious strategic error is to assume that a very complex pseudo-random number generation algorithm will produce strong random numbers, when there has been no theory behind or analysis of the algorithm. There is a excellent example of this fallacy near the beginning of Chapter 3 in [KNUTH], where the author describes a complex algorithm. It was intended that the machine language program corresponding to the algorithm would be so complicated that a person trying to read the code without comments wouldn't know what the program was doing. Unfortunately, actual use of this algorithm showed that it almost immediately converged to a single repeated value in one case and a small cycle of values in another case.
另一个严重的战略错误是假设一个非常复杂的伪随机数生成算法将产生强随机数,而该算法背后没有任何理论或分析。在[KNUTH]第3章的开头,有一个很好的例子说明了这个谬误,作者在那里描述了一个复杂的算法。其目的是,与算法相对应的机器语言程序将如此复杂,以至于试图在没有注释的情况下阅读代码的人将不知道程序在做什么。不幸的是,该算法的实际使用表明,在一种情况下它几乎立即收敛到单个重复值,在另一种情况下收敛到一个小的值循环。
Not only does complex manipulation not help you if you have a limited range of seeds, but blindly-chosen complex manipulation can destroy the entropy in a good seed!
如果你的种子范围有限,复杂的操作不仅对你没有帮助,而且盲目选择复杂的操作会破坏好种子的熵!
Another approach that can give a misleading appearance of unpredictability is to randomly select a quantity from a database and to assume that its strength is related to the total number of bits in the database. For example, typical USENET servers process many megabytes of information per day [USENET_1, USENET_2]. Assume that a random quantity was selected by fetching 32 bytes of data from a random starting point in this data. This does not yield 32*8 = 256 bits worth of unguessability. Even if much of the data is human language that contains no more than 2 or 3 bits of information per byte, it doesn't yield 32*2 = 64 bits of unguessability. For an adversary with access to the same Usenet database, the unguessability rests only on the starting point of the selection. That is perhaps a little over a couple of dozen bits of unguessability.
另一种可能产生不可预测性的误导性外观的方法是从数据库中随机选择一个数量,并假设其强度与数据库中的总位数有关。例如,典型的USENET服务器每天处理许多兆字节的信息[USENET_1,USENET_2]。假设通过从该数据的随机起始点获取32字节数据来选择随机数量。这不会产生32*8=256位的不可用性。即使大部分数据是人类语言,每个字节包含的信息不超过2或3位,也不会产生32*2=64位的不可用性。对于访问同一Usenet数据库的对手,不可用性仅取决于选择的起点。这可能是几十个不可用的地方多一点。
The same argument applies to selecting sequences from the data on a publicly available CD/DVD recording or any other large public database. If the adversary has access to the same database, this "selection from a large volume of data" step buys little. However, if a selection can be made from data to which the adversary has no access, such as system buffers on an active multi-user system, it may be of help.
同样的参数也适用于从公共CD/DVD记录或任何其他大型公共数据库的数据中选择序列。如果对手可以访问同一个数据库,那么“从大量数据中选择”这一步骤收效甚微。但是,如果可以从对手无法访问的数据(例如活动多用户系统上的系统缓冲区)中进行选择,则可能会有所帮助。
This section talks about traditional sources of deterministic or "pseudo-random" numbers. These typically start with a "seed" quantity and use simple numeric or logical operations to produce a sequence of values. Note that none of the techniques discussed in this section is suitable for cryptographic use. They are presented for general information.
本节讨论确定性或“伪随机”数的传统来源。这些通常从“种子”数量开始,并使用简单的数字或逻辑操作来生成一系列值。请注意,本节中讨论的任何技术都不适用于加密使用。它们是为一般信息而提供的。
[KNUTH] has a classic exposition on pseudo-random numbers. Applications he mentions are simulations of natural phenomena, sampling, numerical analysis, testing computer programs, decision making, and games. None of these have the same characteristics as the sorts of security uses we are talking about. Only in the last two could there be an adversary trying to find the random quantity. However, in these cases, the adversary normally has only a single chance to use a guessed value. In guessing passwords or attempting to break an encryption scheme, the adversary normally has many, perhaps unlimited, chances at guessing the correct value. Sometimes the adversary can store the message to be broken and repeatedly attack it. Adversaries are also be assumed to be aided by a computer.
[KNUTH]对伪随机数有一个经典的解释。他提到的应用包括自然现象模拟、采样、数值分析、测试计算机程序、决策和游戏。所有这些都没有与我们正在讨论的安全使用类型相同的特征。只有在最后两种情况下,才会有对手试图找到随机数量。然而,在这些情况下,对手通常只有一次机会使用猜测值。在猜测密码或试图破坏加密方案时,对手通常有很多(可能是无限)机会猜测正确的值。有时,对手可以存储要破坏的消息并反复攻击它。对手也被认为是由计算机辅助的。
For testing the "randomness" of numbers, Knuth suggests a variety of measures, including statistical and spectral. These tests check things like autocorrelation between different parts of a "random" sequence or distribution of its values. But these tests could be met by a constant stored random sequence, such as the "random" sequence printed in the CRC Standard Mathematical Tables [CRC]. Despite meeting all the tests suggested by Knuth, that sequence is unsuitable for cryptographic us, as adversaries must be assumed to have copies of all commonly published "random" sequences and to be able to spot the source and predict future values.
为了测试数字的“随机性”,Knuth提出了多种测量方法,包括统计和光谱测量。这些测试检查“随机”序列不同部分之间的自相关性或其值的分布。但这些测试可以通过恒定存储的随机序列来满足,例如CRC标准数学表[CRC]中打印的“随机”序列。尽管满足了Knuth建议的所有测试,但该序列不适合加密us,因为必须假设对手拥有所有常见发布的“随机”序列的副本,并且能够发现源并预测未来的值。
A typical pseudo-random number generation technique is the linear congruence pseudo-random number generator. This technique uses modular arithmetic, where the value numbered N+1 is calculated from the value numbered N by
一种典型的伪随机数生成技术是线性同余伪随机数生成器。该技术使用模运算,其中编号为N+1的值由编号为N的值计算得出
V = ( V * a + b )(Mod c)
N+1 N
V = ( V * a + b )(Mod c)
N+1 N
The above technique has a strong relationship to linear shift register pseudo-random number generators, which are well understood cryptographically [SHIFT*]. In such generators, bits are introduced at one end of a shift register as the Exclusive Or (binary sum without carry) of bits from selected fixed taps into the register. For example, consider the following:
上述技术与线性移位寄存器伪随机数生成器有很强的关系,后者在密码学上得到了很好的理解[shift*]。在这种生成器中,位被引入移位寄存器的一端,作为从选定的固定抽头进入寄存器的位的异或(无进位的二进制和)。例如,考虑以下内容:
+----+ +----+ +----+ +----+
| B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+
| 0 | | 1 | | 2 | | n | |
+----+ +----+ +----+ +----+ |
| | | |
| | V +-----+
| V +----------------> | |
V +-----------------------------> | XOR |
+---------------------------------------------------> | |
+-----+
+----+ +----+ +----+ +----+
| B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+
| 0 | | 1 | | 2 | | n | |
+----+ +----+ +----+ +----+ |
| | | |
| | V +-----+
| V +----------------> | |
V +-----------------------------> | XOR |
+---------------------------------------------------> | |
+-----+
V = ( ( V * 2 ) + B XOR B ... )(Mod 2^n)
N+1 N 0 2
V = ( ( V * 2 ) + B XOR B ... )(Mod 2^n)
N+1 N 0 2
The quality of traditional pseudo-random number generator algorithms is measured by statistical tests on such sequences. Carefully-chosen values a, b, c, and initial V or carefully-chosen placement of the shift register tap in the above simple process can produce excellent statistics.
传统伪随机数生成器算法的质量是通过对这些序列的统计测试来衡量的。在上述简单过程中,仔细选择值a、b、c和初始V,或仔细选择移位寄存器抽头的位置,可以产生出色的统计数据。
These sequences may be adequate in simulations (Monte Carlo experiments) as long as the sequence is orthogonal to the structure of the space being explored. Even there, subtle patterns may cause problems. However, such sequences are clearly bad for use in security applications. They are fully predictable if the initial state is known. Depending on the form of the pseudo-random number generator, the sequence may be determinable from observation of a short portion of the sequence [SCHNEIER, STERN]. For example, with the generators above, one can determine V(n+1) given knowledge of V(n). In fact, it has been shown that with these techniques, even if only one bit of the pseudo-random values are released, the seed can be determined from short sequences.
只要序列与所探索空间的结构正交,这些序列在模拟(蒙特卡罗实验)中就足够了。即使在那里,微妙的模式也可能导致问题。然而,这样的序列显然不适合在安全应用中使用。如果初始状态已知,它们是完全可预测的。根据伪随机数生成器的形式,可以通过观察序列的短部分来确定序列[SCHNEIER,STERN]。例如,使用上面的生成器,可以在已知V(n)的情况下确定V(n+1)。事实上,已经证明,使用这些技术,即使仅释放一位伪随机值,也可以从短序列中确定种子。
Not only have linear congruent generators been broken, but techniques are now known for breaking all polynomial congruent generators [KRAWCZYK].
不仅线性同余发生器被破坏,而且现在已知的技术是破坏所有多项式同余发生器[KRAWCZYK]。
In cases where a series of random quantities must be generated, an adversary may learn some values in the sequence. In general, adversaries should not be able to predict other values from the ones that they know.
在必须生成一系列随机量的情况下,对手可以从序列中学习一些值。一般来说,对手不应该能够从他们知道的值中预测其他值。
The correct technique is to start with a strong random seed, to take cryptographically strong steps from that seed [FERGUSON, SCHNEIER], and not to reveal the complete state of the generator in the sequence elements. If each value in the sequence can be calculated in a fixed
正确的技术是从一个强随机种子开始,从该种子中采取加密的强步骤[FERGUSON,SCHNEIER],而不是在序列元素中揭示生成器的完整状态。如果序列中的每个值都可以用固定的
way from the previous value, then when any value is compromised, all future values can be determined. This would be the case, for example, if each value were a constant function of the previously used values, even if the function were a very strong, non-invertible message digest function.
从以前的值开始,然后当任何值被破坏时,可以确定所有未来的值。例如,如果每个值都是以前使用的值的常量函数,即使该函数是非常强的、不可逆的消息摘要函数,也会出现这种情况。
(Note that if a technique for generating a sequence of key values is fast enough, it can trivially be used as the basis for a confidentiality system. If two parties use the same sequence generation technique and start with the same seed material, they will generate identical sequences. These could, for example, be XOR'ed at one end with data being sent to encrypt it, and XOR'ed with this data as received to decrypt it, due to the reversible properties of the XOR operation. This is commonly referred to as a simple stream cipher.)
(请注意,如果生成键值序列的技术足够快,它可以作为保密系统的基础。如果双方使用相同的序列生成技术并从相同的种子材料开始,他们将生成相同的序列。例如,这些序列可以在一端进行异或运算,同时保存数据。)由于XOR操作的可逆属性,发送以对其进行加密,并与接收到的数据进行异或以解密。这通常被称为简单流密码。)
One way to produce a strong sequence is to take a seed value and hash the quantities produced by concatenating the seed with successive integers, or the like, and then to mask the values obtained so as to limit the amount of generator state available to the adversary.
产生强序列的一种方法是获取种子值并散列通过将种子与连续整数等串联而产生的量,然后屏蔽获得的值以限制对手可用的生成器状态量。
It may also be possible to use an "encryption" algorithm with a random key and seed value to encrypt successive integers, as in counter (CTR) mode encryption. Alternatively, one can feedback all of the output value from encryption into the value to be encrypted for the next iteration. This is a particular example of output feedback mode (OFB) [MODES].
也可以使用带有随机密钥和种子值的“加密”算法来加密连续整数,如计数器(CTR)模式加密。或者,可以将加密的所有输出值反馈到下一次迭代要加密的值中。这是输出反馈模式(OFB)[模式]的一个特殊示例。
An example is shown below in which shifting and masking are used to combine part of the output feedback with part of the old input. This type of partial feedback should be avoided for reasons described below.
下面显示了一个示例,其中移位和掩蔽用于将部分输出反馈和部分旧输入相结合。由于下述原因,应避免此类部分反馈。
+---------------+
| V |
| | n |--+
+--+------------+ |
| | +---------+
shift| +---> | | +-----+
+--+ | Encrypt | <--- | Key |
| +-------- | | +-----+
| | +---------+
V V
+------------+--+
| V | |
| n+1 |
+---------------+
+---------------+
| V |
| | n |--+
+--+------------+ |
| | +---------+
shift| +---> | | +-----+
+--+ | Encrypt | <--- | Key |
| +-------- | | +-----+
| | +---------+
V V
+------------+--+
| V | |
| n+1 |
+---------------+
Note that if a shift of one is used, this is the same as the shift register technique described in Section 6.1.3, but with the all-important difference that the feedback is determined by a complex non-linear function of all bits rather than by a simple linear or polynomial combination of output from a few bit position taps.
请注意,如果使用1的移位,这与第6.1.3节中描述的移位寄存器技术相同,但最重要的区别是,反馈由所有位的复杂非线性函数确定,而不是由几个位位置抽头输出的简单线性或多项式组合确定。
Donald W. Davies showed that this sort of shifted partial output feedback significantly weakens an algorithm, compared to feeding all the output bits back as input. In particular, for DES, repeatedly encrypting a full 64-bit quantity will give an expected repeat in about 2^63 iterations. Feeding back anything less than 64 (and more than 0) bits will give an expected repeat in between 2^31 and 2^32 iterations!
Donald W.Davies指出,与将所有输出位作为输入反馈相比,这种移位部分输出反馈显著削弱了算法。特别是,对于DES,重复加密完整的64位量将在大约2^63次迭代中产生预期的重复。反馈任何小于64位(且大于0位)的内容将在2^31和2^32迭代之间产生预期的重复!
To predict values of a sequence from others when the sequence was generated by these techniques is equivalent to breaking the cryptosystem or to inverting the "non-invertible" hashing with only partial information available. The less information revealed in each iteration, the harder it will be for an adversary to predict the sequence. Thus it is best to use only one bit from each value. It has been shown that in some cases this makes it impossible to break a system even when the cryptographic system is invertible and could be broken if all of each generated value were revealed.
当序列由这些技术生成时,要从其他序列中预测序列的值,相当于破坏密码系统或在只有部分信息可用的情况下反转“不可逆”散列。每次迭代中透露的信息越少,对手就越难预测序列。因此,最好只使用每个值中的一位。已经证明,在某些情况下,即使密码系统是可逆的,也不可能破坏系统,并且如果所有生成的值都被揭示,则可能破坏系统。
Currently the generator which has the strongest public proof of strength is called the Blum Blum Shub generator, named after its inventors [BBS]. It is also very simple and is based on quadratic residues. Its only disadvantage is that it is computationally intensive compared to the traditional techniques given in Section 6.1.3. This is not a major drawback if it is used for moderately-infrequent purposes, such as generating session keys.
目前,拥有最强大的公共实力证明的发电机被称为Blum Blum Shub发电机,以其发明者[BBS]命名。它也非常简单,并且基于二次剩余。它唯一的缺点是,与第6.1.3节中给出的传统技术相比,它需要大量计算。如果它用于不经常使用的目的,例如生成会话密钥,则这不是一个主要缺点。
Simply choose two large prime numbers (say, p and q) that each gives a remainder of 3 when divided by 4. Let n = p * q. Then choose a random number, x, that is relatively prime to n. The initial seed for the generator and the method for calculating subsequent values are then:
只需选择两个大素数(例如,p和q),当除以4时,每个大素数的余数为3。设n=p*q。然后选择一个随机数x,它相对于n是素数。生成器的初始种子和计算后续值的方法如下:
2
s = ( x )(Mod n)
0
2
s = ( s )(Mod n)
i+1 i
2
s = ( x )(Mod n)
0
2
s = ( s )(Mod n)
i+1 i
Be careful to use only a few bits from the bottom of each s. It is always safe to use only the lowest-order bit. If one uses no more than the:
注意只使用每个s底部的几个位。仅使用最低阶位总是安全的。如果仅使用以下各项:
log ( log ( s ) ) 2 2 i
日志(日志)2 i
low-order bits, then predicting any additional bits from a sequence generated in this manner is provably as hard as factoring n. As long as the initial x is secret, n can be made public if desired.
低阶位,然后从以这种方式生成的序列中预测任何附加位,可以证明与分解n一样困难。只要初始x是秘密的,如果需要,n可以公开。
An interesting characteristic of this generator is that any of the s values can be directly calculated. In particular,
该生成器的一个有趣特性是,可以直接计算任何s值。特别地,
( (2^i) (Mod ((p-1)*(q-1)) ) )
s = ( s )(Mod n)
i 0
( (2^i) (Mod ((p-1)*(q-1)) ) )
s = ( s )(Mod n)
i 0
This means that in applications where many keys are generated in this fashion, it is not necessary to save them all. Each key can be effectively indexed and recovered from that small index and the initial s and n.
这意味着在以这种方式生成多个键的应用程序中,不必全部保存它们。每个键都可以有效地索引,并从该小索引和初始s和n中恢复。
Many modern pseudo-random number sources, such as those described in Sections 7.1.2 and 7.1.3 utilize the technique of maintaining a "pool" of bits and providing operations for strongly mixing input with some randomness into the pool and extracting pseudo-random bits from the pool. This is illustrated in the figure below.
许多现代伪随机数源,如第7.1.2节和第7.1.3节中所述的伪随机数源,利用维护比特“池”的技术,并提供将具有一定随机性的输入强混合到池中并从池中提取伪随机比特的操作。下图对此进行了说明。
+--------+ +------+ +---------+
--->| Mix In |--->| POOL |--->| Extract |--->
| Bits | | | | Bits |
+--------+ +------+ +---------+
^ V
| |
+-----------+
+--------+ +------+ +---------+
--->| Mix In |--->| POOL |--->| Extract |--->
| Bits | | | | Bits |
+--------+ +------+ +---------+
^ V
| |
+-----------+
Bits to be fed into the pool can come from any of the various hardware, environmental, or user input sources discussed above. It is also common to save the state of the pool on system shutdown and to restore it on re-starting, when stable storage is available.
要馈入池中的位可以来自上面讨论的各种硬件、环境或用户输入源中的任何一个。在系统关闭时保存池的状态,在稳定存储可用时在重新启动时恢复池的状态也是很常见的。
Care must be taken that enough entropy has been added to the pool to support particular output uses desired. See [RSA_BULL1] for similar suggestions.
必须注意向池中添加足够的熵以支持所需的特定输出用途。有关类似建议,请参见[RSA_BULL1]。
Several public standards and widely deployed examples are now in place for the generation of keys or other cryptographically random quantities. Some, in section 7.1, include an entropy source. Others, described in section 7.2, provide the pseudo-random number strong-sequence generator but assume the input of a random seed or input from a source of entropy.
一些公共标准和广泛部署的示例现在已经到位,用于生成密钥或其他加密随机量。第7.1节中的一些包括熵源。第7.2节所述的其他方法提供伪随机数强序列生成器,但假设输入为随机种子或来自熵源的输入。
Three standards are described below. The two older standards use DES, with its 64-bit block and key size limit, but any equally strong or stronger mixing function could be substituted [DES]. The third is a more modern and stronger standard based on SHA-1 [SHA*]. Lastly, the widely deployed modern UNIX and Windows random number generators are described.
下面介绍三个标准。两个较旧的标准使用DES,具有64位块和密钥大小限制,但任何同样强或更强的混合函数都可以被替代[DES]。第三个是基于SHA-1[SHA*]的更现代、更强的标准。最后,描述了广泛部署的现代UNIX和Windows随机数生成器。
The United States Department of Defense has specific recommendations for password generation [DoD]. It suggests using the US Data Encryption Standard [DES] in Output Feedback Mode [MODES] as follows:
美国国防部对密码生成(DoD)有具体建议。建议在输出反馈模式[模式]下使用美国数据加密标准[DES],如下所示:
Use an initialization vector determined from the system clock, system ID, user ID, and date and time; use a key determined from system interrupt registers, system status registers, and system counters; and, as plain text, use an external randomly generated 64-bit quantity such as the ASCII bytes for 8 characters typed in by a system administrator.
使用根据系统时钟、系统ID、用户ID以及日期和时间确定的初始化向量;使用由系统中断寄存器、系统状态寄存器和系统计数器确定的密钥;并且,作为纯文本,使用外部随机生成的64位数量,例如系统管理员键入的8个字符的ASCII字节。
The password can then be calculated from the 64 bit "cipher text" generated by DES in 64-bit Output Feedback Mode. As many bits as are needed can be taken from these 64 bits and expanded into a pronounceable word, phrase, or other format if a human being needs to remember the password.
然后,可以根据DES在64位输出反馈模式下生成的64位“密码文本”计算密码。如果人们需要记住密码,可以从这64位中提取所需的任意多个位,并将其扩展为可发音的单词、短语或其他格式。
Several versions of the UNIX operating system provide a kernel-resident random number generator. Some of these generators use events captured by the Kernel during normal system operation.
UNIX操作系统的几个版本提供了驻留在内核中的随机数生成器。其中一些生成器使用内核在正常系统操作期间捕获的事件。
For example, on some versions of Linux, the generator consists of a random pool of 512 bytes represented as 128 words of 4 bytes each. When an event occurs, such as a disk drive interrupt, the time of the event is XOR'ed into the pool, and the pool is stirred via a primitive polynomial of degree 128. The pool itself is treated as a ring buffer, with new data being XOR'ed (after stirring with the polynomial) across the entire pool.
例如,在某些版本的Linux上,生成器由512字节的随机池组成,表示为128个字,每个字4字节。当一个事件发生时,例如磁盘驱动器中断,事件的时间被异或输入池中,池通过128次的原始多项式被搅动。池本身被视为一个环形缓冲区,新数据在整个池中被异或(在用多项式搅拌后)。
Each call that adds entropy to the pool estimates the amount of likely true entropy the input contains. The pool itself contains a accumulator that estimates the total over all entropy of the pool.
向池中添加熵的每个调用都会估计输入中可能包含的真实熵的数量。池本身包含一个累加器,用于估计池的总熵。
Input events come from several sources, as listed below. Unfortunately, for server machines without human operators, the first and third are not available, and entropy may be added slowly in that case.
输入事件来自多个来源,如下所示。不幸的是,对于没有人工操作的服务器机器,第一个和第三个不可用,在这种情况下,熵可能会缓慢增加。
1. Keyboard interrupts. The time of the interrupt and the scan code are added to the pool. This in effect adds entropy from the human operator by measuring inter-keystroke arrival times.
1. 键盘中断。中断时间和扫描代码被添加到池中。这实际上通过测量击键间的到达时间增加了人类操作员的熵。
2. Disk completion and other interrupts. A system being used by a person will likely have a hard-to-predict pattern of disk
2. 磁盘完成和其他中断。一个人正在使用的系统可能会有难以预测的磁盘模式
accesses. (But not all disk drivers support capturing this timing information with sufficient accuracy to be useful.)
访问。(但并非所有磁盘驱动程序都支持以足够的准确度捕获此计时信息以使其有用。)
3. Mouse motion. The timing and mouse position are added in.
3. 鼠标运动。中添加了计时和鼠标位置。
When random bytes are required, the pool is hashed with SHA-1 [SHA*] to yield the returned bytes of randomness. If more bytes are required than the output of SHA-1 (20 bytes), then the hashed output is stirred back into the pool and a new hash is performed to obtain the next 20 bytes. As bytes are removed from the pool, the estimate of entropy is correspondingly decremented.
当需要随机字节时,池将使用SHA-1[SHA*]散列以产生返回的随机字节。如果需要比SHA-1的输出(20字节)更多的字节,则将散列输出搅拌回池中,并执行新的散列以获得下一个20字节。当从池中删除字节时,熵的估计值相应地减小。
To ensure a reasonably random pool upon system startup, the standard startup and shutdown scripts save the pool to a disk file at shutdown and read this file at system startup.
为了确保系统启动时有一个合理的随机池,标准的启动和关闭脚本在关闭时将池保存到磁盘文件中,并在系统启动时读取此文件。
There are two user-exported interfaces. /dev/random returns bytes from the pool but blocks when the estimated entropy drops to zero. As entropy is added to the pool from events, more data becomes available via /dev/random. Random data obtained from such a /dev/random device is suitable for key generation for long term keys, if enough random bits are in the pool or are added in a reasonable amount of time.
有两个用户导出的界面/dev/random从池中返回字节,但当估计的熵降至零时会阻塞。随着熵从事件添加到池中,更多的数据通过/dev/random变得可用。如果池中有足够的随机位或在合理的时间内添加了足够的随机位,则从这种/dev/Random设备获得的随机数据适合于长期密钥的密钥生成。
/dev/urandom works like /dev/random; however, it provides data even when the entropy estimate for the random pool drops to zero. This may be adequate for session keys or for other key generation tasks for which blocking to await more random bits is not acceptable. The risk of continuing to take data even when the pool's entropy estimate is small in that past output may be computable from current output, provided that an attacker can reverse SHA-1. Given that SHA-1 is designed to be non-invertible, this is a reasonable risk.
/dev/urandom的工作方式类似于/dev/random;然而,即使随机池的熵估计降到零,它也提供数据。对于会话密钥或其他密钥生成任务来说,这可能是足够的,对于这些任务,阻塞等待更多随机位是不可接受的。即使在池的熵估计值很小的情况下,继续获取数据的风险也可以从当前输出计算过去的输出,前提是攻击者可以反转SHA-1。鉴于SHA-1设计为不可逆,这是一个合理的风险。
To obtain random numbers under Linux, Solaris, or other UNIX systems equipped with code as described above, all an application has to do is open either /dev/random or /dev/urandom and read the desired number of bytes.
要在Linux、Solaris或其他配备有上述代码的UNIX系统下获取随机数,应用程序只需打开/dev/random或/dev/urandom并读取所需的字节数。
(The Linux Random device was written by Theodore Ts'o. It was based loosely on the random number generator in PGP 2.X and PGP 3.0 (aka PGP 5.0).)
(Linux随机设备由Theodore Ts'o编写。它松散地基于PGP2.X和PGP3.0(又名PGP5.0)中的随机数生成器。)
Microsoft's recommendation to users of the widely deployed Windows operating system is generally to use the CryptGenRandom pseudo-random number generation call with the CryptAPI cryptographic service provider. This takes a handle to a cryptographic service provider
Microsoft向广泛部署的Windows操作系统用户推荐的建议通常是使用CryptAPI加密服务提供商的CryptGenRandom伪随机数生成调用。这将获取加密服务提供程序的句柄
library, a pointer to a buffer by which the caller can provide entropy and into which the generated pseudo-randomness is returned, and an indication of how many octets of randomness are desired.
库,一个指向缓冲区的指针,调用者可以通过该缓冲区提供熵,并将生成的伪随机性返回到该缓冲区,以及指示需要多少个八位组的随机性。
The Windows CryptAPI cryptographic service provider stores a seed state variable with every user. When CryptGenRandom is called, this is combined with any randomness provided in the call and with various system and user data such as the process ID, thread ID, system clock, system time, system counter, memory status, free disk clusters, and hashed user environment block. This data is all fed to SHA-1, and the output is used to seed an RC4 key stream. That key stream is used to produce the pseudo-random data requested and to update the user's seed state variable.
Windows CryptoAPI加密服务提供程序为每个用户存储一个种子状态变量。调用CryptGenRandom时,它与调用中提供的任何随机性以及各种系统和用户数据相结合,如进程ID、线程ID、系统时钟、系统时间、系统计数器、内存状态、可用磁盘群集和散列用户环境块。该数据全部馈送到SHA-1,输出用于为RC4密钥流种子。该密钥流用于生成请求的伪随机数据并更新用户的种子状态变量。
Users of Windows ".NET" will probably find it easier to use the RNGCryptoServiceProvider.GetBytes method interface.
Windows“.NET”的用户可能会发现使用RNGCryptoServiceProvider.GetBytes方法接口更容易。
For further information, see [WSC].
有关更多信息,请参阅[WSC]。
The pseudo-random number generators described in the following three sections all assume that a seed value with sufficient entropy is provided to them. They then generate a strong sequence (see Section 6.2) from that seed.
以下三节中描述的伪随机数生成器都假设为它们提供了具有足够熵的种子值。然后,它们从该种子生成一个强序列(见第6.2节)。
The ANSI X9F1 committee is in the final stages of creating a standard for random number generation covering both true randomness generators and pseudo-random number generators. It includes a number of pseudo-random number generators based on hash functions, one of which will probably be based on HMAC SHA hash constructs [RFC2104]. The draft version of this generator is described below, omitting a number of optional features [X9.82].
ANSI X9F1委员会正处于创建随机数生成标准的最后阶段,该标准涵盖真实随机数生成器和伪随机数生成器。它包括许多基于哈希函数的伪随机数生成器,其中一个可能基于HMAC SHA哈希构造[RFC2104]。该生成器的草稿版本如下所述,省略了一些可选功能[X9.82]。
In the subsections below, the HMAC hash construct is simply referred to as HMAC but, of course, a particular standard SHA function must be selected in an particular use. Generally speaking, if the strength of the pseudo-random values to be generated is to be N bits, the SHA function chosen must generate N or more bits of output, and a source of at least N bits of input entropy will be required. The same hash function must be used throughout an instantiation of this generator.
在下面的小节中,HMAC哈希构造被简单地称为HMAC,但是,当然,在特定用途中必须选择特定的标准SHA函数。一般来说,如果要生成的伪随机值的强度为N比特,则所选择的SHA函数必须生成N个或更多比特的输出,并且将需要至少N个比特的输入熵的源。在该生成器的整个实例化过程中必须使用相同的哈希函数。
In the following sections, the notation give below is used:
在以下章节中,使用以下符号:
hash_length is the output size of the underlying hash function in use.
hash_length是正在使用的基础哈希函数的输出大小。
input_entropy is the input bit string that provides entropy to the generator.
input_entropy是向生成器提供熵的输入位字符串。
K is a bit string of size hash_length that is part of the state of the generator and is updated at least once each time random bits are generated.
K是大小为hash_长度的位字符串,它是生成器状态的一部分,并且在每次生成随机位时至少更新一次。
V is a bit string of size hash_length and is part of the state of the generator. It is updated each time hash_length bits of output are generated.
V是大小为hash_长度的位字符串,是生成器状态的一部分。每次生成输出的hash_长度位时,它都会更新。
"|" represents concatenation.
“|”表示串联。
Set V to all zero bytes, except the low-order bit of each byte is set to one.
将V设置为所有零字节,但每个字节的低位设置为1。
Set K to all zero bytes, then set:
将K设置为所有零字节,然后设置:
K = HMAC ( K, V | 0x00 | input_entropy )
K=HMAC(K,V | 0x00 |输入| u熵)
V = HMAC ( K, V )
V=HMAC(K,V)
K = HMAC ( K, V | 0x01 | input_entropy )
K=HMAC(K,V | 0x01 |输入| u熵)
V = HMAC ( K, V )
V=HMAC(K,V)
Note: All SHA algorithms produce an integral number of bytes, so the lengths of K and V will be integral numbers of bytes.
注意:所有SHA算法都产生整数字节数,因此K和V的长度将是整数字节数。
When output is called for, simply set:
当需要输出时,只需设置:
V = HMAC ( K, V )
V=HMAC(K,V)
and use the leading bits from V. If more bits are needed than the length of V, set "temp" to a null bit string and then repeatedly perform:
并使用V的前导位。如果需要比V长度更多的位,请将“temp”设置为空位字符串,然后重复执行:
V = HMAC ( K, V ) temp = temp | V
V=HMAC(K,V)温度=温度| V
stopping as soon as temp is equal to or longer than the number of random bits requested. Use the requested number of leading bits from temp. The definition of the algorithm prohibits requesting more than 2^35 bits.
当temp等于或大于请求的随机位数时停止。使用从temp请求的前导位数。算法的定义禁止请求超过2^35位的数据。
After extracting and saving the pseudo-random output bits as described above, before returning you must also perform two more HMACs as follows:
如上所述提取并保存伪随机输出位后,在返回之前,还必须执行两个以上的HMAC,如下所示:
K = HMAC ( K, V | 0x00 ) V = HMAC ( K, V )
K=HMAC(K,V | 0x00)V=HMAC(K,V)
The American National Standards Institute has specified the following method for generating a sequence of keys [X9.17]:
美国国家标准协会规定了以下生成键序列的方法[X9.17]:
s is the initial 64 bit seed. 0
s是初始64位种子。0
g is the sequence of generated 64-bit key quantities n
g是生成的64位密钥数量n的序列
k is a random key reserved for generating this key sequence.
k是为生成此密钥序列而保留的随机密钥。
t is the time at which a key is generated, to as fine a resolution as is available (up to 64 bits).
t是生成密钥的时间,分辨率尽可能高(高达64位)。
DES ( K, Q ) is the DES encryption of quantity Q with key K.
DES(K,Q)是用密钥K对数量Q进行DES加密。
Then:
然后:
g = DES ( k, DES ( k, t ) XOR s ) n n
g=DES(k,DES(k,t)xos)n
s = DES ( k, DES ( k, t ) XOR g ) n+1 n
s=DES(k,DES(k,t)XOR g)n+1n
If g sub n is to be used as a DES key, then every eighth bit should be adjusted for parity for that use, but the entire 64 bit unmodified g should be used in calculating the next s.
如果g sub n用作DES密钥,则每八位应调整一次奇偶校验,但整个未修改的64位g应用于计算下一个s。
Appendix 3 of the NIST Digital Signature Standard [DSS] provides a method of producing a sequence of pseudo-random 160 bit quantities for use as private keys or the like. This has been modified by Change Notice 1 [DSS_CN1] to produce the following algorithm for generating general-purpose pseudo-random numbers:
NIST数字签名标准[DSS]的附录3提供了一种生成伪随机160位量序列的方法,用于私钥等。变更通知1[DSS_CN1]对此进行了修改,以生成以下生成通用伪随机数的算法:
t = 0x 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0
t=0x 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0
XKEY = initial seed 0
XKEY=初始种子0
For j = 0 to ...
对于j=0到。。。
XVAL = ( XKEY + optional user input ) (Mod 2^512)
j
XVAL = ( XKEY + optional user input ) (Mod 2^512)
j
X = G( t, XVAL ) j
X=G(t,XVAL)j
XKEY = ( 1 + XKEY + X ) (Mod 2^512)
j+1 j j
XKEY = ( 1 + XKEY + X ) (Mod 2^512)
j+1 j j
The quantities X thus produced are the pseudo-random sequence of 160-bit values. Two functions can be used for "G" above. Each produces a 160-bit value and takes two arguments, a 160-bit value and a 512 bit value.
由此产生的量X是160位值的伪随机序列。上述“G”可使用两个功能。每个都生成一个160位的值,并接受两个参数,一个160位的值和一个512位的值。
The first is based on SHA-1 and works by setting the 5 linking variables, denoted H with subscripts in the SHA-1 specification, to the first argument divided into fifths. Then steps (a) through (e) of section 7 of the NIST SHA-1 specification are run over the second argument as if it were a 512-bit data block. The values of the linking variable after those steps are then concatenated to produce the output of G [SHA*].
第一个基于SHA-1,通过将5个链接变量(在SHA-1规范中用下标表示为H)设置为第一个分为五个的参数。然后,NIST SHA-1规范第7节的步骤(a)至(e)在第二个参数上运行,就像它是512位数据块一样。然后将这些步骤之后的链接变量的值连接起来,以生成G[SHA*]的输出。
As an alternative method, NIST also defined an alternate G function based on multiple applications of the DES encryption function [DSS].
作为替代方法,NIST还根据DES加密功能[DSS]的多种应用定义了替代G函数。
Below are two examples showing rough calculations of randomness needed for security. The first is for moderate security passwords, while the second assumes a need for a very high-security cryptographic key.
下面是两个示例,显示了安全性所需的随机性的粗略计算。第一种是中等安全性密码,而第二种则假设需要非常高安全性的加密密钥。
In addition, [ORMAN] and [RSA_BULL13] provide information on the public key lengths that should be used for exchanging symmetric keys.
此外,[ORMAN]和[RSA_BULL13]提供了关于交换对称密钥时应使用的公钥长度的信息。
Assume that user passwords change once a year and that it is desired that the probability that an adversary could guess the password for a particular account be less than one in a thousand. Further assume that sending a password to the system is the only way to try a password. Then the crucial question is how often an adversary can try possibilities. Assume that delays have been introduced into a system so that an adversary can make at most one password try every six seconds. That's 600 per hour, or about 15,000 per day, or about 5,000,000 tries in a year. Assuming any sort of monitoring, it is unlikely that someone could actually try continuously for a year. Even if log files are only checked monthly, 500,000 tries is more plausible before the attack is noticed and steps are taken to change passwords and make it harder to try more passwords.
假设用户密码每年更改一次,并且希望对手猜测特定帐户密码的概率小于千分之一。进一步假设向系统发送密码是尝试密码的唯一方法。那么关键的问题是对手多久能尝试一次可能性。假设系统中引入了延迟,因此对手最多可以每六秒钟尝试一次密码。即每小时600次,或每天15000次,或一年500万次。假设进行任何形式的监控,不太可能有人真的连续尝试一年。即使只每月检查一次日志文件,在发现攻击并采取措施更改密码和使尝试更多密码更加困难之前,尝试500000次也更为合理。
To have a one-in-a-thousand chance of guessing the password in 500,000 tries implies a universe of at least 500,000,000 passwords, or about 2^29. Thus, 29 bits of randomness are needed. This can probably be achieved by using the US DoD-recommended inputs for password generation, as it has 8 inputs that probably average over 5 bits of randomness each (see section 7.1). Using a list of 1,000 words, the password could be expressed as a three-word phrase (1,000,000,000 possibilities). By using case-insensitive letters and digits, six characters would suffice ((26+10)^6 = 2,176,782,336 possibilities).
在500000次尝试中有千分之一的机会猜到密码意味着至少有500000000个密码,或者大约2^29。因此,需要29位随机性。这可能通过使用美国国防部推荐的密码生成输入来实现,因为它有8个输入,每个输入可能平均超过5位随机性(见第7.1节)。使用1000个单词的列表,密码可以表示为三个单词的短语(100000000种可能性)。通过使用不区分大小写的字母和数字,六个字符就足够了((26+10)^6=2176782336)。
For a higher-security password, the number of bits required goes up. To decrease the probability by 1,000 requires increasing the universe of passwords by the same factor, which adds about 10 bits. Thus, to have only a one in a million chance of a password being guessed under the above scenario would require 39 bits of randomness and a password that was a four-word phrase from a 1,000 word list, or eight letters/digits. To go to a one-in-10^9 chance, 49 bits of randomness are needed, implying a five-word phrase or a ten-letter/digit password.
对于更高安全性的密码,所需的位数会增加。要将概率降低1000,需要将密码的范围增加相同的因子,即增加大约10位。因此,在上述情况下,如果密码被猜测的概率只有百万分之一,则需要39位随机性和1000字列表中的四字短语密码,或八个字母/数字。要达到十分之一的概率,需要49位随机性,这意味着一个五个单词的短语或一个十个字母/数字的密码。
In a real system, of course, there are other factors. For example, the larger and harder to remember passwords are, the more likely users will bed to write them down, resulting in an additional risk of compromise.
当然,在实际系统中,还有其他因素。例如,密码越大、越难记住,用户就越有可能在床上记下密码,从而增加泄露的风险。
Assume that a very high security key is needed for symmetric encryption/decryption between two parties. Assume also that an adversary can observe communications and knows the algorithm being used. Within the field of random possibilities, the adversary can try key values in hopes of finding the one in use. Assume further that brute force trial of keys is the best the adversary can do.
假设双方之间的对称加密/解密需要非常高的安全密钥。还假设对手可以观察通信并知道正在使用的算法。在随机可能性范围内,对手可以尝试关键值,希望找到正在使用的值。进一步假设对钥匙的暴力审判是对手所能做的最好的。
How much effort will it take to try each key? For very high-security applications, it is best to assume a low value of effort. Even if it would clearly take tens of thousands of computer cycles or more to try a single key, there may be some pattern that enables huge blocks of key values to be tested with much less effort per key. Thus, it is probably best to assume no more than a couple of hundred cycles per key. (There is no clear lower bound on this, as computers operate in parallel on a number of bits and a poor encryption algorithm could allow many keys or even groups of keys to be tested in parallel. However, we need to assume some value and can hope that a reasonably strong algorithm has been chosen for our hypothetical high-security task.)
试一试每把钥匙需要多少努力?对于非常高安全性的应用程序,最好假定付出的努力值较低。即使尝试一个键显然要花费数万个或更多的计算机周期,也可能有某种模式可以让大量的键值块在每一个键上进行测试,所需的工作量要少得多。因此,最好假设每个键不超过几百个周期。(这方面没有明确的下限,因为计算机在多个比特上并行运行,而糟糕的加密算法可能允许并行测试多个密钥,甚至多组密钥。然而,我们需要假设一些值,并希望为我们假设的高安全性任务选择一个相当强的算法。)
If the adversary can command a highly parallel processor or a large network of work stations, 10^11 cycles per second is probably a minimum assumption today. Looking forward a few years, there should be at least an order of magnitude improvement. Thus, it is reasonable to assume that 10^10 keys could be checked per second, or 3.6*10^12 per hour or 6*10^14 per week, or 2.4*10^15 per month. This implies a need for a minimum of 63 bits of randomness in keys, to be sure that they cannot be found in a month. Even then it is possible that, a few years from now, a highly determined and resourceful adversary could break the key in 2 weeks; on average, they need try only half the keys.
如果对手能够指挥一个高度并行的处理器或一个大型工作站网络,那么每秒10^11个周期可能是目前的最低假设。展望未来几年,至少会有一个数量级的改善。因此,可以合理地假设每秒可以检查10^10个键,或每小时检查3.6*10^12个键,或每周检查6*10^14个键,或每月检查2.4*10^15个键。这意味着密钥中至少需要63位随机性,以确保在一个月内无法找到它们。即便如此,几年后,一个意志坚定、足智多谋的对手也有可能在两周内攻破这把钥匙;平均来说,他们只需要试一下一半的钥匙。
These questions are considered in detail in "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists" [KeyStudy] that was sponsored by the Business Software Alliance. It concluded that a reasonable key length in 1995 for very high security is in the range of 75 to 90 bits and, since the cost of cryptography does not vary much with the key size, it recommends 90 bits. To update these recommendations, just add 2/3 of a bit per year for Moore's law [MOORE]. This translates to a determination, in the year 2004, a reasonable key length is in the 81- to 96-bit range. In fact, today, it is increasingly common to use keys longer than 96
商业软件联盟赞助的“对称密码提供充分商业安全性的最小密钥长度:密码学家和计算机科学家特设小组的报告”[KeyStudy]详细讨论了这些问题。它得出的结论是,1995年非常高安全性的合理密钥长度在75到90位之间,并且由于加密成本与密钥大小没有太大差异,因此建议使用90位。为了更新这些建议,只需每年为摩尔定律[Moore]增加2/3比特。这意味着在2004年确定了一个合理的密钥长度在81到96位范围内。事实上,如今,使用超过96的键越来越普遍
bits, such as 128-bit (or longer) keys with AES and keys with effective lengths of 112-bits with triple-DES.
位,例如具有AES的128位(或更长)密钥和具有三重DES的有效长度为112位的密钥。
If chosen or known plain text and the resulting encrypted text are available, a "meet-in-the-middle" attack is possible if the structure of the encryption algorithm allows it. (In a known plain text attack, the adversary knows all or part (possibly some standard header or trailer fields) of the messages being encrypted. In a chosen plain text attack, the adversary can force some chosen plain text to be encrypted, possibly by "leaking" an exciting text that is sent by the adversary over an encrypted channel because the text is so interesting.
如果选择的或已知的纯文本以及生成的加密文本可用,则如果加密算法的结构允许,“中间相遇”攻击是可能的。(在已知的纯文本攻击中,对手知道被加密的消息的全部或部分(可能是一些标准头或尾字段)。在选择的纯文本攻击中,对手可能通过“泄漏”强制对选择的纯文本进行加密对手通过加密通道发送的激动人心的文本,因为该文本非常有趣。
The following is an oversimplified explanation of the meet-in-the-middle attack: the adversary can half-encrypt the known or chosen plain text with all possible first half-keys, sort the output, and then half-decrypt the encoded text with all the second half-keys. If a match is found, the full key can be assembled from the halves and used to decrypt other parts of the message or other messages. At its best, this type of attack can halve the exponent of the work required by the adversary while adding a very large but roughly constant factor of effort. Thus, if this attack can be mounted, a doubling of the amount of randomness in the very strong key to a minimum of 192 bits (96*2) is required for the year 2004, based on the [KeyStudy] analysis.
以下是对中间相遇攻击的过于简单的解释:对手可以使用所有可能的前半部分密钥对已知或选定的纯文本进行半加密,对输出进行排序,然后使用所有后半部分密钥对编码文本进行半解密。如果找到匹配项,则可以从两部分组合完整密钥,并用于解密消息或其他消息的其他部分。在最好的情况下,这种类型的攻击可以使对手所需的工作量减半,同时增加非常大但大致不变的工作量。因此,根据[KeyStudy]分析,如果可以发起此攻击,则2004年需要将非常强密钥中的随机性增加一倍,至少达到192位(96*2)。
This amount of randomness is well beyond the limit of that in the inputs recommended by the US DoD for password generation and could require user-typing timing, hardware random number generation, or other sources of randomness.
这种随机性远远超出了美国国防部推荐的密码生成输入的限制,可能需要用户输入定时、硬件随机数生成或其他随机性来源。
The meet-in-the-middle attack assumes that the cryptographic algorithm can be decomposed in this way. Hopefully no modern algorithm has this weakness, but there may be cases where we are not sure of that or even of what algorithm a key will be used with. Even if a basic algorithm is not subject to a meet-in-the-middle attack, an attempt to produce a stronger algorithm by applying the basic algorithm twice (or two different algorithms sequentially) with different keys will gain less added security than would be expected. Such a composite algorithm would be subject to a meet-in-the-middle attack.
中间相遇攻击假设密码算法可以通过这种方式分解。希望没有一种现代算法具有这种弱点,但在某些情况下,我们甚至不确定密钥将与什么算法一起使用。即使基本算法不受中间相遇攻击,通过使用不同密钥应用基本算法两次(或连续应用两种不同算法)来产生更强算法的尝试也会获得比预期更少的附加安全性。这种复合算法将受到中间相遇攻击。
Enormous resources may be required to mount a meet-in-the-middle attack, but they are probably within the range of the national security services of a major nation. Essentially all nations spy on other nations' traffic.
发动中间会合攻击可能需要巨大的资源,但它们可能在一个大国的国家安全部门的范围内。基本上所有国家都在监视其他国家的交通。
[KeyStudy] also considers the possibilities of special-purpose code-breaking hardware and having an adequate safety margin.
[KeyStudy]还考虑了特殊用途代码中断硬件的可能性,并具有足够的安全裕度。
Note that key length calculations such as those above are controversial and depend on various assumptions about the cryptographic algorithms in use. In some cases, a professional with a deep knowledge of algorithm-breaking techniques and of the strength of the algorithm in use could be satisfied with less than half of the 192 bit key size derived above.
请注意,如上所述的密钥长度计算是有争议的,并且取决于所使用的加密算法的各种假设。在某些情况下,对算法破解技术和所用算法的强度有深入了解的专业人员可以满足于上述192位密钥大小的不到一半。
For further examples of conservative design principles, see [FERGUSON].
有关保守设计原则的更多示例,请参见[FERGUSON]。
Generation of unguessable "random" secret quantities for security use is an essential but difficult task.
生成用于安全用途的不可利用的“随机”秘密量是一项重要但困难的任务。
Hardware techniques for producing the needed entropy would be relatively simple. In particular, the volume and quality would not need to be high, and existing computer hardware, such as audio input or disk drives, can be used.
产生所需熵的硬件技术相对简单。特别是,音量和质量不需要很高,可以使用现有的计算机硬件,如音频输入或磁盘驱动器。
Widely-available computational techniques can process low-quality random quantities from multiple sources, or a larger quantity of such low-quality input from one source, to produce a smaller quantity of higher-quality keying material. In the absence of hardware sources of randomness, a variety of user and software sources can frequently, with care, be used instead. However, most modern systems already have hardware, such as disk drives or audio input, that could be used to produce high-quality randomness.
广泛可用的计算技术可以处理来自多个源的低质量随机量,或来自一个源的大量此类低质量输入,以生成数量较少的高质量键控材料。在没有随机性硬件源的情况下,可以经常小心地使用各种用户和软件源。然而,大多数现代系统已经有硬件,如磁盘驱动器或音频输入,可以用来产生高质量的随机性。
Once a sufficient quantity of high-quality seed key material (a couple of hundred bits) is available, computational techniques are available to produce cryptographically-strong sequences of computationally-unpredictable quantities from this seed material.
一旦有足够数量的高质量种子密钥材料(几百位)可用,就可以使用计算技术从该种子材料中生成计算上不可预测量的加密强序列。
The entirety of this document concerns techniques and recommendations for generating unguessable "random" quantities for use as passwords, cryptographic keys, initialization vectors, sequence numbers, and similar security applications.
本文件的全部内容涉及生成不可使用的“随机”量的技术和建议,用于密码、加密密钥、初始化向量、序列号和类似的安全应用。
Special thanks to Paul Hoffman and John Kelsey for their extensive comments and to Peter Gutmann, who has permitted the incorporation of material from his paper "Software Generation of Practically Strong Random Numbers".
特别感谢保罗·霍夫曼(Paul Hoffman)和约翰·凯尔西(John Kelsey)的广泛评论,以及彼得·古特曼(Peter Gutmann),他允许将其论文《几乎强随机数的软件生成》中的材料纳入其中。
The following people (in alphabetic order) have contributed substantially to this document:
以下人员(按字母顺序)对本文件做出了重大贡献:
Steve Bellovin, Daniel Brown, Don Davis, Peter Gutmann, Tony Hansen, Sandy Harris, Paul Hoffman, Scott Hollenback, Russ Housley, Christian Huitema, John Kelsey, Mats Naslund, and Damir Rajnovic.
史蒂夫·贝洛文、丹尼尔·布朗、唐·戴维斯、彼得·古特曼、托尼·汉森、桑迪·哈里斯、保罗·霍夫曼、斯科特·霍伦贝克、罗斯·霍斯利、克里斯蒂安·惠特马、约翰·凯尔西、马茨·纳斯伦德和达米尔·拉吉诺维奇。
The following people (in alphabetic order) contributed to RFC 1750, the predecessor of this document:
以下人员(按字母顺序)对本文件的前身RFC 1750作出了贡献:
David M. Balenson, Don T. Davis, Carl Ellison, Marc Horowitz, Christian Huitema, Charlie Kaufman, Steve Kent, Hal Murray, Neil Haller, Richard Pitkin, Tim Redmond, and Doug Tygar.
David M.Balenson、Don T.Davis、Carl Ellison、Marc Horowitz、Christian Huitema、Charlie Kaufman、Steve Kent、Hall Murray、Neil Haller、Richard Pitkin、Tim Redmond和Doug Tygar。
Appendix A: Changes from RFC 1750
附录A:RFC 1750的变更
1. Additional acknowledgements have been added.
1. 已添加其他确认。
2. Insertion of section 5.3 on mixing with S-boxes.
2. 插入第5.3节关于与S型盒混合的内容。
3. Addition of section 3.3 on Ring Oscillator randomness sources.
3. 增加关于环形振荡器随机性源的第3.3节。
4. Addition of AES and the members of the SHA series producing more than 160 bits. Use of AES has been emphasized and the use of DES de-emphasized.
4. 添加AES和SHA系列的成员,产生超过160位。强调了AES的使用,而不再强调DES的使用。
5. Addition of section 6.3 on entropy pool techniques.
5. 增加关于熵池技术的第6.3节。
6. Addition of section 7.2.3 on the pseudo-random number generation techniques given in FIPS 186-2 (with Change Notice 1), 7.2.1 on those given in X9.82, section 7.1.2 on the random number generation techniques of the /dev/random device in Linux and other UNIX systems, and section 7.1.3 on random number generation techniques in the Windows operating system.
6. 增加了第7.2.3节关于FIPS 186-2(更改通知1)中给出的伪随机数生成技术,第7.2.1节关于X9.82中给出的伪随机数生成技术,第7.1.2节关于Linux和其他UNIX系统中/dev/random设备的随机数生成技术,第7.1.3节介绍Windows操作系统中的随机数生成技术。
7. Addition of references to the "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" study published in January 1996 [KeyStudy] and to [RFC1948].
7. 增加了1996年1月发表的“对称密码提供充分商业安全的最小密钥长度”研究[KeyStudy]和[RFC1948]的参考文献。
8. Added caveats to using Diffie-Hellman as a mixing function and, because of those caveats and its computationally intensive nature, recommend against its use.
8. 增加了使用Diffie-Hellman作为混合函数的注意事项,由于这些注意事项及其计算密集性,建议不要使用它。
9. Addition of references to the X9.82 effort and the [TURBID] and [NASLUND] papers.
9. 增加了对X9.82工作和[浑浊]和[NASLUND]论文的参考。
10. Addition of discussion of min-entropy and Renyi entropy and references to the [LUBY] book.
10. 增加了对最小熵和仁义熵的讨论,并参考了[LUBY]一书。
11. Major restructuring, minor wording changes, and a variety of reference updates.
11. 重大重组、细微措辞变更和各种参考更新。
Informative References
资料性引用
[AES] "Specification of the Advanced Encryption Standard (AES)", United States of America, US National Institute of Standards and Technology, FIPS 197, November 2001.
[AES]“高级加密标准(AES)规范”,美利坚合众国,美国国家标准与技术研究所,FIPS 197,2001年11月。
[ASYMMETRIC] Simmons, G., Ed., "Secure Communications and Asymmetric Cryptosystems", AAAS Selected Symposium 69, ISBN 0-86531-338-5, Westview Press, 1982.
[非对称]Simmons,G.,Ed.,“安全通信和非对称密码系统”,AAAS选择研讨会69,ISBN 0-86531-338-5,Westview出版社,1982年。
[BBS] Blum, L., Blum, M., and M. Shub, "A Simple Unpredictable Pseudo-Random Number Generator", SIAM Journal on Computing, v. 15, n. 2, 1986.
[BBS]Blum,L.,Blum,M.,和M.Shub,“一个简单的不可预测的伪随机数生成器”,暹罗计算杂志,v。15,n。2, 1986.
[BRILLINGER] Brillinger, D., "Time Series: Data Analysis and Theory", Holden-Day, 1981.
[BRILLINGER]BRILLINGER,D.,“时间序列:数据分析和理论”,霍尔顿日,1981年。
[CRC] "C.R.C. Standard Mathematical Tables", Chemical Rubber Publishing Company.
[CRC]“C.R.C.标准数学表”,化学橡胶出版公司。
[DAVIS] Davis, D., Ihaka, R., and P. Fenstermacher, "Cryptographic Randomness from Air Turbulence in Disk Drives", Advances in Cryptology - Crypto '94, Springer-Verlag Lecture Notes in Computer Science #839, 1984.
[DAVIS]DAVIS,D.,Ihaka,R.,和P.Fenstermacher,“磁盘驱动器中空气湍流产生的密码随机性”,《密码学进展——加密》94,Springer-Verlag《计算机科学》课堂讲稿#839,1984。
[DES] "Data Encryption Standard", US National Institute of Standards and Technology, FIPS 46-3, October 1999. Also, "Data Encryption Algorithm", American National Standards Institute, ANSI X3.92-1981. See also FIPS 112, "Password Usage", which includes FORTRAN code for performing DES.
[DES]“数据加密标准”,美国国家标准与技术研究所,FIPS 46-3,1999年10月。此外,“数据加密算法”,美国国家标准协会,ANSI X3.92-1981。另见FIPS 112,“密码使用”,其中包括用于执行DES的FORTRAN代码。
[D-H] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999.
[D-H]Rescorla,E.,“Diffie-Hellman密钥协商方法”,RFC 26311999年6月。
[DNSSEC1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, March 2005.
[DNSSEC1]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全介绍和要求”,RFC 4033,2005年3月。
[DNSSEC2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, March 2005.
[DNSSEC2]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的资源记录”,RFC 40342005年3月。
[DNSSEC3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Protocol Modifications for the DNS Security Extensions", RFC 4035, March 2005.
[DNSSEC3]Arends,R.,Austein,R.,Larson,M.,Massey,D.,和S.Rose,“DNS安全扩展的协议修改”,RFC 4035,2005年3月。
[DoD] "Password Management Guideline", United States of America, Department of Defense, Computer Security Center, CSC-STD-002-85, April 1885.
[国防部]《密码管理指南》,美国国防部计算机安全中心,CSC-STD-002-851885年4月。
(See also "Password Usage", FIPS 112, which incorporates CSC-STD-002-85 as one of its appendices. FIPS 112 is currently available at: http://www.idl.nist.gov/fipspubs/fip112.htm.)
(另请参见“密码使用”,FIPS 112,其中包含CSC-STD-002-85作为其附录之一。FIPS 112目前可从以下网址获得:http://www.idl.nist.gov/fipspubs/fip112.htm.)
[DSS] "Digital Signature Standard (DSS)", US National Institute of Standards and Technology, FIPS 186-2, January 2000.
[DSS]“数字签名标准(DSS)”,美国国家标准与技术研究所,FIPS 186-22000年1月。
[DSS_CN1] "Digital Signature Standard Change Notice 1", US National Institute of Standards and Technology, FIPS 186-2 Change Notice 1, 5, October 2001.
[DSS_CN1]“数字签名标准变更通知1”,美国国家标准与技术研究所,FIPS 186-2变更通知1,2001年10月5日。
[FERGUSON] Ferguson, N. and B. Schneier, "Practical Cryptography", Wiley Publishing Inc., ISBN 047122894X, April 2003.
[FERGUSON]FERGUSON,N.和B.Schneier,“实用密码术”,威利出版公司,ISBN 047122894X,2003年4月。
[GIFFORD] Gifford, D., "Natural Random Number", MIT/LCS/TM-371, September 1988.
[GIFFORD]GIFFORD,D.,“自然随机数”,麻省理工学院/LCS/TM-3711988年9月。
[IEEE_802.11i] "Amendment to Standard for Telecommunications and Information Exchange Between Systems - LAN/MAN Specific Requirements - Part 11: Wireless Medium Access Control (MAC) and physical layer (PHY) specifications: Medium Access Control (MAC) Security Enhancements", IEEE, January 2004.
[IEEE_802.11i]“系统间电信和信息交换标准的修订-局域网/城域网特定要求-第11部分:无线介质访问控制(MAC)和物理层(PHY)规范:介质访问控制(MAC)安全增强”,IEEE,2004年1月。
[IPSEC] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[IPSEC]Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。
[Jakobsson] Jakobsson, M., Shriver, E., Hillyer, B., and A. Juels, "A practical secure random bit generator", Proceedings of the Fifth ACM Conference on Computer and Communications Security, 1998.
[Jakobson]Jakobson,M.,Shriver,E.,Hillyer,B.,和A.Juels,“实用安全随机位生成器”,第五届ACM计算机和通信安全会议记录,1998年。
[KAUFMAN] Kaufman, C., Perlman, R., and M. Speciner, "Network Security: Private Communication in a Public World", Prentis Hall PTR, ISBN 0-13-046019-2, 2nd Edition 2002.
[KAUFMAN]KAUFMAN,C.,Perlman,R.,和M.Speciner,“网络安全:公共世界中的私人通信”,Prentis Hall PTR,ISBN 0-13-046019-2,2002年第二版。
[KeyStudy] Blaze, M., Diffie, W., Riverst, R., Schneier, B. Shimomura, T., Thompson, E., and M. Weiner, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists", January 1996. Currently available at: http://www.crypto.com/papers/keylength.txt and http://www.securitydocs.com/library/441.
[KeyStudy]Blaze,M.,Diffie,W.,Riverst,R.,Schneier,B.Shimomura,T.,Thompson,E.,和M.Weiner,“对称密码提供充分商业安全的最小密钥长度:密码学家和计算机科学家特设小组的报告”,1996年1月。目前可在以下网址获得:http://www.crypto.com/papers/keylength.txt 和http://www.securitydocs.com/library/441.
[KNUTH] Knuth, D., "The Art of Computer Programming", Volume 2: Seminumerical Algorithms, Chapter 3: Random Numbers, Addison-Wesley Publishing Company, 3rd Edition, November 1997.
[KNUTH]KNUTH,D.,“计算机编程的艺术”,第2卷:半数值算法,第3章:随机数,Addison-Wesley出版社,第3版,1997年11月。
[KRAWCZYK] Krawczyk, H., "How to Predict Congruential Generators", Journal of Algorithms, V. 13, N. 4, December 1992.
[KRAWCZYK]KRAWCZYK,H.,“如何预测同余生成元”,《算法杂志》,第13卷,第4期,1992年12月。
[LUBY] Luby, M., "Pseudorandomness and Cryptographic Applications", Princeton University Press, ISBN 0691025460, 8 January 1996.
[LUBY]LUBY,M.,“伪随机性和密码应用”,普林斯顿大学出版社,ISBN 0691025460,1996年1月8日。
[MAIL_PEM1] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures", RFC 1421, February 1993.
[MAIL_PEM1]Linn,J.,“互联网电子邮件的隐私增强:第一部分:信息加密和认证程序”,RFC 14211993年2月。
[MAIL_PEM2] Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management", RFC 1422, February 1993.
[MAIL_PEM2]Kent,S.,“因特网电子邮件的隐私增强:第二部分:基于证书的密钥管理”,RFC 1422,1993年2月。
[MAIL_PEM3] Balenson, D., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423, February 1993.
[MAIL_PEM3]Balenson,D.,“互联网电子邮件的隐私增强:第三部分:算法、模式和标识符”,RFC 1423,1993年2月。
[MAIL_PEM4] Kaliski, B., "Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services", RFC 1424, February 1993.
[MAIL_PEM4]Kaliski,B.,“互联网电子邮件的隐私增强:第四部分:关键认证和相关服务”,RFC 1424,1993年2月。
[MAIL_PGP1] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, "OpenPGP Message Format", RFC 2440, November 1998.
[MAIL_PGP1]Callas,J.,Donnerhacke,L.,Finney,H.,和R.Thayer,“OpenPGP消息格式”,RFC 24401998年11月。
[MAIL_PGP2] Elkins, M., Del Torto, D., Levien, R., and T. Roessler, "MIME Security with OpenPGP", RFC 3156, August 2001.
[MAIL_PGP2]Elkins,M.,Del Torto,D.,Levien,R.,和T.Roessler,“OpenPGP的MIME安全性”,RFC 3156,2001年8月。
[S/MIME] RFCs 2632 through 2634:
[S/MIME]RFCs 2632至2634:
Ramsdell, B., "S/MIME Version 3 Certificate Handling", RFC 2632, June 1999.
Ramsdell,B.,“S/MIME版本3证书处理”,RFC 2632,1999年6月。
Ramsdell, B., "S/MIME Version 3 Message Specification", RFC 2633, June 1999.
Ramsdell,B.,“S/MIME版本3消息规范”,RFC 2633,1999年6月。
Hoffman, P., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.
Hoffman,P.,“S/MIME的增强安全服务”,RFC 2634,1999年6月。
[MD4] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.
[MD4]Rivest,R.,“MD4消息摘要算法”,RFC1320,1992年4月。
[MD5] Rivest, R., "The MD5 Message-Digest Algorithm ", RFC 1321, April 1992.
[MD5]Rivest,R.,“MD5消息摘要算法”,RFC 13211992年4月。
[MODES] "DES Modes of Operation", US National Institute of Standards and Technology, FIPS 81, December 1980. Also: "Data Encryption Algorithm - Modes of Operation", American National Standards Institute, ANSI X3.106-1983.
[模式]“DES操作模式”,美国国家标准与技术研究所,FIPS 811980年12月。另外:“数据加密算法-操作模式”,美国国家标准协会,ANSI X3.106-1983。
[MOORE] Moore's Law: the exponential increase in the logic density of silicon circuits. Originally formulated by Gordon Moore in 1964 as a doubling every year starting in 1962, in the late 1970s the rate fell to a doubling every 18 months and has remained there through the date of this document. See "The New Hacker's Dictionary", Third Edition, MIT Press, ISBN 0-262-18178-9, Eric S. Raymond, 1996.
摩尔定律:硅电路逻辑密度的指数增长。最初由戈登·摩尔(Gordon Moore)于1964年提出,从1962年开始每年翻一番。20世纪70年代末,该比率降至每18个月翻一番,并一直保持到本文件发布之日。见“新黑客词典”,第三版,麻省理工学院出版社,ISBN 0-262-18178-9,埃里克·s·雷蒙德,1996年。
[NASLUND] Naslund, M. and A. Russell, "Extraction of Optimally Unbiased Bits from a Biased Source", IEEE Transactions on Information Theory. 46(3), May 2000.
[NASLUND]NASLUND,M.和A.Russell,“从有偏源中提取最佳无偏位”,IEEE信息论交易。46(3),2000年5月。
[ORMAN] Orman, H. and P. Hoffman, "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, April 2004.
[ORMAN]ORMAN,H.和P.Hoffman,“确定用于交换对称密钥的公钥的强度”,BCP 86,RFC 3766,2004年4月。
[RFC1750] Eastlake 3rd, D., Crocker, S., and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.
[RFC1750]Eastlake 3rd,D.,Crocker,S.,和J.Schiller,“安全性的随机性建议”,RFC 1750,1994年12月。
[RFC1948] Bellovin, S., "Defending Against Sequence Number Attacks", RFC 1948, May 1996.
[RFC1948]Bellovin,S.,“防御序列号攻击”,RFC 1948,1996年5月。
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。
[RSA_BULL1] "Suggestions for Random Number Generation in Software", RSA Laboratories Bulletin #1, January 1996.
[RSA#u BULL1]“软件中随机数生成的建议”,RSA实验室公报#1,1996年1月。
[RSA_BULL13] Silverman, R., "A Cost-Based Security Analysis of Symmetric and Asymmetric Key Lengths", RSA Laboratories Bulletin #13, April 2000 (revised November 2001).
[RSA#u BULL13]Silverman,R.,“对称和非对称密钥长度的基于成本的安全分析”,RSA实验室公告,2000年4月13日(2001年11月修订)。
[SBOX1] Mister, S. and C. Adams, "Practical S-box Design", Selected Areas in Cryptography, 1996.
[SBOX1]Mister,S.和C.Adams,“实用S盒设计”,密码学选定领域,1996年。
[SBOX2] Nyberg, K., "Perfect Non-linear S-boxes", Advances in Cryptography, Eurocrypt '91 Proceedings, Springer-Verland, 1991.
[SBOX2]Nyberg,K.,“完美非线性S-盒”,密码学进展,欧洲密码'91会议录,Springer Verland,1991年。
[SCHNEIER] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and Source Code in C", 2nd Edition, John Wiley & Sons, 1996.
[SCHNEIER]SCHNEIER,B.,“应用密码学:C语言中的协议、算法和源代码”,第二版,John Wiley&Sons,1996年。
[SHANNON] Shannon, C., "The Mathematical Theory of Communication", University of Illinois Press, 1963. Originally from: Bell System Technical Journal, July and October, 1948.
Shannon,C.,《通信的数学理论》,伊利诺伊大学出版社,1963。原文:贝尔系统技术杂志,1948年7月和10月。
[SHIFT1] Golub, S., "Shift Register Sequences", Aegean Park Press, Revised Edition, 1982.
[SHIFT1]Golub,S.,“移位寄存器序列”,爱琴海公园出版社,修订版,1982年。
[SHIFT2] Barker, W., "Cryptanalysis of Shift-Register Generated Stream Cypher Systems", Aegean Park Press, 1984.
[SHIFT2]Barker,W.“移位寄存器生成的流密码系统的密码分析”,爱琴海公园出版社,1984年。
[SHA] "Secure Hash Standard", US National Institute of Science and Technology, FIPS 180-2, 1 August 2002.
[SHA]“安全哈希标准”,美国国家科学技术研究所,FIPS 180-22002年8月1日。
[SHA_RFC] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001.
[SHA_RFC]Eastlake 3rd,D.和P.Jones,“美国安全哈希算法1(SHA1)”,RFC 31742001年9月。
[SSH] Products of the SECSH Working Group, Works in Progress, 2005.
[SSH]SECSH工作组的产品,在建工程,2005年。
[STERN] Stern, J., "Secret Linear Congruential Generators are not Cryptographically Secure", Proc. IEEE STOC, 1987.
[STERN]STERN,J.,“秘密线性同余生成器不是加密安全的”,Proc。IEEE STOC,1987年。
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.
[TLS]Dierks,T.和C.Allen,“TLS协议版本1.0”,RFC 2246,1999年1月。
[TURBID] Denker, J., "High Entropy Symbol Generator", <http://www.av8n.com/turbid/paper/turbid.htm>, 2003.
[混浊]Denker,J.,“高熵符号发生器”<http://www.av8n.com/turbid/paper/turbid.htm>, 2003.
[USENET_1] Kantor, B. and P. Lapsley, "Network News Transfer Protocol", RFC 977, February 1986.
[USENET_1]Kantor,B.和P.Lapsley,“网络新闻传输协议”,RFC 977,1986年2月。
[USENET_2] Barber, S., "Common NNTP Extensions", RFC 2980, October 2000.
[USENET_2]Barber,S.,“通用NNTP扩展”,RFC 29802000年10月。
[VON_NEUMANN] Von Nuemann, J., "Various techniques used in connection with random digits", Von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963.
[VON_NEUMANN]VON Nuemann,J.,“与随机数字相关的各种技术”,VON NEUMANN的作品集,第5卷,佩加蒙出版社,1963年。
[WSC] Howard, M. and D. LeBlanc, "Writing Secure Code, Second Edition", Microsoft Press, ISBN 0735617228, December 2002.
[WSC]霍华德,M.和D. LeBlanc,“编写安全代码,第二版”,微软出版社,ISBN 0735617228,2002年12月。
[X9.17] "American National Standard for Financial Institution Key Management (Wholesale)", American Bankers Association, 1985.
[X9.17]“美国金融机构密钥管理国家标准(批发)”,美国银行家协会,1985年。
[X9.82] "Random Number Generation", American National Standards Institute, ANSI X9F1, Work in Progress. Part 1 - Overview and General Principles. Part 2 - Non-Deterministic Random Bit Generators Part 3 - Deterministic Random Bit Generators
[X9.82]“随机数生成”,美国国家标准协会,ANSI X9F1,正在进行中。第1部分-概述和一般原则。第2部分-非确定性随机位生成器第3部分-确定性随机位生成器
Authors' Addresses
作者地址
Donald E. Eastlake 3rd Motorola Laboratories 155 Beaver Street Milford, MA 01757 USA
Donald E.Eastlake 3rd Motorola Laboratories美国马萨诸塞州米尔福德市海狸街155号,邮编01757
Phone: +1 508-786-7554 (w)
+1 508-634-2066 (h)
EMail: Donald.Eastlake@motorola.com
Phone: +1 508-786-7554 (w)
+1 508-634-2066 (h)
EMail: Donald.Eastlake@motorola.com
Jeffrey I. Schiller MIT, Room E40-311 77 Massachusetts Avenue Cambridge, MA 02139-4307 USA
杰弗里·席勒麻省理工学院,美国马萨诸塞州剑桥马萨诸塞大道77号E40-311室,邮编:02139-4307
Phone: +1 617-253-0161
EMail: jis@mit.edu
Phone: +1 617-253-0161
EMail: jis@mit.edu
Steve Crocker
斯蒂芬·克罗克
EMail: steve@stevecrocker.com
EMail: steve@stevecrocker.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。