A new Request for Comments is now available in online RFC libraries.


        RFC 1750:

        Title:      Randomness Recommendations for Security
        Author:     D. Eastlake, 3rd, S. Crocker & J. Schiller
        Date:       December 1994
        Mailbox:    dee@lkg.dec.com, crocker@cybercash.com,
                    jis@mit.edu
        Pages:      25
        Characters: 73,842
        Updates/Obsoletes:  none

        URL:        ftp://ds.internic.net/rfc/rfc1750.txt


Security systems today are built on increasingly strong cryptographic
algorithms that foil pattern analysis attempts. However, the security
of these systems is dependent on generating secret quantities for
passwords, cryptographic keys, and similar quantities.  The use of
pseudo-random processes to generate secret quantities can result in
pseudo-security.  The sophisticated attacker of these security systems
may find it easier to reproduce the environment that produced the
secret quantities, searching the resulting small set of possibilities,
than to locate the quantities in the whole of the number space.
Choosing random quantities to foil a resourceful and motivated
adversary is surprisingly difficult.  This paper points out many
pitfalls in using traditional pseudo-random number generation
techniques for choosing such quantities.  It recommends the use of
truly random hardware techniques and shows that the existing hardware
on many systems can be used for this purpose.  It provides suggestions
to ameliorate the problem when a hardware solution is not available.
And it gives examples of how large such quantities need to be for some
particular applications.

This memo provides information for the Internet community.  This memo
does not specify an Internet standard of any kind.  Distribution of
this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@CNRI.RESTON.VA.US.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-REQUEST@NIC.DDN.MIL.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@ISI.EDU with the message body 
help: ways_to_get_rfcs.  For example:

        To: rfc-info@ISI.EDU
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to admin@DS.INTERNIC.NET.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

Submissions for Requests for Comments should be sent to
RFC-EDITOR@ISI.EDU.  Please consult RFC 1543, Instructions to RFC
Authors, for further information.


Joyce K. Reynolds
USC/Information Sciences Institute