BCP 86, RFC 4086 on Randomness Requirements for Security

rfc-editor@rfc-editor.org Mon, 06 June 2005 23:45 UTC

A new Request for Comments is now available in online RFC libraries.

        BCP 106
        RFC 4086

        Title:      Randomness Requirements for Security
        Author(s):  D. Eastlake, 3rd, J. Schiller, S. Crocker
        Status:     Best Current Practice
        Date:       June 2005
        Mailbox:    Donald.Eastlake@motorola.com, jis@mit.edu,
        Pages:      48
        Characters: 114321
        Obsoletes:  1750
        See Also:   BCP 106

        I-D Tag:    draft-eastlake-randomness2-10.txt

        URL:        ftp://ftp.rfc-editor.org/in-notes/rfc4086.txt

Security systems are built on strong cryptographic algorithms that
foil pattern analysis attempts.  However, the security of these
systems is dependent on generating secret quantities for passwords,
cryptographic keys, and similar quantities.  The use of pseudo-random
processes to generate secret quantities can result in pseudo-security.
A sophisticated attacker may find it easier to reproduce the
environment that produced the secret quantities and to search the
resulting small set of possibilities than to locate the quantities in
the whole of the potential number space.

Choosing random quantities to foil a resourceful and motivated
adversary is surprisingly difficult.  This document points out many
pitfalls in using poor entropy sources or traditional pseudo-random
number generation techniques for generating such quantities.  It
recommends the use of truly random hardware techniques and shows that
the existing hardware on many systems can be used for this purpose.
It provides suggestions to ameliorate the problem when a hardware
solution is not available, and it gives examples of how large such
quantities need to be for some applications.

This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements.  Distribution of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body 
help: ways_to_get_rfcs.  For example:

        To: rfc-info@RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

Submissions for Requests for Comments should be sent to
RFC-EDITOR@RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.

Joyce K. Reynolds and Sandy Ginoza
USC/Information Sciences Institute

