• Subject: Re: Secure PRNG?
  • From: Larry Loen <lwloen@xxxxxxxxxxxx>
  • Date: Tue, 28 Mar 2000 14:24:30 -0600 (CST)

If you are dealing with security problems relating to  
this sort of thing, I suggest you try the book 
"Modern Cryptography" by Meyer and Matyas, available 
in any decent technical library.  I believe that 
somewhere, it covers topics like this.  Certainly, 
the discussions on key management will be very 
relevant to your question. 

It's a fairly old book now, but still readable and 
for my money, clear and useful in a field where 
one's intuition often fails. 

When it comes to this sort of thing, it is easy to 
implement things that _look_ good, but are really 
very weak (ie, you don't preserve whatever secrets 
you think you're preserving even though a lot of 
scrambled up looking data is flowing around). 

You may well find, for instance, that a cryptographically 
random _seed_ is insufficient if that seed is then fed 
into a standard pseudorandom number generator.  Abusing 
pseudo random number generators for cryptographic use 
is well known to be a problem to those who know 
how to hack ciphers, but is surprisingly unknown to the general 
programmers whose exposure to security is intermittent 
and only a small part of a larger job.   

If that's what you intend; don't do it. 

If you need to secure data, you may need to use a decent cryptography  
system to really secure the data you're 
trying to secure, because many non-cryptographic programmable 
"random number generators" are totally insecure against 
50 year old cryptography methods.  Some can even be cracked 
with ordinary paper and pencil!  The old Data Encryption 
Standard has a mode which works in the role you may be 
thinking of here and it is very random and also  
cryptographically strong. 

Please note, also, that if you are trying to 
secure some data this way, the general security of the AS/400 
is presumably irrelevant.  That is, if you are sure 
that AS/400 can keep the data from flowing to those 
without proper access via the regular AS/400 security,  
you don't need any kind of cryptography 
with our without a pseudo random number generator. 

On the other hand, if the data is, say, flowing outside 
of the '400 on the general Internet, or is otherwise 
in a *PUBLIC file or something, then your security is  
entirely dependent on the quality of the method you use 
to encrypt the data. 


Larry W. Loen (lwloen@rchland.vnet.ibm.com) 
Department HP4 
IBM   Rochester, Minnesota 
      (507)253-3535 
      t/l  553-3535  
+---
| This is the JAVA/400 Mailing List!
| To submit a new message, send your mail to JAVA400-L@midrange.com.
| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: joe@zappie.net
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.