rfc1750.txt

bind 9.3结合mysql数据库

   the number of minutes from midnight on two clocks accurate to a few
   seconds, then each might appear random if sampled at random intervals
   much longer than a minute.  Yet if they were both sampled and
   combined with xor, the result would be zero most of the time.

6.1.2 Stronger Mixing Functions

   The US Government Data Encryption Standard [DES] is an example of a
   strong mixing function for multiple bit quantities.  It takes up to
   120 bits of input (64 bits of "data" and 56 bits of "key") and
   produces 64 bits of output each of which is dependent on a complex
   non-linear function of all input bits.  Other strong encryption
   functions with this characteristic can also be used by considering
   them to mix all of their key and data input bits.

   Another good family of mixing functions are the "message digest" or
   hashing functions such as The US Government Secure Hash Standard
   [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series.  These functions
   all take an arbitrary amount of input and produce an output mixing
   all the input bits. The MD* series produce 128 bits of output and SHS
   produces 160 bits.






Eastlake, Crocker & Schiller                                   [Page 16]

RFC 1750        Randomness Recommendations for Security    December 1994


   Although the message digest functions are designed for variable
   amounts of input, DES and other encryption functions can also be used
   to combine any number of inputs.  If 64 bits of output is adequate,
   the inputs can be packed into a 64 bit data quantity and successive
   56 bit keys, padding with zeros if needed, which are then used to
   successively encrypt using DES in Electronic Codebook Mode [DES
   MODES].  If more than 64 bits of output are needed, use more complex
   mixing.  For example, if inputs are packed into three quantities, A,
   B, and C, use DES to encrypt A with B as a key and then with C as a
   key to produce the 1st part of the output, then encrypt B with C and
   then A for more output and, if necessary, encrypt C with A and then B
   for yet more output.  Still more output can be produced by reversing
   the order of the keys given above to stretch things. The same can be
   done with the hash functions by hashing various subsets of the input
   data to produce multiple outputs.  But keep in mind that it is
   impossible to get more bits of "randomness" out than are put in.

   An example of using a strong mixing function would be to reconsider
   the case of a string of 308 bits each of which is biased 99% towards
   zero.  The parity technique given in Section 5.2.1 above reduced this
   to one bit with only a 1/1000 deviance from being equally likely a
   zero or one.  But, applying the equation for information given in
   Section 2, this 308 bit sequence has 5 bits of information in it.
   Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the
   result would yield 5 unbiased random bits as opposed to the single
   bit given by calculating the parity of the string.

6.1.3 Diffie-Hellman as a Mixing Function

   Diffie-Hellman exponential key exchange is a technique that yields a
   shared secret between two parties that can be made computationally
   infeasible for a third party to determine even if they can observe
   all the messages between the two communicating parties.  This shared
   secret is a mixture of initial quantities generated by each of them
   [D-H].  If these initial quantities are random, then the shared
   secret contains the combined randomness of them both, assuming they
   are uncorrelated.

6.1.4 Using a Mixing Function to Stretch Random Bits

   While it is not necessary for a mixing function to produce the same
   or fewer bits than its inputs, mixing bits cannot "stretch" the
   amount of random unpredictability present in the inputs.  Thus four
   inputs of 32 bits each where there is 12 bits worth of
   unpredicatability (such as 4,096 equally probable values) in each
   input cannot produce more than 48 bits worth of unpredictable output.
   The output can be expanded to hundreds or thousands of bits by, for
   example, mixing with successive integers, but the clever adversary's



Eastlake, Crocker & Schiller                                   [Page 17]

RFC 1750        Randomness Recommendations for Security    December 1994


   search space is still 2^48 possibilities.  Furthermore, mixing to
   fewer bits than are input will tend to strengthen the randomness of
   the output the way using Exclusive Or to produce one bit from two did
   above.

   The last table in Section 6.1.1 shows that mixing a random bit with a
   constant bit with Exclusive Or will produce a random bit.  While this
   is true, it does not provide a way to "stretch" one random bit into
   more than one.  If, for example, a random bit is mixed with a 0 and
   then with a 1, this produces a two bit sequence but it will always be
   either 01 or 10.  Since there are only two possible values, there is
   still only the one bit of original randomness.

6.1.5 Other Factors in Choosing a Mixing Function

   For local use, DES has the advantages that it has been widely tested
   for flaws, is widely documented, and is widely implemented with
   hardware and software implementations available all over the world
   including source code available by anonymous FTP.  The SHS and MD*
   family are younger algorithms which have been less tested but there
   is no particular reason to believe they are flawed.  Both MD5 and SHS
   were derived from the earlier MD4 algorithm.  They all have source
   code available by anonymous FTP [SHS, MD2, MD4, MD5].

   DES and SHS have been vouched for the the US National Security Agency
   (NSA) on the basis of criteria that primarily remain secret.  While
   this is the cause of much speculation and doubt, investigation of DES
   over the years has indicated that NSA involvement in modifications to
   its design, which originated with IBM, was primarily to strengthen
   it.  No concealed or special weakness has been found in DES.  It is
   almost certain that the NSA modification to MD4 to produce the SHS
   similarly strengthened the algorithm, possibly against threats not
   yet known in the public cryptographic community.

   DES, SHS, MD4, and MD5 are royalty free for all purposes.  MD2 has
   been freely licensed only for non-profit use in connection with
   Privacy Enhanced Mail [PEM].  Between the MD* algorithms, some people
   believe that, as with "Goldilocks and the Three Bears", MD2 is strong
   but too slow, MD4 is fast but too weak, and MD5 is just right.

   Another advantage of the MD* or similar hashing algorithms over
   encryption algorithms is that they are not subject to the same
   regulations imposed by the US Government prohibiting the unlicensed
   export or import of encryption/decryption software and hardware.  The
   same should be true of DES rigged to produce an irreversible hash
   code but most DES packages are oriented to reversible encryption.





Eastlake, Crocker & Schiller                                   [Page 18]

RFC 1750        Randomness Recommendations for Security    December 1994


6.2 Non-Hardware Sources of Randomness

   The best source of input for mixing would be a hardware randomness
   such as disk drive timing affected by air turbulence, audio input
   with thermal noise, or radioactive decay.  However, if that is not
   available there are other possibilities.  These include system
   clocks, system or input/output buffers, user/system/hardware/network
   serial numbers and/or addresses and timing, and user input.
   Unfortunately, any of these sources can produce limited or
   predicatable values under some circumstances.

   Some of the sources listed above would be quite strong on multi-user
   systems where, in essence, each user of the system is a source of
   randomness.  However, on a small single user system, such as a
   typical IBM PC or Apple Macintosh, it might be possible for an
   adversary to assemble a similar configuration.  This could give the
   adversary inputs to the mixing process that were sufficiently
   correlated to those used originally as to make exhaustive search
   practical.

   The use of multiple random inputs with a strong mixing function is
   recommended and can overcome weakness in any particular input.  For
   example, the timing and content of requested "random" user keystrokes
   can yield hundreds of random bits but conservative assumptions need
   to be made.  For example, assuming a few bits of randomness if the
   inter-keystroke interval is unique in the sequence up to that point
   and a similar assumption if the key hit is unique but assuming that
   no bits of randomness are present in the initial key value or if the
   timing or key value duplicate previous values.  The results of mixing
   these timings and characters typed could be further combined with
   clock values and other inputs.

   This strategy may make practical portable code to produce good random
   numbers for security even if some of the inputs are very weak on some
   of the target systems.  However, it may still fail against a high
   grade attack on small single user systems, especially if the
   adversary has ever been able to observe the generation process in the
   past.  A hardware based random source is still preferable.

6.3 Cryptographically Strong Sequences

   In cases where a series of random quantities must be generated, an
   adversary may learn some values in the sequence.  In general, they
   should not be able to predict other values from the ones that they
   know.






Eastlake, Crocker & Schiller                                   [Page 19]

RFC 1750        Randomness Recommendations for Security    December 1994


   The correct technique is to start with a strong random seed, take
   cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and
   do not reveal the complete state of the generator in the sequence
   elements.  If each value in the sequence can be calculated in a fixed
   way from the previous value, then when any value is compromised, all
   future values can be determined.  This would be the case, for
   example, if each value were a constant function of the previously
   used values, even if the function were a very strong, non-invertible
   message digest function.

   It should be noted that if your technique for generating a sequence
   of key values is fast enough, it can trivially be used as the basis
   for a confidentiality system.  If two parties use the same sequence
   generating technique and start with the same seed material, they will
   generate identical sequences.  These could, for example, be xor'ed at
   one end with data being send, encrypting it, and xor'ed with this
   data as received, decrypting it due to the reversible properties of
   the xor operation.

6.3.1 Traditional Strong Sequences

   A traditional way to achieve a strong sequence has been to have the
   values be produced by hashing the quantities produced by
   concatenating the seed with successive integers or the like and then
   mask the values obtained so as to limit the amount of generator state
   available to the adversary.

   It may also be possible to use an "encryption" algorithm with a
   random key and seed value to encrypt and feedback some or all of the
   output encrypted value into the value to be encrypted for the next
   iteration.  Appropriate feedback techniques will usually be
   recommended with the encryption algorithm.  An example is shown below
   where shifting and masking are used to combine the cypher output
   feedback.  This type of feedback is recommended by the US Government
   in connection with DES [DES MODES].
















Eastlake, Crocker & Schiller                                   [Page 20]

RFC 1750        Randomness Recommendations for Security    December 1994


      +---------------+
      |       V       |
      |  |     n      |
      +--+------------+
            |      |           +---------+
            |      +---------> |         |      +-----+
         +--+                  | Encrypt | <--- | Key |
         |           +-------- |         |      +-----+
         |           |         +---------+
         V           V
      +------------+--+
      |      V     |  |
      |       n+1     |
      +---------------+

   Note that if a shift of one is used, this is the same as the shift
   register technique described in Section 3 above but with the all
   important difference that the feedback is determined by a complex
   non-linear function of all bits rather than a simple linear or
   polynomial combination of output from a few bit position taps.

   It has been shown by Donald W. Davies that this sort of shifted
   partial output feedback significantly weakens an algorithm compared
   will feeding all of the output bits back as input.  In particular,
   for DES, repeated encrypting a full 64 bit quantity will give an
   expected repeat in about 2^63 iterations.  Feeding back anything less
   than 64 (and more than 0) bits will give an expected repeat in
   between 2**31 and 2**32 iterations!

   To predict values of a sequence from others when the sequence was
   generated by these techniques is equivalent to breaking the
   cryptosystem or inverting the "non-invertible" hashing involved with
   only partial information available.  The less information revealed
   each iteration, the harder it will be for an adversary to predict the