rfc1750.txt

bind 9.3结合mysql数据库

   sequence.  Thus it is best to use only one bit from each value.  It
   has been shown that in some cases this makes it impossible to break a
   system even when the cryptographic system is invertible and can be
   broken if all of each generated value was revealed.

6.3.2 The Blum Blum Shub Sequence Generator

   Currently the generator which has the strongest public proof of
   strength is called the Blum Blum Shub generator after its inventors
   [BBS].  It is also very simple and is based on quadratic residues.
   It's only disadvantage is that is is computationally intensive
   compared with the traditional techniques give in 6.3.1 above.  This
   is not a serious draw back if it is used for moderately infrequent
   purposes, such as generating session keys.



Eastlake, Crocker & Schiller                                   [Page 21]

RFC 1750        Randomness Recommendations for Security    December 1994


   Simply choose two large prime numbers, say p and q, which both have
   the property that you get a remainder of 3 if you divide them by 4.
   Let n = p * q.  Then you choose a random number x relatively prime to
   n.  The initial seed for the generator and the method for calculating
   subsequent values are then

                   2
        s    =  ( x  )(Mod n)
         0

                   2
        s    = ( s   )(Mod n)
         i+1      i

   You must be careful to use only a few bits from the bottom of each s.
   It is always safe to use only the lowest order bit.  If you use no
   more than the

                  log  ( log  ( s  ) )
                     2      2    i

   low order bits, then predicting any additional bits from a sequence
   generated in this manner is provable as hard as factoring n.  As long
   as the initial x is secret, you can even make n public if you want.

   An intersting characteristic of this generator is that you can
   directly calculate any of the s values.  In particular

                     i
               ( ( 2  )(Mod (( p - 1 ) * ( q - 1 )) ) )
      s  = ( s                                          )(Mod n)
       i      0

   This means that in applications where many keys are generated in this
   fashion, it is not necessary to save them all.  Each key can be
   effectively indexed and recovered from that small index and the
   initial s and n.

7. Key Generation Standards

   Several public standards are now in place for the generation of keys.
   Two of these are described below.  Both use DES but any equally
   strong or stronger mixing function could be substituted.








Eastlake, Crocker & Schiller                                   [Page 22]

RFC 1750        Randomness Recommendations for Security    December 1994


7.1 US DoD Recommendations for Password Generation

   The United States Department of Defense has specific recommendations
   for password generation [DoD].  They suggest using the US Data
   Encryption Standard [DES] in Output Feedback Mode [DES MODES] as
   follows:

        use an initialization vector determined from
             the system clock,
             system ID,
             user ID, and
             date and time;
        use a key determined from
             system interrupt registers,
             system status registers, and
             system counters; and,
        as plain text, use an external randomly generated 64 bit
        quantity such as 8 characters typed in by a system
        administrator.

   The password can then be calculated from the 64 bit "cipher text"
   generated in 64-bit Output Feedback Mode.  As many bits as are needed
   can be taken from these 64 bits and expanded into a pronounceable
   word, phrase, or other format if a human being needs to remember the
   password.

7.2 X9.17 Key Generation

   The American National Standards Institute has specified a method for
   generating a sequence of keys as follows:

        s  is the initial 64 bit seed
         0

        g  is the sequence of generated 64 bit key quantities
         n

        k is a random key reserved for generating this key sequence

        t is the time at which a key is generated to as fine a resolution
            as is available (up to 64 bits).

        DES ( K, Q ) is the DES encryption of quantity Q with key K








Eastlake, Crocker & Schiller                                   [Page 23]

RFC 1750        Randomness Recommendations for Security    December 1994


        g    = DES ( k, DES ( k, t ) .xor. s  )
         n                                  n

        s    = DES ( k, DES ( k, t ) .xor. g  )
         n+1                                n

   If g sub n is to be used as a DES key, then every eighth bit should
   be adjusted for parity for that use but the entire 64 bit unmodified
   g should be used in calculating the next s.

8. Examples of Randomness Required

   Below are two examples showing rough calculations of needed
   randomness for security.  The first is for moderate security
   passwords while the second assumes a need for a very high security
   cryptographic key.

8.1  Password Generation

   Assume that user passwords change once a year and it is desired that
   the probability that an adversary could guess the password for a
   particular account be less than one in a thousand.  Further assume
   that sending a password to the system is the only way to try a
   password.  Then the crucial question is how often an adversary can
   try possibilities.  Assume that delays have been introduced into a
   system so that, at most, an adversary can make one password try every
   six seconds.  That's 600 per hour or about 15,000 per day or about
   5,000,000 tries in a year.  Assuming any sort of monitoring, it is
   unlikely someone could actually try continuously for a year.  In
   fact, even if log files are only checked monthly, 500,000 tries is
   more plausible before the attack is noticed and steps taken to change
   passwords and make it harder to try more passwords.

   To have a one in a thousand chance of guessing the password in
   500,000 tries implies a universe of at least 500,000,000 passwords or
   about 2^29.  Thus 29 bits of randomness are needed. This can probably
   be achieved using the US DoD recommended inputs for password
   generation as it has 8 inputs which probably average over 5 bits of
   randomness each (see section 7.1).  Using a list of 1000 words, the
   password could be expressed as a three word phrase (1,000,000,000
   possibilities) or, using case insensitive letters and digits, six
   would suffice ((26+10)^6 = 2,176,782,336 possibilities).

   For a higher security password, the number of bits required goes up.
   To decrease the probability by 1,000 requires increasing the universe
   of passwords by the same factor which adds about 10 bits.  Thus to
   have only a one in a million chance of a password being guessed under
   the above scenario would require 39 bits of randomness and a password



Eastlake, Crocker & Schiller                                   [Page 24]

RFC 1750        Randomness Recommendations for Security    December 1994


   that was a four word phrase from a 1000 word list or eight
   letters/digits.  To go to a one in 10^9 chance, 49 bits of randomness
   are needed implying a five word phrase or ten letter/digit password.

   In a real system, of course, there are also other factors.  For
   example, the larger and harder to remember passwords are, the more
   likely users are to write them down resulting in an additional risk
   of compromise.

8.2 A Very High Security Cryptographic Key

   Assume that a very high security key is needed for symmetric
   encryption / decryption between two parties.  Assume an adversary can
   observe communications and knows the algorithm being used.  Within
   the field of random possibilities, the adversary can try key values
   in hopes of finding the one in use.  Assume further that brute force
   trial of keys is the best the adversary can do.

8.2.1 Effort per Key Trial

   How much effort will it take to try each key?  For very high security
   applications it is best to assume a low value of effort.  Even if it
   would clearly take tens of thousands of computer cycles or more to
   try a single key, there may be some pattern that enables huge blocks
   of key values to be tested with much less effort per key.  Thus it is
   probably best to assume no more than a couple hundred cycles per key.
   (There is no clear lower bound on this as computers operate in
   parallel on a number of bits and a poor encryption algorithm could
   allow many keys or even groups of keys to be tested in parallel.
   However, we need to assume some value and can hope that a reasonably
   strong algorithm has been chosen for our hypothetical high security
   task.)

   If the adversary can command a highly parallel processor or a large
   network of work stations, 2*10^10 cycles per second is probably a
   minimum assumption for availability today.  Looking forward just a
   couple years, there should be at least an order of magnitude
   improvement.  Thus assuming 10^9 keys could be checked per second or
   3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is
   reasonable.  This implies a need for a minimum of 51 bits of
   randomness in keys to be sure they cannot be found in a month.  Even
   then it is possible that, a few years from now, a highly determined
   and resourceful adversary could break the key in 2 weeks (on average
   they need try only half the keys).







Eastlake, Crocker & Schiller                                   [Page 25]

RFC 1750        Randomness Recommendations for Security    December 1994


8.2.2 Meet in the Middle Attacks

   If chosen or known plain text and the resulting encrypted text are
   available, a "meet in the middle" attack is possible if the structure
   of the encryption algorithm allows it.  (In a known plain text
   attack, the adversary knows all or part of the messages being
   encrypted, possibly some standard header or trailer fields.  In a
   chosen plain text attack, the adversary can force some chosen plain
   text to be encrypted, possibly by "leaking" an exciting text that
   would then be sent by the adversary over an encrypted channel.)

   An oversimplified explanation of the meet in the middle attack is as
   follows: the adversary can half-encrypt the known or chosen plain
   text with all possible first half-keys, sort the output, then half-
   decrypt the encoded text with all the second half-keys.  If a match
   is found, the full key can be assembled from the halves and used to
   decrypt other parts of the message or other messages.  At its best,
   this type of attack can halve the exponent of the work required by
   the adversary while adding a large but roughly constant factor of
   effort.  To be assured of safety against this, a doubling of the
   amount of randomness in the key to a minimum of 102 bits is required.

   The meet in the middle attack assumes that the cryptographic
   algorithm can be decomposed in this way but we can not rule that out
   without a deep knowledge of the algorithm.  Even if a basic algorithm
   is not subject to a meet in the middle attack, an attempt to produce
   a stronger algorithm by applying the basic algorithm twice (or two
   different algorithms sequentially) with different keys may gain less
   added security than would be expected.  Such a composite algorithm
   would be subject to a meet in the middle attack.

   Enormous resources may be required to mount a meet in the middle
   attack but they are probably within the range of the national
   security services of a major nation.  Essentially all nations spy on
   other nations government traffic and several nations are believed to
   spy on commercial traffic for economic advantage.

8.2.3 Other Considerations

   Since we have not even conside