1 .TH IPSEC_PRNG 3 "1 April 2002"
2 .\" RCSID $Id: prng.3,v 1.1 2004/03/15 20:35:26 as Exp $
4 ipsec prng_init \- initialize IPsec pseudorandom-number generator
6 ipsec prng_bytes \- get bytes from IPsec pseudorandom-number generator
8 ipsec prng_final \- close down IPsec pseudorandom-number generator
10 .B "#include <freeswan.h>
12 .B "void prng_init(struct prng *prng,"
14 .B "const unsigned char *key, size_t keylen);"
16 .B "void prng_bytes(struct prng *prng, char *dst,"
20 .B "unsigned long prng_count(struct prng *prng);"
22 .B "void prng_final(struct prng *prng);"
25 initializes a crypto-quality pseudo-random-number generator from a key;
27 obtains pseudo-random bytes from it;
29 reports the number of bytes extracted from it to date;
32 It is the user's responsibility to initialize a PRNG before using it,
33 and not to use it again after it is closed down.
42 whose length is given by
44 The user must allocate the
48 There is no particular constraint on the length of the key,
49 although a key longer than 256 bytes is unnecessary because
50 only the first 256 would be used.
51 Initialization requires on the order of 3000 integer operations,
52 independent of key length.
57 pseudo-random bytes from the PRNG and puts them in
60 on the order of 10 integer operations per byte.
63 reports the number of bytes obtained from the PRNG
64 since it was (last) initialized.
68 zeroing its internal memory,
69 obliterating all trace of the state used to generate its previous output.
70 This requires on the order of 250 integer operations.
74 header file supplies the definition of the
77 Examination of its innards is discouraged, as they may change.
80 used by these functions is currently identical to that of RC4(TM).
81 This algorithm is cryptographically strong,
82 sufficiently unpredictable that even a hostile observer will
83 have difficulty determining the next byte of output from past history,
84 provided it is initialized from a reasonably large key composed of
85 highly random bytes (see
87 The usual run of software pseudo-random-number generators
92 cryptographically strong.
94 The well-known attacks against RC4(TM),
95 e.g. as found in 802.11b's WEP encryption system,
96 apply only if multiple PRNGs are initialized with closely-related keys
97 (e.g., using a counter appended to a base key).
98 If such keys are used, the first few hundred pseudo-random bytes
99 from each PRNG should be discarded,
100 to give the PRNGs a chance to randomize their innards properly.
101 No useful attacks are known if the key is well randomized to begin with.
106 \fIApplied Cryptography\fR, 2nd ed., 1996, ISBN 0-471-11709-9,
109 Written for the FreeS/WAN project by Henry Spencer.
111 If an attempt is made to obtain more than 4e9 bytes
112 between initializations,
113 the PRNG will continue to work but
117 Fixing this would require a longer integer type and does
118 not seem worth the trouble,
119 since you should probably re-initialize before then anyway...
121 ``RC4'' is a trademark of RSA Data Security, Inc.