At 02:50 PM 9/20/95 -0700, you wrote:
In this sense, NSA ought to be *encouraging* Intel and IBM and Motorola to put "generate random bits" instructions into their instruction sets...
Intel produces a random generator (in a chip package) that is used in STU-II..'s. You can't buy such devices; random sources good enough to be used for initialization for military grade cryptography are Controlled Cryptographic Items. One would think that the NSA is attempting to exploit the lack of availability of random initialization values against their targets. The question becomes one of whether or not the general populace (of the U.S.) is considered a potential target, or simply casualties of the situation in undeclared hostilities. As a minimum one could infer that the availability of random numbers is considered quite important for NSA secure communications.

I used to work at a company that subscribed to NSA (National Standards Association) which provided government and other standards on microfiche and/or hardcopy. There was an interval before Reagan took office when the NSA provided all of their unclassified standards into general availability, an era of openness that came to an end with the Star Wars era. One of those standards was for random data sources.

The only recent standards that come to mind are the X.509 stuff for session key generation, FIPS PUB 140-1 which describes randomizer tests, and the recent FIPS PUB for a password generator. These three use block ciphers to produce pseudo-random output. If NSA requires real stochastic results for military crypto, what would we as casual cryptographers feel comfortable with? The Netscape episode shows the comfort level needs improving. How good is good enough?
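As an added example (not part of the original message), here are the four FIPS PUB 140-1 randomizer tests mentioned above, implemented in Python over a 20,000-bit sample: it runs them against a constructed bad sample and against the operating system's random source. The thresholds are those of FIPS 140-1 (the later FIPS 140-2 tightened them); the function and variable names are my own.

```python
from itertools import groupby
import secrets

SAMPLE_BITS = 20_000  # FIPS 140-1 tests are defined over exactly 20,000 bits


def bits_from_bytes(data: bytes) -> str:
    """Expand 2,500 bytes into a string of '0'/'1' characters."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) != SAMPLE_BITS:
        raise ValueError("FIPS 140-1 tests need exactly 20,000 bits")
    return bits


def monobit(bits: str) -> bool:
    """Count of ones must lie strictly between 9654 and 10346."""
    return 9654 < bits.count("1") < 10346


def poker(bits: str) -> bool:
    """Chi-square-like statistic over the 5,000 four-bit segments."""
    counts = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        counts[int(bits[i:i + 4], 2)] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 1.03 < x < 57.4


def run_lengths(bits: str) -> list:
    """Every maximal run as (bit, length), e.g. '0011' -> [('0',2),('1',2)]."""
    return [(b, len(list(g))) for b, g in groupby(bits)]


# Allowed count of runs of each length (6 means "6 or more"), for 0s and 1s alike.
RUN_LIMITS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}


def runs_test(bits: str) -> bool:
    for bit in "01":
        tally = {k: 0 for k in RUN_LIMITS}
        for b, n in run_lengths(bits):
            if b == bit:
                tally[min(n, 6)] += 1
        if any(not lo <= tally[k] <= hi for k, (lo, hi) in RUN_LIMITS.items()):
            return False
    return True


def long_run(bits: str) -> bool:
    """Any run of 34 or more identical bits is a failure."""
    return max(n for _, n in run_lengths(bits)) < 34


def fips140_1(data: bytes) -> dict:
    bits = bits_from_bytes(data)
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs_test(bits), "long_run": long_run(bits)}


def check_system_rng() -> dict:
    """Apply the tests to 2,500 bytes from the OS random source."""
    return fips140_1(secrets.token_bytes(2500))
```

A constructed sample such as `b"\x55" * 2500` (alternating 0101...) passes monobit and long-run but fails poker and runs, which is why the four tests are applied together rather than singly.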