Adding Fortuna as a new prng

Zhanna Tsitkova tsitkova at MIT.EDU
Wed Aug 18 20:29:40 EDT 2010

Internally we have discussed adding Fortuna as an alternative PRNG to krb5 in the 1.9 timeframe. Generally Yarrow is considered a preferred algorithm for short-lived applications, while long-runners, such as the KDC, might take advantage of the Fortuna design, as it works faster after the initialization is completed.

There are a few questions for the community:

1. Code borrowing. At the moment we know about two open source implementations of Fortuna in C. One of them is from the libTomCrypt project and another one circulates under a "Copyright (c) Marko Kreen" license. The opinion was expressed that even though the libTomCrypt license does not have any restrictions, it is somewhat faceless, and consequently might be an issue for the lawyers. So, perhaps, Marko Kreen's implementation is a better bet.

2. Fortuna requires SHA256. At the moment SHA2 is not part of the Kerberos crypto-system. If Kerberos is built with OpenSSL or NSS cryptography, is it OK to use crypto primitives from these providers to implement Fortuna and not support the Fortuna PRNG for the library built with the built-in crypto backend?

3. Fortuna and Yarrow living together. Some use cases indicate that the Kerberos library might show better performance if both PRNG implementations are available at run-time. (For example, some lightweight client shares libraries with the server: the former works faster with Yarrow, the latter with Fortuna.) So, Fortuna and Yarrow should co-exist and PRNG selection should be a configurable, and pluggable, feature. This is the plan for the future. As the first step in the Fortuna direction, however, we suggest taking an approach of one-PRNG-implementation-per-library.

Looking forward to your valuable comments and suggestions.


Zhanna Tsitkova
tsitkova at
