Skip to main content
SpringerLink
Log in

An Analysis of NIST SP 800-90A

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2019 (EUROCRYPT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11477))

Abstract

We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in NIST SP 800-90A [2]. The standard received considerable negative attention due to the controversy surrounding the now retracted \(\mathsf{{DualEC\text {-}DRBG}}\), which appeared in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on \(\mathsf{{HASH\text {-}DRBG}}\) and \(\mathsf{{HMAC\text {-}DRBG}}\). We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [13] of \(\mathsf{{HASH\text {-}DRBG}}\) and \(\mathsf{{HMAC\text {-}DRBG}}\) in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then – contrary to claims in the standard—\(\mathsf{{HMAC\text {-}DRBG}}\) does not even achieve the (weaker) property of forward security. We then conduct a more informal and practice-oriented exploration of flexibility in the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood, and impact, of such attacks. While our attacks are theoretical, an analysis of two open source implementations of \(\mathsf{{CTR\text {-}DRBG}}\) shows that these potentially problematic implementation choices are made in the real world.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Either a live entropy source as approved in NIST SP 800-90B [37] or a (truly) random bit generator as per NIST SP 800-90C [3].

  2. 2.

    In contrast, robustness [13] requires that a PRNG is secure when reseeded with a set of entropy samples which collectively has \(\gamma ^*\)-bits of entropy. Looking ahead to Sect. 5, we analyze \(\mathsf{{HASH\text {-}DRBG}}\) with respect to this stronger notion.

  3. 3.

    We do not directly analyze \(\mathsf{{setup}}\), \(\mathsf{{refresh}}\) and \(\mathsf{{CTR\text {-}DRBG}}\_\mathsf{{df}}\) in this work, and so defer their presentation to the full version.

  4. 4.

    NIST SP 800-90B [37] defines the entropy estimate of sample I as \({\mathrm {H}_\infty }({I})\), rather than this conditioned on other samples and associated data. However, since the tests in NIST SP 800-90B estimate entropy using multiple samples drawn from the source, it seems reasonable to assume the conditional entropy condition is satisfied also.

  5. 5.

    This is similar to an observation by Bernstein [5] criticizing the inefficiency of \(\mathsf{{CTR\text {-}DRBG}}\)’s \(\mathsf{{update}}\) function which appeared concurrently to the production of the first draft of this work. We stress that our modelling of the attack scenario, and systematic treatment of how the issue affects each of the NIST DRBGs, is novel.

  6. 6.

    Indeed, NIST SP 800-90A says: “For large generate requests, \(\mathsf{{CTR\text {-}DRBG}}\) produces outputs at the same speed as the underlying block cipher algorithm encrypts data”, highlighting the efficiency of this approach.

  7. 7.

    Here we assume the attacker learns a full block and knows its index. This seems reasonable; for example, a TLS client or server random will contain at least one whole block and 12 bytes of a second block (if 4 bytes of timestamp are used). These values would be generated early in a call to the DRBG, and so have a low index j. Both assumptions can be relaxed at the cost of the attacker performing more work to brute-force any missing bits and/or the index.

  8. 8.

    Here we mean the working state of the PRNG, as opposed to the ‘intermediate’ states considered in the previous section.

References

  1. Abdalla, M., Belaïd, S., Pointcheval, D., Ruhault, S., Vergnaud, D.: Robust pseudo-random number generators with input secure against side-channel attacks. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 635–654. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_31

    Chapter  Google Scholar 

  2. Barker, E., Kelsey, J.: NIST SP 800-90A Rev. 1 Recommendation for random number generation using deterministic random bit generators (2015)

    Google Scholar 

  3. Barker, E., Kelsey, J.: Draft NIST SP 800-90C. Recommendation for random bit generator (RBG) constructions (2012)

    Google Scholar 

  4. Bernstein, D.J.: Cache-timing attacks on AES (2005). https://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  5. Bernstein, D.J.: Fast-key-erasure random-number-generators (2017). https://blog.cr.yp.to/20170723-random.html

  6. Bernstein, D.J., et al.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_18

    Chapter  Google Scholar 

  7. Bogdanov, A.: Improved side-channel collision attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 84–95. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_6

    Chapter  Google Scholar 

  8. Butcher, S., Follath, J., García, A.A.: mbed TLS (2015–2018). https://tls.mbed.org/

  9. Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. ePrint (2006)

    Google Scholar 

  10. Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: USENIX (2014)

    Google Scholar 

  11. Cornejo, M., Ruhault, S.: Characterization of real-life PRNGs under partial state corruption. In: ACM CCS (2014)

    Google Scholar 

  12. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_30

    Chapter  Google Scholar 

  13. Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input:/dev/random is not robust. In: ACM CCS (2013)

    Google Scholar 

  14. Dodis, Y., Ristenpart, T., Steinberger, J.P., Tessaro, S.: To hash or not to hash again? (In)differentiability results for H2 and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_21

    Chapter  MATH  Google Scholar 

  15. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS (2008)

    Google Scholar 

  16. FIPS PUB 140-2. Security Requirements for Cryptographic Modules (2001)

    Google Scholar 

  17. Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 87–116. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_4

    Chapter  Google Scholar 

  18. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: USENIX (2012)

    Google Scholar 

  19. Hirose, S.: Security analysis of DRBG using HMAC in NIST SP 800-90. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 278–291. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_21

    Chapter  Google Scholar 

  20. Kan, W.: Analysis of underlying assumptions in NIST DRBGs (2007)

    Google Scholar 

  21. Katherine, Q.Y., Green, M., Sanguansin, N., Beringer, L., Petcher, A., Appel, A.W.: Verified correctness and security of mbedTLS HMAC-DRBG. In: ACM CCS (2017)

    Google Scholar 

  22. Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. JCEN 1, 5–27 (2011)

    Google Scholar 

  23. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34

    Chapter  Google Scholar 

  24. Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF) (2010)

    Google Scholar 

  25. Mangard, S.: A simple power-analysis (SPA) attack on implementations of the AES key expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_24

    Chapter  Google Scholar 

  26. Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_16

    Chapter  MATH  Google Scholar 

  27. Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_1

    Chapter  Google Scholar 

  28. Percival, C.: Cache missing for fun and profit (2005)

    Google Scholar 

  29. Perlroth, N.: Government announces steps to restore confidence on encryption standards (2013)

    Google Scholar 

  30. The OpenSSL Project: OpenSSL (1998–2018). https://www.openssl.org/

  31. Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_27

    Chapter  Google Scholar 

  32. Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: NDSS (2010)

    Google Scholar 

  33. Ruhault, S.: SoK: security models for pseudo-random number generators. IACR Trans. Symmetric Cryptol. 2017, 506–544 (2017)

    Google Scholar 

  34. Shrimpton, T., Terashima, R.S.: A provable-security analysis of Intel’s secure key RNG. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 77–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_4

    Chapter  Google Scholar 

  35. Shrimpton, T., Terashima, R.S.: Salvaging weak security bounds for blockcipher-based constructions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 429–454. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_16

    Chapter  Google Scholar 

  36. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG (2007)

    Google Scholar 

  37. Turan, M.S., Barker, E., Kelsey, J., McKay, K.A., Baish, M.L., Boyle, M.: SP 800-90B. Recommendation for the entropy sources used for random bit generation (2012)

    Google Scholar 

  38. Vassilev, A., May, W.: Annex C: approved random number generators for FIPS PUB 140-2, security requirements for cryptographic modules (2016)

    Google Scholar 

  39. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In: ACM SIGCOMM (2009)

    Google Scholar 

Download references

Acknowledgements

The authors thank Kenny Paterson and the anonymous reviewers for their insightful comments which greatly improved the paper. The first author is supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1); much of this work was completed during an internship at Microsoft Research.

Author information

Authors and Affiliations

  1. Royal Holloway, University of London, Egham, UK

    Joanne Woodage

  2. Microsoft Research, Redmond, USA

    Dan Shumow

Authors
  1. Joanne Woodage
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dan Shumow
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Joanne Woodage .

Editor information

Editors and Affiliations

  1. Technion, Haifa, Israel

    Yuval Ishai

  2. COSIC Group, KU Leuven, Heverlee, Belgium

    Vincent Rijmen

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Woodage, J., Shumow, D. (2019). An Analysis of NIST SP 800-90A. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17656-3_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17655-6

  • Online ISBN: 978-3-030-17656-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation