Abstract
We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in NIST SP 800-90A [2]. The standard received considerable negative attention due to the controversy surrounding the now retracted \(\mathsf{{DualEC\text {-}DRBG}}\), which appeared in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on \(\mathsf{{HASH\text {-}DRBG}}\) and \(\mathsf{{HMAC\text {-}DRBG}}\). We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [13] of \(\mathsf{{HASH\text {-}DRBG}}\) and \(\mathsf{{HMAC\text {-}DRBG}}\) in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then – contrary to claims in the standard—\(\mathsf{{HMAC\text {-}DRBG}}\) does not even achieve the (weaker) property of forward security. We then conduct a more informal and practice-oriented exploration of flexibility in the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood, and impact, of such attacks. While our attacks are theoretical, an analysis of two open source implementations of \(\mathsf{{CTR\text {-}DRBG}}\) shows that these potentially problematic implementation choices are made in the real world.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
We do not directly analyze \(\mathsf{{setup}}\), \(\mathsf{{refresh}}\) and \(\mathsf{{CTR\text {-}DRBG}}\_\mathsf{{df}}\) in this work, and so defer their presentation to the full version.
- 4.
NIST SP 800-90B [37] defines the entropy estimate of sample I as \({\mathrm {H}_\infty }({I})\), rather than this conditioned on other samples and associated data. However, since the tests in NIST SP 800-90B estimate entropy using multiple samples drawn from the source, it seems reasonable to assume the conditional entropy condition is satisfied also.
- 5.
This is similar to an observation by Bernstein [5] criticizing the inefficiency of \(\mathsf{{CTR\text {-}DRBG}}\)’s \(\mathsf{{update}}\) function which appeared concurrently to the production of the first draft of this work. We stress that our modelling of the attack scenario, and systematic treatment of how the issue affects each of the NIST DRBGs, is novel.
- 6.
Indeed, NIST SP 800-90A says: “For large generate requests, \(\mathsf{{CTR\text {-}DRBG}}\) produces outputs at the same speed as the underlying block cipher algorithm encrypts data”, highlighting the efficiency of this approach.
- 7.
Here we assume the attacker learns a full block and knows its index. This seems reasonable; for example, a TLS client or server random will contain at least one whole block and 12 bytes of a second block (if 4 bytes of timestamp are used). These values would be generated early in a call to the DRBG, and so have a low index j. Both assumptions can be relaxed at the cost of the attacker performing more work to brute-force any missing bits and/or the index.
- 8.
Here we mean the working state of the PRNG, as opposed to the ‘intermediate’ states considered in the previous section.
References
Abdalla, M., Belaïd, S., Pointcheval, D., Ruhault, S., Vergnaud, D.: Robust pseudo-random number generators with input secure against side-channel attacks. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 635–654. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_31
Barker, E., Kelsey, J.: NIST SP 800-90A Rev. 1 Recommendation for random number generation using deterministic random bit generators (2015)
Barker, E., Kelsey, J.: Draft NIST SP 800-90C. Recommendation for random bit generator (RBG) constructions (2012)
Bernstein, D.J.: Cache-timing attacks on AES (2005). https://cr.yp.to/antiforgery/cachetiming-20050414.pdf
Bernstein, D.J.: Fast-key-erasure random-number-generators (2017). https://blog.cr.yp.to/20170723-random.html
Bernstein, D.J., et al.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_18
Bogdanov, A.: Improved side-channel collision attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 84–95. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_6
Butcher, S., Follath, J., García, A.A.: mbed TLS (2015–2018). https://tls.mbed.org/
Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. ePrint (2006)
Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: USENIX (2014)
Cornejo, M., Ruhault, S.: Characterization of real-life PRNGs under partial state corruption. In: ACM CCS (2014)
Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_30
Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input:/dev/random is not robust. In: ACM CCS (2013)
Dodis, Y., Ristenpart, T., Steinberger, J.P., Tessaro, S.: To hash or not to hash again? (In)differentiability results for H2 and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_21
Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS (2008)
FIPS PUB 140-2. Security Requirements for Cryptographic Modules (2001)
Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 87–116. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_4
Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: USENIX (2012)
Hirose, S.: Security analysis of DRBG using HMAC in NIST SP 800-90. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 278–291. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00306-6_21
Kan, W.: Analysis of underlying assumptions in NIST DRBGs (2007)
Katherine, Q.Y., Green, M., Sanguansin, N., Beringer, L., Petcher, A., Appel, A.W.: Verified correctness and security of mbedTLS HMAC-DRBG. In: ACM CCS (2017)
Kocher, P., Jaffe, J., Jun, B., Rohatgi, P.: Introduction to differential power analysis. JCEN 1, 5–27 (2011)
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF) (2010)
Mangard, S.: A simple power-analysis (SPA) attack on implementations of the AES key expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_24
Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_16
Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_1
Percival, C.: Cache missing for fun and profit (2005)
Perlroth, N.: Government announces steps to restore confidence on encryption standards (2013)
The OpenSSL Project: OpenSSL (1998–2018). https://www.openssl.org/
Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_27
Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: NDSS (2010)
Ruhault, S.: SoK: security models for pseudo-random number generators. IACR Trans. Symmetric Cryptol. 2017, 506–544 (2017)
Shrimpton, T., Terashima, R.S.: A provable-security analysis of Intel’s secure key RNG. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 77–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_4
Shrimpton, T., Terashima, R.S.: Salvaging weak security bounds for blockcipher-based constructions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 429–454. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_16
Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG (2007)
Turan, M.S., Barker, E., Kelsey, J., McKay, K.A., Baish, M.L., Boyle, M.: SP 800-90B. Recommendation for the entropy sources used for random bit generation (2012)
Vassilev, A., May, W.: Annex C: approved random number generators for FIPS PUB 140-2, security requirements for cryptographic modules (2016)
Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In: ACM SIGCOMM (2009)
Acknowledgements
The authors thank Kenny Paterson and the anonymous reviewers for their insightful comments which greatly improved the paper. The first author is supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1); much of this work was completed during an internship at Microsoft Research.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 International Association for Cryptologic Research
About this paper
Cite this paper
Woodage, J., Shumow, D. (2019). An Analysis of NIST SP 800-90A. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-17656-3_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17655-6
Online ISBN: 978-3-030-17656-3
eBook Packages: Computer ScienceComputer Science (R0)