An Analysis of the NIST SP 800-90A Standard

We conduct a multi-faceted investigation of the security properties of the three deterministic random bit generator (DRBG) mechanisms recommended in the NIST SP 800-90A standard [4]. This standard received considerable negative attention because of the controversy and problems surrounding the now-retracted DualEC-DRBG, which was included in earlier revisions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper provides an analysis of the remaining DRBG algorithms in NIST SP 800-90A. We uncover a mix of positive and less positive results, emphasizing and addressing the gap between theoretical models and the NIST DRBGs as specified and used. As an initial positive result, we verify claims in the standard by proving (with a few caveats) the forward security of all three DRBGs. However, digging deeper into the flexibility in implementation and usage choices permitted by the standard, we uncover some undesirable properties of these standardized DRBGs. Specifically, we argue that these DRBGs have the property that leaking certain parts of the state may lead to catastrophic failure of the algorithm. Furthermore, we show that flexibility in the specification allows implementers and users of these algorithms to make choices that considerably weaken the algorithms in these scenarios.
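The forward-security claim above rests on the state update that each DRBG performs after producing output. The following added example (written for this page, not code from the paper or from NIST) implements HMAC_DRBG over SHA-256 following the Instantiate, Update, Generate and Reseed procedures of SP 800-90A Section 10.1.2, and then walks through what a state snapshot taken after a Generate call does and does not reveal: the output already produced cannot be recomputed from the updated state, while output produced before the next reseed can. The seed bytes, nonce and personalization string are constructed constants chosen only for reproducibility, and no official CAVP test vector is included, so the checks are on structural properties rather than on known-answer values.

```python
"""HMAC_DRBG (NIST SP 800-90A, Section 10.1.2) over SHA-256.

Constructed teaching example: the fixed "entropy" inputs below exist only so the
demonstration is repeatable; a real instantiation must draw them from an
approved entropy source.
"""
import hashlib
import hmac

OUTLEN = hashlib.sha256().digest_size   # 32 bytes of HMAC output
RESEED_INTERVAL = 1 << 48               # max Generate calls between reseeds (SP 800-90A)


class HmacDrbg:
    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # Instantiate: K = 0x00...00, V = 0x01...01, then Update(seed_material).
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @classmethod
    def from_state(cls, K: bytes, V: bytes) -> "HmacDrbg":
        # Rebuild a generator from a (K, V) snapshot; used here to model what a
        # party holding a leaked internal state can compute.
        obj = cls.__new__(cls)
        obj.K, obj.V, obj.reseed_counter = K, V, 1
        return obj

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: rekey K and refresh V. The second round only runs
        # when provided_data is non-empty.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < num_bytes:
            self.V = self._hmac(self.K, self.V)   # each iteration yields OUTLEN bytes
            temp += self.V
        # This final Update is the forward-security step: K and V that produced
        # `temp` are replaced before the call returns.
        self._update(additional_input)
        self.reseed_counter += 1
        return temp[:num_bytes]

    def state(self) -> tuple:
        return (self.K, self.V)


def forward_security_demo() -> dict:
    """Compare what a post-Generate state snapshot yields before and after a reseed."""
    seed = bytes(range(48))                                  # constructed, not real entropy
    drbg = HmacDrbg(seed, nonce=b"demo-nonce", personalization=b"sp800-90a-demo")
    out1 = drbg.generate(32)
    leaked_k, leaked_v = drbg.state()                        # snapshot taken after out1 exists
    out2 = drbg.generate(32)

    holder = HmacDrbg.from_state(leaked_k, leaked_v)
    from_snapshot = holder.generate(32)

    drbg.reseed(bytes(range(100, 148)))                      # fresh constructed seed material
    out3 = drbg.generate(32)
    holder_after = holder.generate(32)

    return {
        "prior_output_not_reproduced": from_snapshot != out1,       # backtracking resistance
        "next_output_predicted_until_reseed": from_snapshot == out2,
        "reseed_restores_unpredictability": out3 != holder_after,
    }


if __name__ == "__main__":
    print(forward_security_demo())
```

The first flag is the property the paper proves for all three DRBGs; the second is the reason SP 800-90A pairs the mechanisms with reseeding and a reseed interval, and the third shows that reseeding with fresh entropy is what restores unpredictability after a state compromise.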

[1] Elaine B. Barker et al. Recommendation for Random Number Generation Using Deterministic Random Bit Generators, 2007.

[2] Shoichi Hirose. Security Analysis of DRBG Using HMAC in NIST SP 800-90, 2008, WISA.

[3] John Kelsey et al. Recommendation for Random Number Generation Using Deterministic Random Bit Generators, 2014.

[4] Tanja Lange et al. On the Practical Exploitability of Dual EC in TLS Implementations, 2014, USENIX Security Symposium.

[5] Stefan Dziembowski et al. Leakage-Resilient Cryptography, 2008, 49th Annual IEEE Symposium on Foundations of Computer Science.

[6] David Pointcheval et al. Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust, 2013, CCS.

[7] Stefan Mangard et al. A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion, 2002, ICISC.

[8] Mihir Bellare et al. New Proofs for NMAC and HMAC: Security without Collision Resistance, 2006, Journal of Cryptology.

[9] Burton S. Kaliski et al. PKCS #5: Password-Based Cryptography Specification Version 2.0, 2000, RFC.

[10] Mihir Bellare et al. Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques, 2000, ASIACRYPT.

[11] Stefano Tessaro et al. Provably Robust Sponge-Based PRNGs and KDFs, 2016, EUROCRYPT.

[12] John Kelsey et al. Recommendation for the Entropy Sources Used for Random Bit Generation, 2018.

[13] Krzysztof Pietrzak et al. The Exact PRF-Security of NMAC and HMAC, 2014, IACR Cryptology ePrint Archive.

[14] Mihir Bellare et al. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols, 1993, CCS '93.

[15] Hovav Shacham et al. Careful with Composition: Limitations of the Indifferentiability Framework, 2011, EUROCRYPT.

[16] Matthew J. Campagna. Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator, 2006, IACR Cryptology ePrint Archive.

[17] Mihir Bellare et al. Code-Based Game-Playing Proofs and the Security of Triple Encryption, 2004, IACR Cryptology ePrint Archive.

[18] John Kelsey et al. Recommendation for Random Bit Generator (RBG) Constructions, 2016.

[19] Andrey Bogdanov et al. Improved Side-Channel Collision Attacks on AES, 2007, Selected Areas in Cryptography.

[20] Elaine B. Barker et al. Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, 2004.

[21] Hovav Shacham et al. When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability, 2009, IMC '09.

[22] Hugo Krawczyk et al. Keying Hash Functions for Message Authentication, 1996, CRYPTO.

[23] Pankaj Rohatgi et al. Introduction to Differential Power Analysis, 2011, Journal of Cryptographic Engineering.

[24] Bruce Schneier et al. Cryptanalytic Attacks on Pseudorandom Number Generators, 1998, FSE.

[25] Anand Desai et al. A Practice-Oriented Treatment of Pseudorandom Number Generators, 2002, EUROCRYPT.

[26] Hugo Krawczyk et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme, 2010, IACR Cryptology ePrint Archive.

[27] Kenneth G. Paterson et al. Backdoors in Pseudorandom Number Generators: Possibility and Impossibility Results, 2016, CRYPTO.

[28] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers, 2014, EUROCRYPT.

[29] Adi Shamir et al. How to Eat Your Entropy and Have it Too: Optimal Recovery Strategies for Compromised RNGs, 2017, Algorithmica.

[30] Colin Percival. Cache Missing for Fun and Profit, 2005.

[31] Elaine B. Barker et al. The Keyed-Hash Message Authentication Code (HMAC), 2002, NIST.

[32] Thomas Shrimpton et al. A Provable-Security Analysis of Intel's Secure Key RNG, 2015, EUROCRYPT.

[33] Eric Wustrow et al. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, 2012, USENIX Security Symposium.

[34] Adi Shamir et al. Cache Attacks and Countermeasures: The Case of AES, 2006, CT-RSA.

[35] Yevgeniy Dodis et al. A Formal Treatment of Backdoored Pseudorandom Generators, 2015, EUROCRYPT.

[36] Hovav Shacham et al. A Systematic Analysis of the Juniper Dual EC Incident, 2016, IACR Cryptology ePrint Archive.

[37] Wilson Kan. Analysis of Underlying Assumptions in NIST DRBGs, 2007, IACR Cryptology ePrint Archive.

[38] Ian Goldberg et al. Randomness and the Netscape Browser, 1996.

[39] Hugo Krawczyk et al. Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes, 2004, CRYPTO.

[40] Thomas Ristenpart et al. When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography, 2010, NDSS.

[41] Mihir Bellare et al. Multi-instance Security and Its Application to Password-Based Cryptography, 2012, CRYPTO.

[42] John P. Steinberger et al. To Hash or Not to Hash Again? (In)differentiability Results for H2 and HMAC, 2012, IACR Cryptology ePrint Archive.

[43] Silvio Micali et al. Physically Observable Cryptography (Extended Abstract), 2004, Theory of Cryptography Conference.

[44] Tanja Lange et al. Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild, 2013, IACR Cryptology ePrint Archive.

[45] David Pointcheval et al. Robust Pseudo-Random Number Generators with Input Secure Against Side-Channel Attacks, 2015, IACR Cryptology ePrint Archive.

[46] Mihir Bellare et al. Forward-Security in Private-Key Cryptography, 2003, CT-RSA.

[47] Shai Halevi et al. A Model and Architecture for Pseudo-Random Generation with Applications to /dev/random, 2005, CCS '05.

[48] Thomas Shrimpton et al. Salvaging Weak Security Bounds for Blockcipher-Based Constructions, 2016, ASIACRYPT.

[49] Mario Cornejo et al. Characterization of Real-Life PRNGs under Partial State Corruption, 2014, CCS.

[50] Andrew W. Appel et al. Verified Correctness and Security of mbedTLS HMAC-DRBG, 2017, CCS.