Paper 2018/349

An Analysis of the NIST SP 800-90A Standard

Joanne Woodage and Dan Shumow

Abstract

We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in the NIST SP 800-90A standard [2]. This standard received a considerable amount of negative attention, due to the controversy surrounding the now retracted DualEC-DRBG, which was included in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on HASH-DRBG and HMAC-DRBG. We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [16] of HASH-DRBG and HMAC-DRBG in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then – contrary to claims in the standard — HMAC-DRBG does not even achieve the (weaker) property of forward security. We also conduct a more informal and practice-oriented exploration of flexibility in implementation choices permitted by the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood, and impact, of such attacks. While our attacks are theoretical, an analysis of two open source implementations of CTR-DRBG shows that potentially problematic implementation choices are made in the real world.

Metadata
Available format(s)
PDF
Publication info
Preprint.
Keywords
pseudorandom generatorsPRNGs with inputstandards
Contact author(s)
joanne woodage 2014 @ rhul ac uk
History
2019-01-21: revised
2018-04-18: received
See all versions
Short URL
https://ia.cr/2018/349
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/349,
      author = {Joanne Woodage and Dan Shumow},
      title = {An Analysis of the {NIST} {SP} 800-{90A} Standard},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/349},
      year = {2018},
      url = {https://eprint.iacr.org/2018/349}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.