An Analysis of NIST SP 800-90A

Abstract

We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in NIST SP 800-90A [2]. The standard received considerable negative attention due to the controversy surrounding the now retracted \(\mathsf{{DualEC\text {-}DRBG}}\), which appeared in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on \(\mathsf{{HASH\text {-}DRBG}}\) and \(\mathsf{{HMAC\text {-}DRBG}}\). We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [13] of \(\mathsf{{HASH\text {-}DRBG}}\) and \(\mathsf{{HMAC\text {-}DRBG}}\) in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then – contrary to claims in the standard—\(\mathsf{{HMAC\text {-}DRBG}}\) does not even achieve the (weaker) property of forward security. We then conduct a more informal and practice-oriented exploration of flexibility in the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood, and impact, of such attacks. While our attacks are theoretical, an analysis of two open source implementations of \(\mathsf{{CTR\text {-}DRBG}}\) shows that these potentially problematic implementation choices are made in the real world.