In the field of information security, there are many applications which use random numbers. The basis of modern cryptography is the use of openly available cryptographic algorithms that utilize secret information (such as cryptographic keys) and random elements (such as salt, nonces and padding data).
The security of modern cryptographic algorithms relies not on the algorithms themselves being secret (rather, they are published and open for public scrutiny and research), but on the properties of the associated keys and random elements, which must be truly random and not predictable in any way.
For example, a symmetric cipher algorithm, such as the Advanced Encryption Standard (AES), is designed such that, without knowledge of the cipher keys, there is no known shortcut to decrypting any data encrypted with the symmetric cipher algorithm other than a brute-force attack that tries every possible key exhaustively. Fully achieving this objective requires that the keys be truly random, because only then is the key equally likely to be any one of the possible values.
There are practical difficulties in the generation of true random numbers. Methods to generate true random numbers generally rely on some natural phenomenon that gives rise to random variations. Examples include thermal noise (Johnson-Nyquist noise) in electrical conductors and radioactive decay. The problem with such true random number generators is that they can be cumbersome and the rate of production of random data can be too slow for many applications.
An alternative to a true random number generator is a pseudo-random number generator (PRNG). A PRNG has an output that appears statistically random but is in fact completely predictable, because a PRNG employs a deterministic method or algorithm. This means that if the current state of the generator can be determined, it becomes possible to predict future and past states of the generator. There are applications where this property is not important, for example for use in simulations and statistical modeling.
However, in information security applications, it is vital that it should not be possible to predict future values of a PRNG, nor calculate previous values. A PRNG satisfying this requirement is known as a Cryptographically Secure PRNG (CSPRNG). A CSPRNG has the property that it is computationally infeasible to determine the internal state of the CSPRNG even with full knowledge of the outputs.
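The distinction drawn in the two paragraphs above, as an added example that is not part of the original text: a toy 32-bit linear congruential generator (LCG) whose output is its whole internal state, so a single observed value lets anyone compute both the next and the previous output, beside a generator whose output is a one-way hash of a hidden state. The LCG constants and the 32-byte state used in the test are constructed illustrations, not values from any standard.

```python
"""Why a statistically good PRNG is not a CSPRNG (added illustration).

The LCG below leaks its full state in every output; the hash-based generator
only exposes SHA-256 digests of a state that never leaves the object."""
import hashlib

M = 1 << 32
A = 1664525       # classic LCG multiplier; constructed choice for the toy
C = 1013904223    # classic LCG increment


def lcg_next(state: int) -> int:
    """State transition of the toy LCG; the output *is* the state."""
    return (A * state + C) % M


def lcg_prev(state: int) -> int:
    """A is odd, hence invertible mod 2**32, so the sequence runs backwards too."""
    return ((state - C) * pow(A, -1, M)) % M


def lcg_outputs(seed: int, n: int) -> list[int]:
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(s)
    return out


def neighbours_from_one_output(observed: int) -> tuple[int, int]:
    """What an observer learns from one LCG output: the previous and next outputs."""
    return lcg_prev(observed), lcg_next(observed)


class HashOutputGenerator:
    """Output = SHA-256(secret_state || counter).

    Recovering the state from outputs would require finding SHA-256 preimages,
    which is the 'computationally infeasible' property the text asks of a
    CSPRNG.  The secret state must come from a proper entropy source; the
    caller supplies it (the test uses a constructed, all-zero one)."""

    def __init__(self, secret_state: bytes):
        if len(secret_state) < 32:
            raise ValueError("state must carry at least 256 bits")
        self._state = secret_state
        self._counter = 0

    def next_output(self) -> bytes:
        out = hashlib.sha256(self._state + self._counter.to_bytes(8, "big")).digest()
        self._counter += 1
        return out
```

The hash-based generator only shows why outputs do not reveal the state. SP 800-90A's DRBGs go further and replace the state after every request, so that a later compromise of the state does not expose outputs produced earlier.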
In order to facilitate the development of CSPRNGs and techniques to generate random bits (which can be used directly or converted to random numbers) for application in information security, the US National Institute of Standards and Technology (NIST) has published NIST Special Publication 800-90A, “Recommendation for Random Number Generation using Deterministic Random Bit Generators,” published January 2012 by the U.S. Department of Commerce, the contents of which are hereby incorporated by reference. NIST Special Publication 800-90A specifies recommended requirements and algorithms for Deterministic Random Bit Generators (DRBGs) which will function as CSPRNGs. The functional model of the DRBG utilizes a DRBG mechanism and a source of entropy input. A process to construct a seed for instantiation includes as inputs the entropy input, a nonce, and an optional personalization string. The entropy input may be provided by an approved entropy source. The entropy input must have an entropy that is equal to or greater than the security strength of the instantiation. NIST SP 800-90A specifies that an “Approved entropy source” is “an entropy source that has been validated as conforming to SP 800-90B.” That is, the approved entropy source is the subject of a separate recommendation, set forth in NIST SP 800-90B, “Recommendation for Entropy Sources for Random Bit Generation,” published August 2012 by the U.S. Department of Commerce, the contents of which are hereby incorporated by reference.
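The seed construction just described (entropy input, nonce, optional personalization string), as an added example that is not part of the original text and not NIST's code: a Hash_DRBG with SHA-256 written to follow the structure of the Instantiate, Hash_df, Hashgen, Generate and Reseed steps in SP 800-90A section 10.1. It has not been checked against NIST's published test vectors, so treat it as an illustration of how the seed is formed and how the entropy-input length is checked against the security strength, not as a conforming implementation. The entropy input and nonce in the test are constructed values, not output of a real entropy source.

```python
"""Hash_DRBG (SHA-256) in the style of SP 800-90A section 10.1; added illustration."""
import hashlib

OUTLEN = 32              # SHA-256 digest length in bytes
SEEDLEN = 55             # 440-bit seedlen that SP 800-90A lists for SHA-256
SECURITY_STRENGTH = 32   # 256 bits, in bytes: entropy input may not be shorter
RESEED_INTERVAL = 1 << 48
_MOD = 1 << (8 * SEEDLEN)


def hash_df(data: bytes, out_len: int) -> bytes:
    """Hash_df: concatenate SHA-256(counter || bit_length || data) for counter = 1, 2, ..."""
    bit_len = (8 * out_len).to_bytes(4, "big")
    temp, counter = b"", 1
    while len(temp) < out_len:
        temp += hashlib.sha256(bytes([counter]) + bit_len + data).digest()
        counter += 1
    return temp[:out_len]


def _add_mod(*parts) -> bytes:
    """Add byte strings and ints as integers modulo 2**(8*SEEDLEN); return SEEDLEN bytes."""
    total = 0
    for p in parts:
        total += p if isinstance(p, int) else int.from_bytes(p, "big")
    return (total % _MOD).to_bytes(SEEDLEN, "big")


class HashDRBG:
    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        """Instantiate: seed_material = entropy_input || nonce || personalization_string."""
        self._seed(entropy_input + nonce + personalization, entropy_input)

    def _seed(self, seed_material: bytes, entropy_input: bytes) -> None:
        # The recommendation requires entropy at least equal to the security strength;
        # a length check is the only part of that a DRBG can enforce by itself.
        if len(entropy_input) < SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than the security strength")
        self.V = hash_df(seed_material, SEEDLEN)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        """Reseed: seed_material = 0x01 || V || entropy_input || additional_input."""
        self._seed(b"\x01" + self.V + entropy_input + additional_input, entropy_input)

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required before more output")
        if additional_input:
            w = hashlib.sha256(b"\x02" + self.V + additional_input).digest()
            self.V = _add_mod(self.V, w)
        out, data = b"", self.V            # Hashgen: hash V, V+1, V+2, ...
        while len(out) < n_bytes:
            out += hashlib.sha256(data).digest()
            data = _add_mod(data, 1)
        h = hashlib.sha256(b"\x03" + self.V).digest()
        self.V = _add_mod(self.V, h, self.C, self.reseed_counter)   # state update
        self.reseed_counter += 1
        return out[:n_bytes]
```

The state update at the end of `generate` is what gives backtracking resistance: once `V` has been replaced, earlier outputs cannot be recomputed from the new state. The recommendation also places requirements on the nonce (it must not be expected to repeat between instantiations); the class does not check that.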
NIST SP 800-90B “describes the properties that an entropy source must have to make it suitable for use by cryptographic random bit generators.” An entropy source “provides a source of random bitstrings.” A noise source is the “component of an entropy source that contains the non-deterministic, entropy-producing activity.”
The model of an entropy source used by NIST SP 800-90B comprises a noise source that contains non-deterministic, entropy-producing activity, health testing and (optional) conditioning of the digitized noise source output. The health tests form an integral part of the entropy source and are separated into startup tests, continuous tests and on-demand tests. The end goal of the testing is to gain assurance that failures or erratic/pathological behavior of the entropy source can be detected. In order to do this, a testing strategy needs to determine the likely failure modes for the entropy source, which will of course vary according to the specific type of entropy source (noise source) employed.
No particular noise source is specified for the entropy source in NIST SP 800-90B. The choice of noise source and technique to perform health testing is open to the end designer as long as the other requirements of the recommendation are satisfied.
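The continuous health tests mentioned above, as an added example that is not part of the original text or of any product: NIST SP 800-90B section 4.4 specifies two continuous tests, the Repetition Count Test (RCT), which catches a source stuck at one value, and the Adaptive Proportion Test (APT), which catches a source whose output has become strongly biased. Both are parameterised by the min-entropy per sample the designer claims (H) and a false-positive probability (alpha). The three sample streams at the bottom are constructed 8-bit sequences, not real noise, with an assumed claim of 6 bits of min-entropy per sample.

```python
"""RCT and APT continuous health tests from SP 800-90B section 4.4 (added illustration)."""
import math


def rct_cutoff(min_entropy: float, alpha: float = 2 ** -20) -> int:
    """RCT cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / min_entropy)


def apt_cutoff(min_entropy: float, window: int, alpha: float = 2 ** -20) -> int:
    """APT cutoff: C = 1 + CRITBINOM(W, 2**-H, 1 - alpha), i.e. one more than the
    smallest k at which the binomial CDF reaches 1 - alpha.  Terms are formed in
    log space so the large binomial coefficients do not overflow a float."""
    p = 2.0 ** -min_entropy
    cumulative = 0.0
    for k in range(window + 1):
        log_term = (math.log(math.comb(window, k))
                    + k * math.log(p) + (window - k) * math.log1p(-p))
        cumulative += math.exp(log_term)
        if cumulative >= 1 - alpha:
            return 1 + k
    return 1 + window


class RepetitionCountTest:
    """Fails when the same sample value occurs `cutoff` times in a row."""

    def __init__(self, cutoff: int):
        self.cutoff, self.a, self.b = cutoff, None, 0

    def feed(self, x: int) -> bool:
        if x == self.a:
            self.b += 1
        else:
            self.a, self.b = x, 1
        return self.b < self.cutoff


class AdaptiveProportionTest:
    """Fails when the first sample of a window of `window` samples recurs
    `cutoff` or more times within that window."""

    def __init__(self, cutoff: int, window: int):
        self.cutoff, self.window = cutoff, window
        self.a, self.b, self.i = None, 0, 0

    def feed(self, x: int) -> bool:
        if self.i == 0:                 # first sample of a new window
            self.a, self.b = x, 1
        elif x == self.a:
            self.b += 1
        self.i = (self.i + 1) % self.window
        return self.b < self.cutoff


def first_failure(samples, min_entropy: float, binary: bool = False, alpha: float = 2 ** -20):
    """Run both tests over a stream; return (index, test name) of the first failure,
    or None if the stream passes.  W = 1024 for binary sources, 512 otherwise."""
    window = 1024 if binary else 512
    rct = RepetitionCountTest(rct_cutoff(min_entropy, alpha))
    apt = AdaptiveProportionTest(apt_cutoff(min_entropy, window, alpha), window)
    for idx, x in enumerate(samples):
        if not rct.feed(x):
            return idx, "RCT"
        if not apt.feed(x):
            return idx, "APT"
    return None


# Constructed 8-bit sample streams (not real noise); assumed claim H = 6 bits/sample.
HEALTHY = [(i * 7919) % 256 for i in range(4096)]   # no runs; each value twice per 512
STUCK = [42] * 100                                   # source stuck at one value
BIASED = [0 if i % 3 == 0 else (i * 7919) % 256 for i in range(4096)]  # 0 every 3rd sample
```

A real entropy source would raise an error on the first failure and stop supplying output to the DRBG until the source is reset and the startup tests pass again; `first_failure` returns the position instead so the behaviour can be checked offline.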
NIST SP 800-90B is also indirectly related to other standards promoted by NIST. In particular, the cryptographic module standards promoted by NIST, such as FIPS 140-2, implicitly require other NIST-approved components. FIPS PUB 140-2, “Security Requirements for Cryptographic Modules,” is published by NIST and requires NIST-approved cryptographic functions, which those skilled in the art would understand to include an entropy source compliant with NIST SP 800-90B.
One of the practical problems with the NIST recommendations is that it is difficult to establish a reliable and inexhaustible source of entropy in a system. There are various problems and drawbacks with applying conventional entropy sources to create an entropy source that is compliant with the NIST recommendations. One problem is guaranteeing that useful entropy can be extracted from the entropy source. Another problem is achieving a long lifetime of the entropy source at a low cost.