2

NIST has 3 validated "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (DRBG's) that are based on NIST SP 800-90A:

  1. Hash_DRBG (based on hash functions)
  2. HMAC_DRBG (Based on Hash-based message authentication code)
  3. CTR_DRBG (based on block ciphers)

If I need a 256-bit key for AES encryption, by using one of the above mentioned DRBGs and getting output from it as K, can I use K for AES encryption directly? or I must use K as an input of other algorithm that is called key generator and the output of key generator will be key?

Ali
  • 123
  • 5
  • 3
    You just want to generate the secret key? I would look into your OS's cryptographically secure random generators. –  Apr 30 '15 at 07:10

2 Answers2

8

It you need a deterministically derived key for AES, the DRBG algorithms of NIST SP 800-90A are suitable, and their output is directly usable as an AES key. An example use case is when computing an AES session key from a longer-term master key, and the nonce corresponding to that session.

AES will expand its key (128, 192 or 256-bit) to 128-bit subkeys (one more than there are rounds, thus 11, 13, or 15 subkeys), using an algorithm known as the AES key schedule, but that's considered internal to AES.

Notice that any DRBG needs a seed input, and that must be random and secret, thus best generated by a True RNG.

Update following comment: to my knowledge, NIST has no publication fully describing a particular TRNG (which they designate as nondeterministic random number generator); the closest thing (pointed by Thomas M. DuBuisson) seems to be draft NIST SP 800-90B, which gives general recommendations for (mostly: the conditioning of) entropy sources.

NIST does have publications, in particular FIPS 140-2, on how a TRNG should be tested (both during use and for certification purpose) and used; quoting that (as current in 2003):

Until such time as an Approved nondeterministic RNG standard exists, nondeterministic RNGs approved for use in classified applications may be used for key generation or to seed Approved deterministic RNGs used in key generation. Commercially available nondeterministic RNGs may be used for the purpose of generating seeds for Approved deterministic RNGs. Nondeterministic RNGs shall comply with all applicable RNG requirements of this standard.

Quoting a 2012 draft of annex of FIPS 140-2 annex C on RNGs

There are no FIPS Approved nondeterministic random number generators.

NIST maintains a list of cryptographic devices with a certificate made in relation to the aforementioned publications.

Community
  • 1
fgrieu
  • 140,762
  • 12
  • 307
  • 587
  • is there any True RNG that NIST recommends and output of it be seed input for DRBG? – Ali May 01 '15 at 13:19
  • @Ali See NIST 800-90B – Thomas M. DuBuisson May 01 '15 at 16:46
  • 1
    @Ali Generally you should use a DRNG provided by the runtime of your application, usually something inside a crypto API. That crypto API should be using the OS to seed its DRBG. The OS has the best possible access on usual systems. If you want to be more sure you could use a FIPS compliant hardware device such as an HSM. The RdRand Intel instruction may also be used but the OS may already use it as seed. – Maarten Bodewes May 18 '15 at 23:20
0

I would prefer to use standardized (like FIPS 140-2) secure random generator, since the whole point is to secure the encryption key.

Of course, you might want to check this website for reference: http://www.cryptosys.net/rng_algorithms.html

mitkook
  • 42
  • 2
  • 2
    FIPS 140-2 does not describe the operation of the RNG, but rather their implementation in a module, with those listed in SP 800-90A being specifically approved – Richie Frame May 01 '15 at 12:01