Stephan Mueller smueller at chronox.de
Tue Feb 25 22:25:33 CET 2014


As defined in SP800-131A, the ANSI X9.31 DRNG is to be sunset by the end of 
this year for official uses, including FIPS 140-2 compliance.

I created a clean-room implementation of the DRBGs defined in SP800-90A, 
specifically the Hash DRBG, HMAC DRBG and CTR DRBG. All three DRBGs are 
implemented with a derivation function and with the support of prediction 

The implementation is available at [1]. That implementation is functionally 
complete as it implements all aspects defined by SP800-90A. [1] is a 
self-contained implementation. The implementation can be integrated into libgcrypt 
with the patch libgcrypt-1.6.0-git.diff provided in the source code tree. In 
addition, a test application is provided that demonstrates the proper 
operation of all DRBGs.

The provided code is ready for testing by simply compiling the test 
application by invoking make -f Makefile.gcry -- the resulting application 
shows how the DRBG works. The aforementioned diff integrates the DRBG into 
libgcrypt. A second application is provided in tests/libgcrypt and 
demonstrates how to use the DRBG with libgcrypt.

The code [1] just needs some small refactoring to turn it into a patch for 
the request for inclusion into libgcrypt -- and asking for an official review 
:-) . For example, the GCRY_APP code needs to be removed. Also, the contents of 
drbg-gcry.h need to go into the drbg.c file. I am happy to perform the 
changes and offer ready-to-go patches. The current code, however, allows for 
easy development. But before making a full patch set, there are several issues 
that need to be clarified. All issues are marked with TODOs throughout the 
code. With the following list, all issues are extracted.

May I ask for help to clarify the following questions:

* libgcrypt does not offer a reseed API call. Wouldn't it make sense to add 
such a reseed API?

* What does the full variable used with the initialization call mean for the 

* SP800-90A defines that a caller requesting the initialization of the 
DRBG may provide a so-called "personalization string" that is used as data 
concatenated with the real seed. The DRBG code implements the proper handling of 
the personalization string. However, the libgcrypt API initialization call does 
not allow the caller to provide such additional data.

* Similar to initialization, SP800-90A allows the requestor of random bits 
to provide "additional input" which is to be mixed into the DRBG before 
generating the random bits. The DRBG code implements the proper handling of 
the additional input string. However, the libgcrypt RNG gathering call 
does not allow the caller to provide such additional data.

* Into which header file should the DRBG specification flags that can be used 
with the gcry_control of GCRYCTRL_DRBG_FLAGS go? I would guess it needs to go 
into gcrypt.h.

[1] http://www.chronox.de/drbg.html

| Cui bono? |
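To make concrete the three hooks the questions above turn on (a reseed call, a personalization string at instantiation, and additional input at generation time), here is a compact HMAC_DRBG in Python following SP800-90A section 10.1.2. This is an added illustration, not code from the chronox.de implementation or from libgcrypt; the class name, the fixed ENTROPY and NONCE values and the helper functions are constructed for this example, and the fixed entropy exists only so the run is reproducible.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG (SP800-90A 10.1.2) over SHA-256 by default.

    Constructed example: entropy is passed in by the caller so the behaviour is
    reproducible; a real instantiation must feed fresh entropy from a vetted
    source (e.g. os.urandom or a hardware noise source).
    """

    RESEED_INTERVAL = 1 << 48  # SP800-90A maximum reseed_interval for HMAC_DRBG
    MAX_REQUEST = 1 << 16      # max_number_of_bits_per_request, expressed in bytes

    def __init__(self, entropy_input: bytes, nonce: bytes,
                 personalization_string: bytes = b"", hash_name: str = "sha256"):
        self._hash = hash_name
        outlen = hashlib.new(hash_name).digest_size
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed_material).
        self._K = b"\x00" * outlen
        self._V = b"\x01" * outlen
        seed_material = entropy_input + nonce + personalization_string
        self._update(seed_material)
        self._reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self._hash).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: the second half runs only when provided_data is non-empty.
        self._K = self._hmac(self._K, self._V + b"\x00" + provided_data)
        self._V = self._hmac(self._K, self._V)
        if not provided_data:
            return
        self._K = self._hmac(self._K, self._V + b"\x01" + provided_data)
        self._V = self._hmac(self._K, self._V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Reseed: fresh entropy (optionally with additional input) is folded into K and V.
        self._update(entropy_input + additional_input)
        self._reseed_counter = 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        if nbytes > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        # Additional input is mixed in before any output is produced.
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self._V = self._hmac(self._K, self._V)
            out += self._V
        # Post-generation Update uses the same additional input (possibly empty).
        self._update(additional_input)
        self._reseed_counter += 1
        return out[:nbytes]


# Constructed, fixed inputs so the example is reproducible; never reuse fixed
# values like these for real instantiation.
ENTROPY = bytes(range(32))
NONCE = b"\xaa" * 16


def output_for(personalization: bytes, additional: bytes = b"", n: int = 32) -> bytes:
    """First n output bytes for a DRBG instantiated with the given personalization string."""
    drbg = HmacDrbg(ENTROPY, NONCE, personalization)
    return drbg.generate(n, additional)


def output_after_reseed(reseed_entropy: bytes, n: int = 32) -> bytes:
    """First n output bytes after an explicit reseed with the given entropy."""
    drbg = HmacDrbg(ENTROPY, NONCE)
    drbg.reseed(reseed_entropy)
    return drbg.generate(n)


if __name__ == "__main__":
    print("plain          :", output_for(b"").hex())
    print("personalized   :", output_for(b"app-A").hex())
    print("with add. input:", output_for(b"", b"request-context").hex())
    print("after reseed   :", output_after_reseed(b"\x55" * 32).hex())
```

Two instances built from identical entropy, nonce and personalization string produce identical output, which is exactly why the personalization string and per-request additional input matter: they let two callers sharing an entropy source, or two requests in the same process, diverge without any change to the underlying seed.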
