Previous: , Up: Random-Number Subsystem Architecture   [Contents][Index]

17.6.2 Description of the DRBG

The core of this deterministic random number generator is implemented according to the document “NIST Recommended DRBG Based on ANSI NIST SP800-90A”. By default, this implementation uses the DRBG_NOPR_HMACSHA256 variant (HMAC DRBG with DF with SHA256, without prediction resistance.

The generator is based on contexts to utilize the same core functions for all random levels as required by the high-level interface. All random generators return their data in 128 bit blocks. If the caller requests fewer bits, the extra bits are not used. The key for each generator is only set once at the first time a generator context is used. The seed value is set along with the key and again after 1000 output blocks.

On Unix like systems the GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are keyed and seeded using the rndgetentropy or rndoldlinux module. With rndoldlinux module, these generators may block until the OS kernel has collected enough entropy. When used with Microsoft Windows, the rndw32 module is used instead.

The generator used for gcry_create_nonce is keyed and seeded from the GCRY_STRONG_RANDOM generator. Thus, with rndoldlinux module, it may also block if the GCRY_STRONG_RANDOM generator has not yet been used before and thus gets initialized on the first use by gcry_create_nonce. This special treatment is justified by the weaker requirements for a nonce generator and to save precious kernel entropy for use by the “real” random generators.