NOTE: The kernel DRBG implementation is now available upstream starting with Linux kernel 3.17. Please use the upstream Linux kernel repository to obtain the latest code. You will find current testing code for the DRBG here nonetheless.
NOTE: the libgcrypt DRBG went upstream into the libgcrypt GIT tree on Feb 22, 2016 for release with version 1.7. Please note that the gcry_control interface API has changed compared to the code offered here.
This is a clean-room implementation of the DRBG defined in SP800-90A. All three viable DRBGs defined in the standard are implemented: Hash_DRBG, HMAC_DRBG and CTR_DRBG.
The DRBG implementation offers the following:
The implementation of the DRBG available for download here integrates with the Linux kernel crypto API as well as with libgcrypt.
A test kernel module, which also covers the CAVS testing framework and shows how to use the DRBG through the kernel crypto API, is provided in kernel/test; a simple make builds the module.
The libgcrypt version is provided in the directory libgcrypt/. The provided patch must be applied to the libgcrypt source code (currently tested with libgcrypt git development code available on 2014-03-02). In addition, the drbg.c file must be copied to the random/ directory of the libgcrypt code tree. After compiling and installing libgcrypt, the DRBG code is available. A test application in libgcrypt/test can be compiled and linked with the newly generated libgcrypt. When executing the test application, it demonstrates how the DRBG integrated with libgcrypt is invoked.
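The DRBG described above follows SP800-90A. To make the mechanism concrete, the block below is an added, stand-alone HMAC_DRBG written for this page; it is not the kernel or libgcrypt code offered here, and it uses only the Python standard library. It walks through Instantiate, Update, Reseed and Generate as defined in section 10.1.2 of the standard, enforces the per-request size limit (2^19 bits) and the reseed counter, and shows how a request larger than one Generate call permits (the changelog below mentions test requests of up to 1 MB) is served by chaining Generate calls. The sample entropy, nonce and personalization string are constructed values for demonstration, not CAVS vectors; the reseed_interval default of 2^20 is an assumption made here (SP800-90A only caps it at 2^48), and a real deployment must take its entropy input from a vetted noise source rather than from a constant.

```python
import hashlib
import hmac

# SP800-90A: max_number_of_bits_per_request = 2**19 bits, i.e. 64 KiB per Generate call.
MAX_REQUEST_BYTES = 1 << 16


class ReseedRequired(Exception):
    """Generate refused: reseed_counter exceeded reseed_interval (10.1.2.5 step 1)."""


class HmacDrbg:
    """HMAC_DRBG per SP800-90A section 10.1.2, without prediction resistance.

    Added example code, not the page's kernel/libgcrypt implementation. Entropy is
    passed in by the caller so that runs are reproducible; a real deployment obtains
    it from a vetted source. The reseed_interval default of 2**20 is an assumption
    for this example; SP800-90A only caps it at 2**48.
    """

    def __init__(self, entropy_input, nonce, personalization=b"",
                 digest=hashlib.sha256, reseed_interval=1 << 20):
        self.digest = digest
        self.outlen = digest().digest_size
        self.reseed_interval = reseed_interval
        # HMAC_DRBG_Instantiate_algorithm (10.1.2.3): K = 0x00..00, V = 0x01..01
        self.K = b"\x00" * self.outlen
        self.V = b"\x01" * self.outlen
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key, data):
        return hmac.new(key, data, self.digest).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update (10.1.2.2); the second round only runs when data was provided
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy_input, additional_input=b""):
        # HMAC_DRBG_Reseed_algorithm (10.1.2.4): fresh entropy resets the counter
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes, additional_input=b""):
        # HMAC_DRBG_Generate_algorithm (10.1.2.5)
        if nbytes > MAX_REQUEST_BYTES:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.reseed_interval:
            raise ReseedRequired("reseed before generating more output")
        if additional_input:
            self._update(additional_input)
        temp = bytearray()
        while len(temp) < nbytes:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        # Post-output Update (with additional_input or Null) provides backtracking resistance
        self._update(additional_input)
        self.reseed_counter += 1
        return bytes(temp[:nbytes])


def random_bytes(drbg, nbytes, additional_input=b""):
    """Serve a request larger than one Generate call permits (e.g. 1 MB) by issuing
    successive Generate calls of at most MAX_REQUEST_BYTES; each advances the counter."""
    out = bytearray()
    while len(out) < nbytes:
        out += drbg.generate(min(MAX_REQUEST_BYTES, nbytes - len(out)), additional_input)
    return bytes(out)


# Constructed, non-secret sample inputs for demonstration only (not CAVS vectors).
SAMPLE_ENTROPY = bytes(range(32))
SAMPLE_NONCE = bytes(range(16))


def demo():
    """Two instances with identical inputs agree; the reseed limit is enforced and reset."""
    a = HmacDrbg(SAMPLE_ENTROPY, SAMPLE_NONCE, b"drbg demo", reseed_interval=2)
    b = HmacDrbg(SAMPLE_ENTROPY, SAMPLE_NONCE, b"drbg demo", reseed_interval=2)
    first = a.generate(32)
    assert first == b.generate(32)
    a.generate(32)                      # second call: counter reaches 3
    try:
        a.generate(32)                  # third call must be refused
        hit_limit = False
    except ReseedRequired:
        hit_limit = True
    a.reseed(bytes(32))                 # constructed reseed entropy
    after = a.generate(32)
    return first, hit_limit, after


if __name__ == "__main__":
    first, hit_limit, after = demo()
    print(first.hex(), hit_limit, after.hex())
```

The post-output Update is the step that gives HMAC_DRBG its backtracking resistance: knowing the returned bytes does not reveal the state used to produce the next request. The chunking helper mirrors the practical need to keep each Generate call under the standard's request limit while still serving large reads.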
The following source code tarballs contain the implementation of the DRBG; the table lists each release and its changes.
Link (release date) | Changes
---|---
20140225 | Initial version
20140226 | Fix libgcrypt error reporting when changing DRBG types; fix deadlock in libgcrypt code
20140227 | Add kernel/ directory, which contains the consolidated kernel module that should eventually be suggested for inclusion into the kernel
20140228 | Solve how the personalization / additional input string can be passed through the kernel crypto API; remove all EXPORT_SYMBOLs, as all CAVS testing and normal use can now go through the kernel crypto API (see the comments in drbg.c for examples of how to use the kernel crypto API to cover all use cases of the DRBG)
20140302 | Remove DRBG strength flags; add libgcrypt/ directory for the consolidated libgcrypt code/patch; solve all open questions around libgcrypt and add documentation to drbg.c; add CAVS test description / reference implementation; small bug fixes in kernel code
20140303 | Kernel: add testmgr integration of the self tests, provided with the patch in the kernel/ directory
20140304 | Kernel: make HMAC DRBG configurable like the other DRBG types; kernel: make cores[] const; libgcrypt: make cores[] const; kernel: fix nasty array overflow bug in drbg_create_algs
20140306 | Kernel / libgcrypt: add more sanity checks; kernel: add null test vectors to testmgr to cover all DRBG types and prevent kernel messages about untested cipher types
20140309 | Kernel / libgcrypt: clean up code and data structures (thanks to Jeremy Powell and Rafael Aquini for input); kernel: fix memory corruption bug
20140317 | Kernel: restructuring and simplification of code; kernel: full CAVS test in kernel/test/
20140319 | libgcrypt: restructuring and simplification of code; libgcrypt: full CAVS test in libgcrypt/test/
20140327 | libgcrypt: release v4 patches and associated test updates; kernel: release v3 patches and associated test updates
20140429 | libgcrypt: release v5 patches; kernel: release v4 through v6 patches
20140603 | Kernel: release v7 through v9 patches; kernel: update test kernel module to use the new .cra_name
20140825 | Kernel / libgcrypt: test case requests a bit string of random length up to 1 MB; kernel: the DRBG is now in Linux kernel RC1 and the cryptodev-2.6 development tree, so the source code in the tarball is now secondary; libgcrypt: backport patches from the kernel DRBG code that were requested while the DRBG was added to the kernel development tree
20140907 | libgcrypt: update test application to match patch set v10 sent to the libgcrypt bug tracker (ID 1701)