Re: [PATCH v1] crypto: Make the DRBG compliant with NIST SP800-90A rev1
From: Stephan Müller
Date: Fri Jun 25 2021 - 09:50:30 EST
Am Freitag, 25. Juni 2021, 13:09:26 CEST schrieb Mickaël Salaün:
Hi Mickaël,
[...]
>
> > - applies an entropy_input len of 512 bits during initial seeding
> >
> > - applies a nonce of 128 bits during initial seeding
> >
> > entropy_input == <384 bits get_random_bytes> || <256 bits Jitter RNG>
>
> We think that using "<384 bits get_random_bytes> || " makes this DRBG
> non-compliant with SP800-90A rev1 because get_random_bytes doesn't use a
> vetted conditioning component (but ChaCha20 instead):
>
> SP800-90Ar1, section 8.6.5 says "A DRBG mechanism requires an approved
> randomness source during instantiation and reseeding [...]. An approved
> randomness source is an entropy source that conforms to [SP 800-90B], or
> an RBG that conforms to [SP 800-90C] − either a DRBG or an NRBG".
> The FIPS 140-2 Implementation Guidance
> (https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-p
> rogram/documents/fips140-2/fips1402ig.pdf), section 7.19 says "As of
> November 7, 2020, all newly submitted modules requiring an entropy
> evaluation must demonstrate compliance to SP 800-90B". In resolution 3 it
> says "all processing of the raw data output from the noise sources that
> happens before it is ultimately output from the entropy source *shall*
> occur within a conditioning chain". Data from get_random_bytes may come
> from multiple noise sources, but they are hashed with ChaCha20.
> In resolution 6 it says "a vetted conditioning component may optionally
> take a finite amount of supplemental data [...] in addition to the data
> from the primary noise source", which would be OK if get_random_bytes
> used a vetted algorithm, but it is not the case for now.
You cite the right references, I think the interpretation is too strict.
The specifications require that
a) The DRBG must be seeded by a 90B entropy source
b) The DRBG must be initially seeded with 256 bits of entropy plus some 128
bit nonce
We cover a) with the Jitter RNG and b) by pulling 384 bits from it.
The standard does not forbit:
c) the entropy string may contain data from another origin or it contains a
larger buffer
d) the actual entropy distribution in the entropy string being not an
equidistribution over the entire entropy string
Bullet d) implies that it is perfectly fine to have entropy distribution begin
loopsided in the entropy string.
Bullet c) implies that other data can be provided with the entropy string.
With that, to be 90A/B compliant, you interpret that the Jitter RNG provides
all entropy you need and credit the entropy from get_random_bytes with zero
bits of entropy.
Note, if you look into the implementation of the DRBG seeding, the different
input strings like entropy string or data without entropy like personalization
string are simply concatenated and handed to the DRBG. As the Jitter RNG and
get_random_bytes data is also concatenated, it follows the concepts of 90A.
If you look into the draft 90C standard, it explicitly allows concatenation of
data from an entropy source that you credit with entropy and data without
entropy - see the crediting of entropy of multiple entropy sources defined
with "Method 1" and "Method 2" in the current 90C draft.
This ultimately allows us to have an entropy string that is concatenated from
different entropy sources. If you have an entropy source that is not 90B
compliant, you have to credit it with zero bits of entropy in the entropy
analysis. Thus, only the entropy source(s) compliant to 90B must provide the
entire entropy as mandated by 90A.
After having several discussions with the Entropy Working group sponsored by
NIST that included also representatives from the NIST crypto technology group,
there was no concern regarding such approach.
This approach you see in the current DRBG seeding code is now taken for
different FIPS validations including FIPS validations that I work on as a FIPS
tester as part of my duties working for a FIPS lab. My colleagues have
reviewed the current kernel DRBG seeding strategy and approved of it for other
FIPS validations.
Ciao
Stephan