Introduction to the SP 800-90 Series - Requirements on Random Number Generation

As outlined in our previous blog post, a strong source of randomness (i.e. entropy) is vital for cryptography. It’s not enough to use a strong cryptographic algorithm if your generated keys are easy for an attacker to guess and use!

To address the problem of weak randomness in cryptography, NIST has been hard at work for over a decade on creating the SP 800-90 series of standards on implementing secure random number generators. These are the random number generation standards that the Cryptographic Module Validation Program (CMVP) uses for FIPS 140 validation.

There are currently three standards in the NIST SP 800-90 series, each with different purposes and maturity.

SP 800-90A

The first standard in this series is SP 800-90A Rev 1. - Recommendation for Random Number Generation Using Deterministic Random Bit Generators. This standard defines the FIPS 140 approved Deterministic Random Bit Generators (DRBGs). A DRBG is a deterministic algorithm. A DRBG is not a source of entropy, but it is useful for conditioning the output of entropy sources and expanding the amount of entropy received from an entropy source. DRBGs also provide an additional layer of assurance - if you have an undetected entropy source failure, the failure will be less obvious to an attacker when the output has been processed by a DRBG. DRBGs are required in FIPS 140 for all key generation.

The three approved DRBG types, as detailed in this standard, are CTR_DRBGs (using AES as a cryptographic primitive, and previously TDES), Hash_DRBGs (using SHS as a primitive), and HMAC_DRBGs (using HMAC as a primitive).

This standard is mature and has been in use for over a decade, with the most recent version published in June 2015. For the next revision of this standard (SP 800-90A Rev 2), updates are anticipated to align with the final published version of SP 800-90C. These updates are likely to include an updated definition of full entropy output, removal of algorithms that are no longer approved (TDES and SHA-1), replacement of nonces with larger entropy input requirements. Additionally, a new XOF_DRBG construction is expected, along with the addition of SHA-3, SHAKE, and Ascon options for the existing DRBGs.

SP 800-90B

The second standard in this series is SP 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation. This standard defines FIPS 140 approved entropy sources. An entropy source is an unpredictable source of randomness or noise. It is not a deterministic algorithm, and therefore the standard does not define how the entropy source should be constructed. Instead, the standard defines a series of general requirements. The entropy source is tested for compliance with these requirements during the entropy source validation process.

Because the standard requirements are general, a wide variety of entropy sources can potentially be validated. These entropy sources collect randomness from unpredictable values such as those found in hardware interactions, oscillator jitter, clock values, environmental measurements, quantum state transitions, and cache usage. However, due to the requirements of the standard, entropy sources cannot usually be validated unless they have been designed for conformance with SP 800-90B. For example, SP 800-90B requires tester access to raw noise (unconditioned output) in the entropy source. It also requires detailed rationales and models for the expected entropy rates, including the impacts to the entropy rate from every component of the entropy source. The standard also details requirements for health tests to be run on start-up, on-demand, and continuously during the entropy source’s operation. As part of validation, the entropy source outputs must also be tested against the NIST SP 800-90B statistical test suite. Validated entropy sources do not need to generate entropy at a high rate, but slower entropy sources will take longer to accumulate sufficient bits of entropy (e.g. to collect 256 bits of entropy to seed an AES-256 based CTR_DRBG).

Because of SP 800-90B’s stringent requirements, many commonly used entropy sources such as dev/random cannot be validated against this standard.

This standard was published in January 2018 and began to be integrated into FIPS 140 in 2019. There are no imminent updates to this standard, but the next revision is likely to align more closely with the requirements defined in the AIS 20/31 standards defined by Germany’s Federal Office for Information Security (BSI).

SP 800-90C

The third and final standard in this series is SP 800-90C - Recommendation for Random Bit Generator (RBG) Constructions. This standard is still a draft, and the final version has not yet been published. This standard defines RBG constructions, which are approved methods of combining an entropy source from SP 800-90B with a DRBG from SP 800-90C. In each construction, the entropy source output is used to seed (instantiate) a DRBG.

The current draft of SP 800-90C defines four RBG constructions, as detailed below.

• RBG1 is a DRBG that can only be seeded once by an external physical entropy source.
• RBG2 is intended to be the most common option. It consists of a DRBG seeded by an internal entropy source that is available on demand.
• RBG3 is a more restrictive version of RBG2 and it provides full entropy outputs from the RBG. It must oversample the collected entropy or XOR the DRBG output with additional entropy, it must use a physical (non-software) entropy source, and the DRBG must be reseeded for every RBG output.
• RBGC is a construction that allows limited chaining of RBGs on the same computing platform.

Notably, the draft only includes RBG constructions with components that are all on the same device and (if applicable) in the same virtual environment, except for the RBG1 construction that can only be seeded once. That is, SP 800-90C does not include any approved RBGs where the entropy source is outside the device and is callable on demand. So entropy as a service will not be SP 800-90C approved.

The most recent draft of this standard was published in July 2024. Once the final version is published, this standard will be adopted for FIPS 140, but a transition period of at least a year is expected.

Learn more

To learn more about the NIST’s SP 800-90 series efforts, see the NIST project page on random bit generation here.

And to learn more about how these standards have applied to FIPS 140 validations over the years, stay tuned for our next blog post in this series!