Random Number Generation
Cryptographically secure random number generators (CSPRNGs) are essential for generating keys, nonces, and other security-critical random values.
Available Random Number Generators
Deterministic Random Bit Generators
HMAC-DRBG
NIST-approved deterministic random bit generator based on HMAC.
- Hash Functions: SHA-256, SHA-512, SHA-1
- Security Level: Based on underlying hash function
- Seed Length: Varies by hash function
- Use Cases: Key generation, nonce generation, cryptographic protocols
Algorithm Details
HMAC-DRBG Features
- Deterministic: Same seed produces same output sequence
- Backtracking Resistance: Compromise of the current internal state does not reveal outputs generated before the compromise
- Prediction Resistance: Outputs generated after fresh entropy has been mixed in by reseeding cannot be predicted from a previously compromised state
- Reseedable: Can incorporate fresh entropy
- NIST Approved: SP 800-90A compliant
Security Properties
Entropy Requirements
- Initial Seed: Must have sufficient entropy (≥ security strength)
- Reseeding: Periodic reseeding with fresh entropy recommended
- Personalization: Optional personalization string for domain separation
- Additional Input: Optional additional input for each generation
Security Levels
| Hash Function | Security Strength | Min Entropy | Max Requests |
|---|---|---|---|
| SHA-1 | 80 bits | 80 bits | 2^48 |
| SHA-256 | 128 bits | 128 bits | 2^48 |
| SHA-512 | 256 bits | 256 bits | 2^48 |
Use Cases
Key Generation
```python
import os

# Generate cryptographic keys from a DRBG seeded with 32 bytes of OS entropy
drbg = HMAC_DRBG(entropy_source=os.urandom(32))
aes_key = drbg.generate(32)   # 256-bit AES key
hmac_key = drbg.generate(32)  # 256-bit HMAC key
```
Nonce Generation
```python
# Generate unique nonces
# secure_entropy: bytes drawn from a high-quality entropy source (see Best Practices)
drbg = HMAC_DRBG(entropy_source=secure_entropy)
nonce = drbg.generate(12)  # 96-bit nonce for AES-GCM
```
Protocol Randomness
```python
# Generate protocol-specific random values
# entropy: bytes drawn from a high-quality entropy source (see Best Practices)
# The personalization string separates this instance from other DRBG uses
drbg = HMAC_DRBG(
    entropy_source=entropy,
    personalization=b"TLS_1_3_CLIENT",
)
client_random = drbg.generate(32)  # 32-byte ClientHello random
```
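To show what instantiate, generate and reseed actually do to the internal (K, V) state behind the snippets above, here is a complete HMAC_DRBG following NIST SP 800-90A section 10.1.2. It is an added example, not the library's `HMAC_DRBG` class used on this page; the `HmacDrbg` name, its method signatures and the `SECURITY_STRENGTH` table (taken from the Security Levels table above) are assumptions of the example. It also accepts the SP 800-90A nonce and per-request additional input, which the snippets above omit.

```python
import hashlib
import hmac

# Security strength per hash in bits, matching the Security Levels table above
SECURITY_STRENGTH = {"sha1": 80, "sha256": 128, "sha512": 256}

class HmacDrbg:
    """HMAC_DRBG per NIST SP 800-90A section 10.1.2 (illustrative implementation)."""
    RESEED_INTERVAL = 1 << 48        # max generate() calls between reseeds
    MAX_BYTES_PER_REQUEST = 1 << 16  # 2^19 bits per request

    def __init__(self, entropy, nonce=b"", personalization=b"", hash_name="sha256"):
        self.hash_name = hash_name
        # Seed entropy must be at least the security strength; SP 800-90A also
        # wants a nonce of strength/2 bits unless entropy is 1.5x the strength.
        if len(entropy) * 8 < SECURITY_STRENGTH[hash_name]:
            raise ValueError("entropy input shorter than security strength")
        outlen = hashlib.new(hash_name).digest_size
        self.K = b"\x00" * outlen
        self.V = b"\x01" * outlen
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1
    def _hmac(self, key, data):
        return hmac.new(key, data, self.hash_name).digest()
    def _update(self, provided_data):
        # HMAC_DRBG_Update: fold provided_data into (K, V)
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)
    def reseed(self, entropy, additional_input=b""):
        # Fresh entropy is what gives prediction resistance after a compromise
        self._update(entropy + additional_input)
        self.reseed_counter = 1
    def generate(self, nbytes, additional_input=b""):
        if nbytes > self.MAX_BYTES_PER_REQUEST:
            raise ValueError("request exceeds 2^19 bits")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)  # advance state: backtracking resistance
        self.reseed_counter += 1
        return out[:nbytes]
```

The constructed seed bytes in the checks are fixed so the output is reproducible; a real instance is seeded from `os.urandom` or a hardware source as described under Best Practices.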
Best Practices
Entropy Sources
- Use high-quality entropy sources (hardware RNG, OS entropy)
- Combine multiple entropy sources when possible
- Monitor entropy quality in production systems
- Implement entropy estimation and health checks
Seeding and Reseeding
- Reseed periodically or after generating large amounts of data
- Reseed after security events or state compromise
- Use prediction resistance when available
- Include timestamp and process ID in additional input
Implementation Security
- Clear internal state on destruction
- Protect against state disclosure attacks
- Implement proper error handling
- Use constant-time operations where applicable
Operational Considerations
- Monitor DRBG health and entropy sources
- Implement proper initialization procedures
- Handle reseeding failures gracefully
- Log security-relevant events
Comparison with System RNGs
| Source | Pros | Cons | Use Case |
|---|---|---|---|
| HMAC-DRBG | Deterministic, portable, testable | Requires entropy source | Cryptographic applications |
| OS RNG | High entropy, hardware-backed | Platform-dependent | General random values |
| Hardware RNG | True randomness, high entropy | May not be available | Seeding, high-security |
Selection Guide
For Cryptographic Applications
- Primary: HMAC-DRBG with SHA-256 or SHA-512
- Seeding: OS entropy source or hardware RNG
- Reseeding: Every 2^20 requests or 24 hours
For Non-Cryptographic Applications
- Fast Random: System PRNG (not cryptographically secure)
- Simulation: Deterministic PRNG with known seed
- Testing: HMAC-DRBG with fixed seed for reproducibility
For High-Security Applications
- FIPS Compliance: HMAC-DRBG with approved hash functions
- Prediction Resistance: Enable if supported
- Frequent Reseeding: More aggressive reseeding schedule
Standards Compliance
- NIST SP 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
- FIPS 140-2: Federal Information Processing Standard for cryptographic modules
- Common Criteria: International standard for computer security certification
- RFC 6979: Deterministic Usage of DSA and ECDSA (uses HMAC-DRBG)