Re: [PATCH v1] crypto: Make the DRBG compliant with NIST SP800-90A rev1

From: Mickaël Salaün
Date: Fri Jun 25 2021 - 10:53:27 EST



On 25/06/2021 15:50, Stephan Müller wrote:
> Am Freitag, 25. Juni 2021, 13:09:26 CEST schrieb Mickaël Salaün:
>
> Hi Mickaël,
>
> [...]
>>
>>> - applies an entropy_input len of 512 bits during initial seeding
>>>
>>> - applies a nonce of 128 bits during initial seeding
>>>
>>> entropy_input == <384 bits get_random_bytes> || <256 bits Jitter RNG>
>>
>> We think that using "<384 bits get_random_bytes> || " makes this DRBG
>> non-compliant with SP800-90A rev1 because get_random_bytes doesn't use a
>> vetted conditioning component (but ChaCha20 instead):
>>
>> SP800-90Ar1, section 8.6.5 says "A DRBG mechanism requires an approved
>> randomness source during instantiation and reseeding [...]. An approved
>> randomness source is an entropy source that conforms to [SP 800-90B], or
>> an RBG that conforms to [SP 800-90C] − either a DRBG or an NRBG".
>> The FIPS 140-2 Implementation Guidance
>> (https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-p
>> rogram/documents/fips140-2/fips1402ig.pdf), section 7.19 says "As of
>> November 7, 2020, all newly submitted modules requiring an entropy
>> evaluation must demonstrate compliance to SP 800-90B". In resolution 3 it
>> says "all processing of the raw data output from the noise sources that
>> happens before it is ultimately output from the entropy source *shall*
>> occur within a conditioning chain". Data from get_random_bytes may come
>> from multiple noise sources, but they are hashed with ChaCha20.
>> In resolution 6 it says "a vetted conditioning component may optionally
>> take a finite amount of supplemental data [...] in addition to the data
>> from the primary noise source", which would be OK if get_random_bytes
>> used a vetted algorithm, but it is not the case for now.
>
> You cite the right references, I think the interpretation is too strict.
>
> The specifications require that
>
> a) The DRBG must be seeded by a 90B entropy source
>
> b) The DRBG must be initially seeded with 256 bits of entropy plus some 128
> bit nonce
>
> We cover a) with the Jitter RNG and b) by pulling 384 bits from it.
>
> The standard does not forbit:
>
> c) the entropy string may contain data from another origin or it contains a
> larger buffer
>
> d) the actual entropy distribution in the entropy string being not an
> equidistribution over the entire entropy string
>
> Bullet d) implies that it is perfectly fine to have entropy distribution begin
> loopsided in the entropy string.
>
> Bullet c) implies that other data can be provided with the entropy string.
>
> With that, to be 90A/B compliant, you interpret that the Jitter RNG provides
> all entropy you need and credit the entropy from get_random_bytes with zero
> bits of entropy.
>
>
> Note, if you look into the implementation of the DRBG seeding, the different
> input strings like entropy string or data without entropy like personalization
> string are simply concatenated and handed to the DRBG. As the Jitter RNG and
> get_random_bytes data is also concatenated, it follows the concepts of 90A.
>
> If you look into the draft 90C standard, it explicitly allows concatenation of
> data from an entropy source that you credit with entropy and data without
> entropy - see the crediting of entropy of multiple entropy sources defined
> with "Method 1" and "Method 2" in the current 90C draft.
>
> This ultimately allows us to have an entropy string that is concatenated from
> different entropy sources. If you have an entropy source that is not 90B
> compliant, you have to credit it with zero bits of entropy in the entropy
> analysis. Thus, only the entropy source(s) compliant to 90B must provide the
> entire entropy as mandated by 90A.

Thanks for your detailed explanation Stephan. We agree that data from
get_random_bytes is not accounted as entropy, but the question is: is it
still in line with the specification because it uses an algorithm not
compliant to SP800-90B (i.e. ChaCha20 is not a vetted conditioning
component)? Cf. IG 7.19 resolution 6 from 08/28/2020 and IG 7.20 from
05/04/2021.

>
> After having several discussions with the Entropy Working group sponsored by
> NIST that included also representatives from the NIST crypto technology group,
> there was no concern regarding such approach.
>
> This approach you see in the current DRBG seeding code is now taken for
> different FIPS validations including FIPS validations that I work on as a FIPS
> tester as part of my duties working for a FIPS lab. My colleagues have
> reviewed the current kernel DRBG seeding strategy and approved of it for other
> FIPS validations.

Good to know. We are worried that a new FIPS validation (started after
November 7, 2020) could failed because of the new SP800-90B requirement.
This issue was pointed out by a lab. It seems that the specification is
still open to different interpretations.

Regards,
Mickaël