The core of this deterministic random number generator is implemented according to the document “NIST Recommended DRBG Based on ANSI NIST SP800-90A”. By default, this implementation uses the DRBG_NOPR_HMACSHA256 variant (HMAC DRBG with DF with SHA256, without prediction resistance).
The generator is based on contexts so that the same core functions can serve all random levels required by the high-level interface. All random generators return their data in 128-bit blocks; if the caller requests fewer bits, the extra bits are discarded. The key for each generator is set only once, the first time a generator context is used. The seed value is set along with the key and again after 1000 output blocks.
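To make the “HMAC DRBG with SHA256, without prediction resistance” description concrete, here is a minimal SP 800-90A HMAC_DRBG (instantiate, generate, reseed) as an added example. It is not libgcrypt's code, and the reseed interval and seed bytes are constructed values for the demo; libgcrypt's own policy of reseeding after 1000 output blocks is enforced internally and is not modelled here.

```python
import hmac
import hashlib

# Added example, not libgcrypt's implementation. RESEED_INTERVAL is a
# constructed value chosen to echo the page's 1000-block figure, but it is
# counted per generate() call here.
RESEED_INTERVAL = 1000
OUTLEN = 32  # SHA-256 output length in bytes


class HmacDrbgSha256:
    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: K = 0x00..00, V = 0x01..01, then absorb the seed material.
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update (SP 800-90A, section 10.1.2.2).
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        # Fresh entropy re-keys the state and resets the reseed counter.
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional: bytes = b"") -> bytes:
        # Without prediction resistance the caller must reseed once the
        # interval is exhausted; refuse rather than silently continue.
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:nbytes]
```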
On Unix-like systems the GCRY_VERY_STRONG_RANDOM and GCRY_STRONG_RANDOM generators are keyed and seeded using the rndgetentropy or rndoldlinux module. With the rndoldlinux module, these generators may block until the OS kernel has collected enough entropy. When used with Microsoft Windows, the rndw32 module is used instead.
The generator used for gcry_create_nonce is keyed and seeded from the GCRY_STRONG_RANDOM generator. Thus, with the rndoldlinux module, it may also block if the GCRY_STRONG_RANDOM generator has not yet been used and therefore gets initialized on its first use by gcry_create_nonce. This special treatment is justified by the weaker requirements for a nonce generator and by the need to save precious kernel entropy for use by the “real” random generators.