NIST SP 800-90A: DRBG Standards
Understand the NIST DRBG framework — instantiation, reseeding, prediction resistance, and security strengths.
Why Deterministic RBGs Are Needed
Cryptographic operations need high-quality random numbers: key generation, nonces, IVs, salts, and session tokens. True random number generators (TRNGs) harvest entropy from physical sources (hardware noise, interrupts, thermal noise) but are slow and not always available — especially in virtual machines or early boot. Deterministic Random Bit Generators (DRBGs) solve this: seed a DRBG with a small amount of true entropy and use a cryptographic algorithm to stretch it into a large stream of pseudorandom bits that are computationally indistinguishable from true random. NIST SP 800-90A defines three approved DRBG mechanisms used in virtually all modern cryptographic implementations.
DRBG Lifecycle: Instantiate, Generate, Reseed
A DRBG operates through three fundamental operations. Instantiate: initialize the DRBG internal state using entropy_input (from an entropy source), a nonce (a one-time value ensuring uniqueness), and optionally a personalization_string (application-specific context). Generate: produce the requested number of pseudorandom bits and update internal state to prevent backtracking. Reseed: inject fresh entropy into the DRBG state to provide prediction resistance — after reseeding, even an adversary who knew the previous state cannot predict future outputs. NIST specifies maximum generate intervals (reseed_interval): 2^48 requests before mandatory reseeding for all three DRBG types.
All lessons in this course
- NIST SP 800-90A: DRBG Standards
- Hash-DRBG, HMAC-DRBG, and CTR-DRBG Internals
- The Dual EC DRBG Backdoor Incident
- Testing and Validating RNG Implementations