Previous: CSPRNG Description, Up: Random-Number Subsystem Architecture [Contents][Index]
The core of this deterministic random number generator is implemented according to the document “NIST Recommended DRBG Based on ANSI NIST SP800-90A”. By default, this implementation uses the DRBG_NOPR_HMACSHA256 variant (HMAC DRBG with DF with SHA256, without prediction resistance.
The generator is based on contexts to utilize the same core functions for all random levels as required by the high-level interface. All random generators return their data in 128 bit blocks. If the caller requests fewer bits, the extra bits are not used. The key for each generator is only set once at the first time a generator context is used. The seed value is set along with the key and again after 1000 output blocks.
On Unix like systems the
GCRY_STRONG_RANDOM generators are keyed and seeded using the
rndgetentropy or rndoldlinux module. With rndoldlinux module, these
generators may block until the OS kernel has collected enough entropy.
When used with Microsoft Windows, the rndw32 module is used instead.
The generator used for
gcry_create_nonce is keyed and seeded
GCRY_STRONG_RANDOM generator. Thus, with rndoldlinux
module, it may also block if the
has not yet been used before and thus gets initialized on the first
gcry_create_nonce. This special treatment is justified
by the weaker requirements for a nonce generator and to save precious
kernel entropy for use by the “real” random generators.