NIST SP 800-90A

NIST SP 800-90A is a key guidance document from the National Institute of Standards and Technology that defines how cryptographically strong randomness should be produced in modern information systems. It sits at the core of how many government and private-sector systems generate keys, initialization vectors, and other critical values that rely on unpredictability. The document belongs to the broader SP 800-90 family, which also covers entropy sources and the construction of complete random bit generators. In practical terms, it provides formal requirements for deterministic random bit generators, or DRBGs, and the way they should be seeded, reseeded, and tested to ensure a reliable supply of high-quality random bits for cryptographic operations. The standard is commonly cited in connection with FIPS 140-2-validated cryptographic modules and interacts with related NIST guidance on entropy sources and DRBG construction, namely NIST SP 800-90B and NIST SP 800-90C.

The central aim of NIST SP 800-90A is to codify predictable, auditable, and interoperable methods for producing randomness in a way that remains robust against practical attack scenarios. It emphasizes the use of well-vetted cryptographic primitives and a disciplined approach to seeding and reseeding, so that the output of a DRBG remains unpredictable even if parts of the system are later compromised. The standard is widely referenced not only in federal information processing contexts but also by private firms that seek to align their security practices with established benchmarks. In doing so, it helps ensure that different systems can interoperate when exchanging cryptographic material and that vendors can demonstrate a minimum level of cryptographic rigor.

Overview and scope

NIST SP 800-90A specifies three main constructs for cryptographically secure generation of random bits, each built on a different underlying primitive. The document also sets requirements for entropy inputs, personalization strings, instantiation, reseeding, and output generation. The DRBGs covered are designed to provide a long sequence of bits that is computationally infeasible to predict, even for an observer who has seen part of the sequence. In practice, this means that keys generated for protocols such as TLS and for digital signature schemes can be created with a high level of confidence in their unpredictability. The standard also describes how DRBGs should behave when confronted with poor entropy or environmental disturbances, and it references the role of entropy sources in feeding the DRBGs, as described in the companion guidance NIST SP 800-90B.

The three DRBG constructions are the Hash DRBG, the HMAC DRBG, and the CTR DRBG. Each uses a different cryptographic mechanism to transform internal state and entropy into a stream of random bits. When used properly, these DRBGs can provide strong security assurances while remaining efficient for real-world deployments. The document also contemplates integration with hardware and software modules, and it aligns with broader cryptographic practice by requiring that implementations be subjected to appropriate testing and validation as part of a risk-managed security program. See Deterministic Random Bit Generator for a compact reference to the general concept.

DRBG architectures

Hash DRBG

The Hash DRBG relies on a cryptographic hash function to condense input material into a pseudorandom stream. The construction leverages the diffusion properties and preimage resistance of a hash function to obscure relationships between the seed, internal state, and produced output. Hash DRBGs are valued for their simplicity and for leveraging widely trusted hash primitives. They are used in environments where a strong hash function with well-understood properties forms the backbone of the randomness mechanism. See Hash DRBG for the details of this construction.

HMAC DRBG

The HMAC DRBG builds on the HMAC construction, combining a secret key with a hash function in a way that yields strong unpredictability guarantees even if some components are partially compromised. The HMAC DRBG is often favored for its well-understood security properties and compatibility with standard hash functions. The HMAC-based approach has a long track record in various security protocols and cryptographic modules. See HMAC DRBG for more detail on this construction.

CTR DRBG

The CTR DRBG uses a block cipher in counter mode to generate a stream of bits from a secret state. By advancing a counter and encrypting it under the key held in that secret state, this DRBG can produce high-rate output suitable for performance-critical applications. The CTR DRBG is commonly implemented with a widely trusted block cipher such as AES and is a workhorse in many security infrastructures. See CTR DRBG for more on this mode of operation and its security considerations.

Entropy sources and seed management

A core premise of SP 800-90A is that high-quality randomness starts with high-quality entropy inputs. The standard does not rely solely on a DRBG in isolation; it assumes a properly provisioned entropy source and a robust seed lifecycle. That lifecycle includes initial instantiation with entropy input and personalization data, periodic reseeding to refresh internal state, and ongoing health checks to detect degradation in entropy quality. The companion guidance NIST SP 800-90B focuses on entropy sources, their evaluation, and practical considerations for real-world deployments, including hardware randomness sources and environmental factors that can influence entropy generation. The interplay between entropy sources and DRBGs is essential to maintaining long-term security, especially in systems that must guard against sophisticated adversaries.
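The following is an added example, not code from the standard or from any validated module: a minimal HMAC_DRBG (the HMAC DRBG construction described above) that also walks through the seed lifecycle just discussed: instantiation from entropy, nonce and personalization string, bounded generation, and reseeding. It assumes SHA-256 and uses constructed fixed bytes in place of a real SP 800-90B entropy source.

```python
import hmac
import hashlib


class HmacDrbg:
    """HMAC_DRBG following the Update/Instantiate/Reseed/Generate steps
    of NIST SP 800-90A section 10.1.2, with SHA-256 as the hash."""

    HASH = hashlib.sha256
    OUTLEN = 32                  # bytes of hash output
    RESEED_INTERVAL = 10_000     # policy choice, well under the standard's 2**48 limit

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: K = 0x00...00, V = 0x01...01, then absorb the seed material.
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self.HASH).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into the state (K, V).
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        # Fresh entropy refreshes the state and resets the reseed counter.
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        # The standard returns RESEED_REQUIRED here; raising forces the caller to reseed.
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        self._update(additional_input)   # state moves on; old outputs stay unrecoverable
        self.reseed_counter += 1
        return temp[:n_bytes]


# Constructed inputs for a reproducible demonstration (NOT real entropy).
DEMO_ENTROPY = bytes(range(32))
DEMO_NONCE = b"\xaa" * 16
```

Two instances built from the same entropy, nonce and personalization string produce identical streams, which is exactly why the entropy input must come from a properly assessed source rather than fixed values like these.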

In modern deployments, IT security teams often consider the balance between software-based DRBGs and hardware-assisted randomness. Hardware-based entropy sources can provide resilient seeds, while software DRBGs offer flexibility and portability. The combination of the two, when properly engineered, aims to reduce reliance on any single source of entropy and to minimize the risk of seed reuse or entropy depletion. In practice, many cryptographic modules that comply with SP 800-90A also align with FIPS 140-2 requirements for validated randomness sources and module integrity.

Security properties and implementation considerations

The security properties described in SP 800-90A center on unpredictability, forward security (knowledge gained later, such as a compromised internal state, should not expose earlier outputs; the standard calls this backtracking resistance), and resistance to state compromise extensions. Implementations are designed to ensure that an adversary who observes outputs or partial state cannot feasibly deduce future bits. The standard also details considerations for validation, testing, and evidence that can demonstrate conformance to the specified properties. In addition to the internal state management of DRBGs, attention is given to reseed intervals, entropy estimates, and the potential need for multiple reseed events within a given period.

From a policy standpoint, the right approach to cryptographic security often emphasizes risk management and vendor accountability. Advocates of standardized approaches argue that open, auditable standards like SP 800-90A promote interoperability, reduce the likelihood of insecure bespoke RNG implementations, and provide a framework for certified modules. Critics sometimes caution that overly prescriptive standards can slow innovation or create compliance overhead for smaller firms. Proponents of market-driven security contend that competition and user choice—paired with rigorous testing and transparent evaluation—tend to produce more robust outcomes over time, while acknowledging that any standard must be updated to keep pace with advances in cryptography and hardware design. In either view, the reliability of randomness remains a foundational concern for key generation, digital signatures, and secure communications.

See also