RNG using AES CTR as encryption algorithm

Matt Ball matthew.v.ball at gmail.com
Wed Sep 9 09:38:00 EDT 2009


On Tue, Sep 1, 2009 at 11:28 PM, priya yelgar wrote:
> I have implemented RNG using AES algorithm in CTR mode.
>
> To test my implementation I needed some test vectors.
>
> However I searched on the CSRC site, but found the test vectors for AES_CBC not for AES CTR.
>
> Please can anyone tell me where to look for the test vectors to test RNG using AES CTR.

The first thing that jumps out at me is that you're looking for a
nebulous "Random Number Generator" based on AES CTR mode (defined by
SP 800-38A), and this is cast in the context of NIST's CSRC website
(http://csrc.nist.gov/).  Referencing NIST implies that you're looking
for some kind of Algorithm Certificate or FIPS 140-2 certification for a
cryptographic module.  If this is true, then you cannot just use 'AES
CTR' to generate FIPS-approved random numbers.  Instead, you need to
use one of the approved RNG methods listed in FIPS 140-2 Annex C
"Approved Random Number Generators".  This includes several RNGs,
including AES and 3DES variants based on ANSI X9.31, and SP 800-90.
The closest thing to AES CTR is the CTR_DRBG defined in SP 800-90,
which uses AES CTR for the random number generation, but also handles
important things like distilling the initial entropy pool and periodic
re-keying.

Even if you're not intending to get FIPS 140-2 certification, I still
highly recommend finding a good standard describing a 'recipe' for
generating pseudo-random numbers, and follow the requirements for
that.  'RNG using AES in CTR mode' is much different than 'Encryption
using AES in CTR mode', and needs to be carefully handled accordingly.
It's really easy to get things wrong outside of the AES CTR portion
of the problem.  You need to worry about justifying a particular
entropy content of your true random source, which is then distilled
down to create your key and nonce for the AES CTR portion of the RNG.
This is not a task that is taken lightly.

My personal recommendation is to go with the CTR_DRBG as defined in SP
800-90.  You can easily find open source implementations of this
algorithm, so I'm not even sure if you need to spend time implementing
it.  To test it, I recommend going through the process of getting an
algorithm certificate from NIST.

Cheers!

Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717
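The reply above distinguishes "encryption with AES CTR" from the CTR_DRBG of SP 800-90, which wraps the same AES CTR core in an Update step (re-keying after every request), a reseed counter, and an explicit entropy-input interface. The following is an added example, written for this page and not code from the list post or from any project it names, of that SP 800-90 CTR_DRBG structure in Go using the standard library's crypto/aes. It assumes the AES-128 profile without a derivation function (so the entropy input must already be seedlen = 32 bytes of conditioned entropy), a deliberately small demo reseed interval, and a constructed constant "entropy" string so that the run is reproducible; the function names NewCtrDrbg, Reseed and Generate are this example's own. Checking an implementation like this against NIST's published CTR_DRBG test vectors for the same profile is the validation step the post points to.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

const (
	blockLen       = 16                // AES block length in bytes
	keyLen         = 16                // AES-128 key length in bytes
	seedLen        = blockLen + keyLen // seedlen for CTR_DRBG without a derivation function
	reseedInterval = 1 << 10           // assumed demo limit; SP 800-90A allows up to 2^48 requests
)

// CtrDrbg is the working state of an SP 800-90A CTR_DRBG on AES-128 (no derivation function).
type CtrDrbg struct {
	key, v        []byte // current AES key K and counter block V
	reseedCounter uint64 // Generate calls since the last (re)seed
}

// incrementV adds one to V modulo 2^128, treating V as a big-endian integer.
func incrementV(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// ctrBlocks advances V and encrypts it under key until n bytes of AES-CTR keystream exist.
func ctrBlocks(key, v []byte, n int) []byte {
	block, _ := aes.NewCipher(key) // key is always keyLen bytes here, so NewCipher cannot fail
	out, buf := make([]byte, 0, n+blockLen), make([]byte, blockLen)
	for len(out) < n {
		incrementV(v)
		block.Encrypt(buf, v)
		out = append(out, buf...)
	}
	return out[:n]
}

// update is CTR_DRBG_Update: seedlen keystream bytes XOR providedData become the new (K, V).
func (d *CtrDrbg) update(providedData []byte) {
	temp := ctrBlocks(d.key, d.v, seedLen)
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	d.key, d.v = temp[:keyLen:keyLen], temp[keyLen:]
}

// NewCtrDrbg is CTR_DRBG_Instantiate: K = V = 0, then seed. Distilling the entropy input
// from a noise source is a separate step that happens before this function is called.
func NewCtrDrbg(entropy, personalization []byte) (*CtrDrbg, error) {
	d := &CtrDrbg{key: make([]byte, keyLen), v: make([]byte, blockLen)}
	return d, d.Reseed(entropy, personalization) // d is unusable if err != nil
}

// Reseed is CTR_DRBG_Reseed: fold fresh entropy XOR optional additional input into (K, V).
func (d *CtrDrbg) Reseed(entropy, additional []byte) error {
	if len(entropy) != seedLen || len(additional) > seedLen {
		return fmt.Errorf("need exactly %d entropy bytes and at most %d additional bytes", seedLen, seedLen)
	}
	seed := make([]byte, seedLen) // additional input zero-padded to seedlen (no df variant)
	copy(seed, additional)
	for i := range seed {
		seed[i] ^= entropy[i]
	}
	d.update(seed)
	d.reseedCounter = 1
	return nil
}

// Generate is CTR_DRBG_Generate: enforce the reseed interval, mix in additional input,
// emit n keystream bytes, then re-key so earlier output cannot be recovered from the state.
func (d *CtrDrbg) Generate(n int, additional []byte) ([]byte, error) {
	if d.reseedCounter > reseedInterval {
		return nil, fmt.Errorf("reseed required after %d requests", reseedInterval)
	}
	if len(additional) > seedLen {
		return nil, fmt.Errorf("additional input exceeds seedlen %d", seedLen)
	}
	add := make([]byte, seedLen)
	copy(add, additional)
	if len(additional) > 0 {
		d.update(add)
	}
	out := ctrBlocks(d.key, d.v, n)
	d.update(add)
	d.reseedCounter++
	return out, nil
}

func main() {
	// Constructed, fixed "entropy" keeps the demo reproducible; a real DRBG seeds from an
	// assessed entropy source, never from a constant.
	d, err := NewCtrDrbg([]byte("constructed-32-byte-entropy-demo"), []byte("demo personalization"))
	if err != nil {
		panic(err)
	}
	out, _ := d.Generate(32, nil)
	fmt.Printf("%x\n", out)
}
```

The parts that are absent from a plain "AES CTR keystream" RNG are exactly the ones the reply calls out: Generate refuses to run once the reseed counter passes the interval, every call ends with an Update that replaces both K and V, and the entropy input is a separate, fixed-size interface rather than "whatever seeded the counter".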

---------------------------------------------------------------------
The Cryptography Mailing List