Botan  1.11.4
Public Member Functions | Static Public Member Functions | List of all members
Botan::HMAC_RNG Class Reference

#include <hmac_rng.h>

Inheritance diagram for Botan::HMAC_RNG:
Botan::RandomNumberGenerator

Public Member Functions

void add_entropy (const byte[], size_t)
 
void add_entropy_source (EntropySource *es)
 
void clear ()
 
 HMAC_RNG (MessageAuthenticationCode *extractor, MessageAuthenticationCode *prf)
 
bool is_seeded () const
 
std::string name () const
 
byte next_byte ()
 
secure_vector< byterandom_vec (size_t bytes)
 
void randomize (byte buf[], size_t len)
 
void reseed (size_t poll_bits)
 
 ~HMAC_RNG ()
 

Static Public Member Functions

static RandomNumberGeneratormake_rng ()
 

Detailed Description

HMAC_RNG - based on the design described in "On Extract-then-Expand Key Derivation Functions and an HMAC-based KDF" by Hugo Krawczyk (henceforce, 'E-t-E')

However it actually can be parameterized with any two MAC functions, not restricted to HMAC (this variation is also described in Krawczyk's paper), for instance one could use HMAC(SHA-512) as the extractor and CMAC(AES-256) as the PRF.

Definition at line 27 of file hmac_rng.h.

Constructor & Destructor Documentation

Botan::HMAC_RNG::HMAC_RNG ( MessageAuthenticationCode extractor,
MessageAuthenticationCode prf 
)
Parameters
extractora MAC used for extracting the entropy
prfa MAC used as a PRF using HKDF construction

Definition at line 165 of file hmac_rng.cpp.

References Botan::MessageAuthenticationCode::name(), Botan::Buffered_Computation::output_length(), Botan::SymmetricAlgorithm::set_key(), and Botan::SymmetricAlgorithm::valid_keylength().

167  :
168  extractor(extractor_mac), prf(prf_mac)
169  {
170  if(!prf->valid_keylength(extractor->output_length()) ||
171  !extractor->valid_keylength(prf->output_length()))
172  throw Invalid_Argument("HMAC_RNG: Bad algo combination " +
173  extractor->name() + " and " +
174  prf->name());
175 
176  // First PRF inputs are all zero, as specified in section 2
177  K.resize(prf->output_length());
178 
179  counter = 0;
180  seeded = false;
181 
182  /*
183  Normally we want to feedback PRF output into the input to the
184  extractor function to ensure a single bad poll does not damage the
185  RNG, but obviously that is meaningless to do on the first poll.
186 
187  We will want to use the PRF before we set the first key (in
188  reseed), and it is a pain to keep track if it is set or
189  not. Since the first time it doesn't matter anyway, just set the
190  PRF key to constant zero: randomize() will not produce output
191  unless is_seeded() returns true, and that will only be the case if
192  the estimated entropy counter is high enough. That variable is only
193  set when a reseeding is performed.
194  */
195  secure_vector<byte> prf_key(extractor->output_length());
196  prf->set_key(prf_key);
197 
198  /*
199  Use PRF("Botan HMAC_RNG XTS") as the intitial XTS key.
200 
201  This will be used during the first extraction sequence; XTS values
202  after this one are generated using the PRF.
203 
204  If I understand the E-t-E paper correctly (specifically Section 4),
205  using this fixed extractor key is safe to do.
206  */
207  extractor->set_key(prf->process("Botan HMAC_RNG XTS"));
}
Botan::HMAC_RNG::~HMAC_RNG ( )

Definition at line 212 of file hmac_rng.cpp.

213  {
214  delete extractor;
215  delete prf;
216 
217  for(auto src : entropy_sources)
218  delete src;
219 
220  counter = 0;
221  }

Member Function Documentation

void Botan::HMAC_RNG::add_entropy ( const byte  in[],
size_t  length 
)
virtual

Add entropy to this RNG.

Parameters
ina byte array containg the entropy to be added
lengththe length of the byte array in

Implements Botan::RandomNumberGenerator.

Definition at line 124 of file hmac_rng.cpp.

References Botan::Buffered_Computation::update().

125  {
126  /*
127  * Simply include the data in the extractor input. During the
128  * next periodic reseed, the input will be incorporated into
129  * the state.
130  */
131  extractor->update(input, length);
132  }
void Botan::HMAC_RNG::add_entropy_source ( EntropySource source)
virtual

Add this entropy source to the RNG object

Parameters
sourcethe entropy source which will be retained and used by RNG

Implements Botan::RandomNumberGenerator.

Definition at line 137 of file hmac_rng.cpp.

138  {
139  entropy_sources.push_back(src);
140  }
void Botan::HMAC_RNG::clear ( )
virtual

Clear all internally held values of this RNG.

Implements Botan::RandomNumberGenerator.

Definition at line 145 of file hmac_rng.cpp.

References Botan::Algorithm::clear(), and Botan::zeroise().

146  {
147  extractor->clear();
148  prf->clear();
149  zeroise(K);
150  counter = 0;
151  seeded = false;
152  }
bool Botan::HMAC_RNG::is_seeded ( ) const
inlinevirtual

Check whether this RNG is seeded.

Returns
true if this RNG was already seeded, false otherwise.

Reimplemented from Botan::RandomNumberGenerator.

Definition at line 31 of file hmac_rng.h.

Referenced by randomize().

31 { return seeded; }
RandomNumberGenerator * Botan::RandomNumberGenerator::make_rng ( )
staticinherited

Create a seeded and active RNG object for general application use

Definition at line 29 of file rng.cpp.

30  {
31 #if defined(BOTAN_HAS_AUTO_SEEDING_RNG)
32  return new AutoSeeded_RNG;
33 #endif
34 
35  throw Algorithm_Not_Found("RandomNumberGenerator::make_rng - no RNG found");
36  }
std::string Botan::HMAC_RNG::name ( ) const
virtual

Return the name of this object

Implements Botan::RandomNumberGenerator.

Definition at line 157 of file hmac_rng.cpp.

References Botan::MessageAuthenticationCode::name().

Referenced by randomize().

158  {
159  return "HMAC_RNG(" + extractor->name() + "," + prf->name() + ")";
160  }
byte Botan::RandomNumberGenerator::next_byte ( )
inherited

Return a random byte

Returns
random byte

Definition at line 19 of file rng.cpp.

References Botan::RandomNumberGenerator::randomize().

Referenced by Botan::random_prime().

20  {
21  byte out;
22  this->randomize(&out, 1);
23  return out;
24  }
secure_vector<byte> Botan::RandomNumberGenerator::random_vec ( size_t  bytes)
inlineinherited

Return a random vector

Parameters
bytesnumber of bytes in the result
Returns
randomized vector of length bytes

Definition at line 40 of file rng.h.

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::CryptoBox::encrypt(), Botan::KeyPair::encryption_consistency_check(), Botan::generate_bcrypt(), Botan::OctetString::OctetString(), Botan::BigInt::randomize(), Botan::TLS::Session_Manager_SQLite::Session_Manager_SQLite(), and Botan::KeyPair::signature_consistency_check().

41  {
42  secure_vector<byte> output(bytes);
43  randomize(&output[0], output.size());
44  return output;
45  }
void Botan::HMAC_RNG::randomize ( byte  output[],
size_t  length 
)
virtual

Randomize a byte array.

Parameters
outputthe byte array to hold the random output.
lengththe length of the byte array output.

Implements Botan::RandomNumberGenerator.

Definition at line 35 of file hmac_rng.cpp.

References Botan::copy_mem(), is_seeded(), name(), and reseed().

36  {
37  if(!is_seeded())
38  throw PRNG_Unseeded(name());
39 
40  /*
41  HMAC KDF as described in E-t-E, using a CTXinfo of "rng"
42  */
43  while(length)
44  {
45  hmac_prf(prf, K, counter, "rng");
46 
47  const size_t copied = std::min<size_t>(K.size() / 2, length);
48 
49  copy_mem(out, &K[0], copied);
50  out += copied;
51  length -= copied;
52 
53  if(counter % 1024 == 0)
54  reseed(128);
55  }
56  }
void Botan::HMAC_RNG::reseed ( size_t  bits_to_collect)
virtual

Seed this RNG using the entropy sources it contains.

Parameters
bits_to_collectis the number of bits of entropy to attempt to gather from the entropy sources

Implements Botan::RandomNumberGenerator.

Definition at line 61 of file hmac_rng.cpp.

References Botan::Entropy_Accumulator::bits_collected(), Botan::Buffered_Computation::final(), Botan::Entropy_Accumulator::polling_goal_achieved(), Botan::SymmetricAlgorithm::set_key(), Botan::Buffered_Computation::update(), and Botan::zeroise().

Referenced by randomize().

62  {
63  /*
64  Using the terminology of E-t-E, XTR is the MAC function (normally
65  HMAC) seeded with XTS (below) and we form SKM, the key material, by
66  polling as many sources as we think needed to reach our polling
67  goal. We then also include feedback of the current PRK so that
68  a bad poll doesn't wipe us out.
69  */
70 
71  Entropy_Accumulator_BufferedComputation accum(*extractor, poll_bits);
72 
73  if(!entropy_sources.empty())
74  {
75  size_t poll_attempt = 0;
76 
77  while(!accum.polling_goal_achieved() && poll_attempt < poll_bits)
78  {
79  const size_t src_idx = poll_attempt % entropy_sources.size();
80  entropy_sources[src_idx]->poll(accum);
81  ++poll_attempt;
82  }
83  }
84 
85  /*
86  * It is necessary to feed forward poll data. Otherwise, a good poll
87  * (collecting a large amount of conditional entropy) followed by a
88  * bad one (collecting little) would be unsafe. Do this by
89  * generating new PRF outputs using the previous key and feeding
90  * them into the extractor function.
91  *
92  * Cycle the RNG once (CTXinfo="rng"), then generate a new PRF
93  * output using the CTXinfo "reseed". Provide these values as input
94  * to the extractor function.
95  */
96  hmac_prf(prf, K, counter, "rng");
97  extractor->update(K); // K is the CTXinfo=rng PRF output
98 
99  hmac_prf(prf, K, counter, "reseed");
100  extractor->update(K); // K is the CTXinfo=reseed PRF output
101 
102  /* Now derive the new PRK using everything that has been fed into
103  the extractor, and set the PRF key to that */
104  prf->set_key(extractor->final());
105 
106  // Now generate a new PRF output to use as the XTS extractor salt
107  hmac_prf(prf, K, counter, "xts");
108  extractor->set_key(K);
109 
110  // Reset state
111  zeroise(K);
112 
113  /*
114  * Consider ourselves seeded once we've collected an estimated 128 bits of
115  * entropy in a single poll.
116  */
117  if(seeded == false && accum.bits_collected() >= 128)
118  seeded = true;
119  }
The documentation for this class was generated from the following files:
Generated on Wed May 1 2013 08:42:20 for Botan by   doxygen 1.8.3.1