Is the default strength of DRBG in 3.0 FIPS provider - 1024 or 256 bits?

[visweshn92]

Assuming we build the OpenSSL3 FIPS provider with the default seeding option (i.e. OS seeding), what is the value of DRBG strength?

The code appears to pick 1024 bits (from 81aef6b of @paulidale

providers/implementations/rands/seed_src.c

static int seed_src_get_ctx_params(void *vseed, OSSL_PARAM params[])
{
    PROV_SEED_SRC *s = (PROV_SEED_SRC *)vseed;
    OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STATE);
    if (p != NULL && !OSSL_PARAM_set_int(p, s->state))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_STRENGTH);
    if (p != NULL && !OSSL_PARAM_set_int(p, 1024))          ====================> HERE
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_RAND_PARAM_MAX_REQUEST);
    if (p != NULL && !OSSL_PARAM_set_size_t(p, 128))
        return 0;
    return 1;
}

But the documentation appears to state 256 bits.

https://www.openssl.org/docs/man3.0/man1/openssl-rand.html

The random bytes are generated using the [RAND_bytes(3)](https://www.openssl.org/docs/man3.0/man3/RAND_bytes.html) function, which provides a security level of 256 bits,

https://www.openssl.org/docs/man3.0/man3/RAND_bytes.html

By default, the OpenSSL CSPRNG supports a security level of 256 bits, provided it was able to seed itself from a trusted entropy source. On all major platforms supported by OpenSSL (including the Unix-like platforms and Windows), OpenSSL is configured to automatically seed the CSPRNG on first use using the operating systems's random generator.

Can anyone confirm the documentation (or) point me to the correct code logic?

[t8m]

The code above provides strength of the seed source, not the DRBG itself. The number 1024 is arbitrary to not limit the strength of the whole chain. The default DRBG type fetched is the AES-256-CTR DRBG which should provide strength of 256 bits. The resulting strength of the whole chain should be the minimum of all the strengths of RBGs in the chain which is 256 bits.

[t8m]

BTW the seed source is outside the FIPS module boundary. The FIPS provider depends on external seeding for its DRBG.

[t8m]

On the next line of the code you see that the seed length - that is what is fetched from OS - is keylen + 16 = 32 + 16 = 48 bytes.

[visweshn92]

Thank you for the pointer on where exactly the strength is set and also for drbg->seedlen = keylen + 16; explains the 48 bytes (i.e. 32 + 16) fetch from OS.

Somehow the int values in seed_src.c misled me to think that is what dictates about seed sources (which by default OpenSSL picks OS entropy).

[paulidale]

SP 800-90Ar1 section 9.1 indicates that it is okay to increase the entropy required by 50% and not have a separate nonce. We do this from memory:

openssl/providers/implementations/rands/drbg.c

Lines 413 to 422 in 6042189

	/*
	* NIST SP800-90Ar1 section 9.1 says you can combine getting
	* the entropy and nonce in 1 call by increasing the entropy
	* with 50% and increasing the minimum length to accommodate
	* the length of the nonce. We do this in case a nonce is
	* required and there is no parental nonce capability.
	*/
	min_entropy += drbg->strength / 2;
	min_entropylen += drbg->min_noncelen;
	max_entropylen += drbg->max_noncelen;

The best way to check would be to strace and see how much is read.

[harshbhavsar30]

As Key Length is 32, we receive 32+16=48 as minimum entropy length. I need to change minimum entropy length.
Is it possible to set minimum and maximum entropy length for DRBG context? If Yes, please share the possible way to accomplish it.

[paulidale]

It's not, the amount of entropy required is defined by the standards.
The extra 16 bytes are for the nonce as mentioned.