Techniques to add known security strength to the RNG process

1. Use the Intel(R) DRNG hardware-generated source of random seeds

If available on your system, calling the Intel(R) DRNG functions retrieves a hardware-generated random seed value which is added to our SP800-90A-compliant DRGB. This is carried out automatically whenever any RNG function is called from our Toolkit. Even if an attacker can monitor the output from the Intel(R) DRNG calls, they cannot predict the output from our RNG functions. If not available, then it is ignored.

2. Use a seed file

Using a seedfile restores the entropy created during an earlier session and avoids any issues at startup of insufficient entropy in the pools. Use the RNG_Initialize function to specify a seedfile with a known minimum amount of entropy to initialise the PRNG. This seed file is updated automatically when used. You should call the RNG_UpdateSeedFile from time to time in your application to save any existing entropy, and use RNG_MakeSeedFile to create a new one. The security of this method is as good as the security you have over the seed file. If an attacker controls the seed file, it does not mean they control the random output data; it just means that using a seedfile does not increase the security strength of the PRNG.

3. Make the user enter random keystrokes

Use the RNG_BytesWithPrompt function when generating random data to force the user to generate entropy using random keystrokes and mouse movements. RNG_MakeSeedFile also uses such a prompt. This works provided you know the user's keyboard strokes and mouse movements are secure (e.g. are not being transmitted over a network).

4. Add your own entropy

If you have your own independent source of entropy (perhaps by monitoring the output of a radioactive isotope :-), add this "additional input" to the RNG process as a "seed" when using the RNG_KeyBytes function. If you assume zero security strength for the internally-generated entropy and you add input with, say, 128 bits of security strength, then the output from the RNG will have at least 128 bits of security strength.