PolarSSL v1.3.7
ctr_drbg.c
Go to the documentation of this file.
1 /*
2  * CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The NIST SP 800-90 DRBGs are described in the following publucation.
27  *
28  * http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
29  */
30 
31 #if !defined(POLARSSL_CONFIG_FILE)
32 #include "polarssl/config.h"
33 #else
34 #include POLARSSL_CONFIG_FILE
35 #endif
36 
37 #if defined(POLARSSL_CTR_DRBG_C)
38 
39 #include "polarssl/ctr_drbg.h"
40 
41 #if defined(POLARSSL_FS_IO)
42 #include <stdio.h>
43 #endif
44 
45 #if defined(POLARSSL_PLATFORM_C)
46 #include "polarssl/platform.h"
47 #else
48 #define polarssl_printf printf
49 #endif
50 
51 /*
52  * Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
53  * tests to succeed (which require known length fixed entropy)
54  */
56  ctr_drbg_context *ctx,
57  int (*f_entropy)(void *, unsigned char *, size_t),
58  void *p_entropy,
59  const unsigned char *custom,
60  size_t len,
61  size_t entropy_len )
62 {
63  int ret;
64  unsigned char key[CTR_DRBG_KEYSIZE];
65 
66  memset( ctx, 0, sizeof(ctr_drbg_context) );
67  memset( key, 0, CTR_DRBG_KEYSIZE );
68 
69  ctx->f_entropy = f_entropy;
70  ctx->p_entropy = p_entropy;
71 
72  ctx->entropy_len = entropy_len;
74 
75  /*
76  * Initialize with an empty key
77  */
79 
80  if( ( ret = ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
81  return( ret );
82 
83  return( 0 );
84 }
85 
87  int (*f_entropy)(void *, unsigned char *, size_t),
88  void *p_entropy,
89  const unsigned char *custom,
90  size_t len )
91 {
92  return( ctr_drbg_init_entropy_len( ctx, f_entropy, p_entropy, custom, len,
94 }
95 
96 void ctr_drbg_set_prediction_resistance( ctr_drbg_context *ctx, int resistance )
97 {
98  ctx->prediction_resistance = resistance;
99 }
100 
101 void ctr_drbg_set_entropy_len( ctr_drbg_context *ctx, size_t len )
102 {
103  ctx->entropy_len = len;
104 }
105 
106 void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx, int interval )
107 {
108  ctx->reseed_interval = interval;
109 }
110 
111 static int block_cipher_df( unsigned char *output,
112  const unsigned char *data, size_t data_len )
113 {
114  unsigned char buf[CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16];
115  unsigned char tmp[CTR_DRBG_SEEDLEN];
116  unsigned char key[CTR_DRBG_KEYSIZE];
117  unsigned char chain[CTR_DRBG_BLOCKSIZE];
118  unsigned char *p, *iv;
119  aes_context aes_ctx;
120 
121  int i, j;
122  size_t buf_len, use_len;
123 
124  memset( buf, 0, CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16 );
125 
126  /*
127  * Construct IV (16 bytes) and S in buffer
128  * IV = Counter (in 32-bits) padded to 16 with zeroes
129  * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
130  * data || 0x80
131  * (Total is padded to a multiple of 16-bytes with zeroes)
132  */
133  p = buf + CTR_DRBG_BLOCKSIZE;
134  *p++ = ( data_len >> 24 ) & 0xff;
135  *p++ = ( data_len >> 16 ) & 0xff;
136  *p++ = ( data_len >> 8 ) & 0xff;
137  *p++ = ( data_len ) & 0xff;
138  p += 3;
139  *p++ = CTR_DRBG_SEEDLEN;
140  memcpy( p, data, data_len );
141  p[data_len] = 0x80;
142 
143  buf_len = CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
144 
145  for( i = 0; i < CTR_DRBG_KEYSIZE; i++ )
146  key[i] = i;
147 
148  aes_setkey_enc( &aes_ctx, key, CTR_DRBG_KEYBITS );
149 
150  /*
151  * Reduce data to POLARSSL_CTR_DRBG_SEEDLEN bytes of data
152  */
153  for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
154  {
155  p = buf;
156  memset( chain, 0, CTR_DRBG_BLOCKSIZE );
157  use_len = buf_len;
158 
159  while( use_len > 0 )
160  {
161  for( i = 0; i < CTR_DRBG_BLOCKSIZE; i++ )
162  chain[i] ^= p[i];
163  p += CTR_DRBG_BLOCKSIZE;
164  use_len -= ( use_len >= CTR_DRBG_BLOCKSIZE ) ?
165  CTR_DRBG_BLOCKSIZE : use_len;
166 
167  aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, chain, chain );
168  }
169 
170  memcpy( tmp + j, chain, CTR_DRBG_BLOCKSIZE );
171 
172  /*
173  * Update IV
174  */
175  buf[3]++;
176  }
177 
178  /*
179  * Do final encryption with reduced data
180  */
181  aes_setkey_enc( &aes_ctx, tmp, CTR_DRBG_KEYBITS );
182  iv = tmp + CTR_DRBG_KEYSIZE;
183  p = output;
184 
185  for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
186  {
187  aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, iv, iv );
188  memcpy( p, iv, CTR_DRBG_BLOCKSIZE );
189  p += CTR_DRBG_BLOCKSIZE;
190  }
191 
192  return( 0 );
193 }
194 
195 static int ctr_drbg_update_internal( ctr_drbg_context *ctx,
196  const unsigned char data[CTR_DRBG_SEEDLEN] )
197 {
198  unsigned char tmp[CTR_DRBG_SEEDLEN];
199  unsigned char *p = tmp;
200  int i, j;
201 
202  memset( tmp, 0, CTR_DRBG_SEEDLEN );
203 
204  for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
205  {
206  /*
207  * Increase counter
208  */
209  for( i = CTR_DRBG_BLOCKSIZE; i > 0; i-- )
210  if( ++ctx->counter[i - 1] != 0 )
211  break;
212 
213  /*
214  * Crypt counter block
215  */
216  aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, p );
217 
218  p += CTR_DRBG_BLOCKSIZE;
219  }
220 
221  for( i = 0; i < CTR_DRBG_SEEDLEN; i++ )
222  tmp[i] ^= data[i];
223 
224  /*
225  * Update key and counter
226  */
227  aes_setkey_enc( &ctx->aes_ctx, tmp, CTR_DRBG_KEYBITS );
228  memcpy( ctx->counter, tmp + CTR_DRBG_KEYSIZE, CTR_DRBG_BLOCKSIZE );
229 
230  return( 0 );
231 }
232 
234  const unsigned char *additional, size_t add_len )
235 {
236  unsigned char add_input[CTR_DRBG_SEEDLEN];
237 
238  if( add_len > 0 )
239  {
240  block_cipher_df( add_input, additional, add_len );
241  ctr_drbg_update_internal( ctx, add_input );
242  }
243 }
244 
246  const unsigned char *additional, size_t len )
247 {
248  unsigned char seed[CTR_DRBG_MAX_SEED_INPUT];
249  size_t seedlen = 0;
250 
251  if( ctx->entropy_len + len > CTR_DRBG_MAX_SEED_INPUT )
253 
254  memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT );
255 
256  /*
257  * Gather entropy_len bytes of entropy to seed state
258  */
259  if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
260  ctx->entropy_len ) )
261  {
263  }
264 
265  seedlen += ctx->entropy_len;
266 
267  /*
268  * Add additional data
269  */
270  if( additional && len )
271  {
272  memcpy( seed + seedlen, additional, len );
273  seedlen += len;
274  }
275 
276  /*
277  * Reduce to 384 bits
278  */
279  block_cipher_df( seed, seed, seedlen );
280 
281  /*
282  * Update state
283  */
284  ctr_drbg_update_internal( ctx, seed );
285  ctx->reseed_counter = 1;
286 
287  return( 0 );
288 }
289 
290 int ctr_drbg_random_with_add( void *p_rng,
291  unsigned char *output, size_t output_len,
292  const unsigned char *additional, size_t add_len )
293 {
294  int ret = 0;
295  ctr_drbg_context *ctx = (ctr_drbg_context *) p_rng;
296  unsigned char add_input[CTR_DRBG_SEEDLEN];
297  unsigned char *p = output;
298  unsigned char tmp[CTR_DRBG_BLOCKSIZE];
299  int i;
300  size_t use_len;
301 
302  if( output_len > CTR_DRBG_MAX_REQUEST )
304 
305  if( add_len > CTR_DRBG_MAX_INPUT )
307 
308  memset( add_input, 0, CTR_DRBG_SEEDLEN );
309 
310  if( ctx->reseed_counter > ctx->reseed_interval ||
311  ctx->prediction_resistance )
312  {
313  if( ( ret = ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
314  return( ret );
315 
316  add_len = 0;
317  }
318 
319  if( add_len > 0 )
320  {
321  block_cipher_df( add_input, additional, add_len );
322  ctr_drbg_update_internal( ctx, add_input );
323  }
324 
325  while( output_len > 0 )
326  {
327  /*
328  * Increase counter
329  */
330  for( i = CTR_DRBG_BLOCKSIZE; i > 0; i-- )
331  if( ++ctx->counter[i - 1] != 0 )
332  break;
333 
334  /*
335  * Crypt counter block
336  */
337  aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, tmp );
338 
339  use_len = (output_len > CTR_DRBG_BLOCKSIZE ) ? CTR_DRBG_BLOCKSIZE :
340  output_len;
341  /*
342  * Copy random block to destination
343  */
344  memcpy( p, tmp, use_len );
345  p += use_len;
346  output_len -= use_len;
347  }
348 
349  ctr_drbg_update_internal( ctx, add_input );
350 
351  ctx->reseed_counter++;
352 
353  return( 0 );
354 }
355 
356 int ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
357 {
358  return ctr_drbg_random_with_add( p_rng, output, output_len, NULL, 0 );
359 }
360 
361 #if defined(POLARSSL_FS_IO)
362 int ctr_drbg_write_seed_file( ctr_drbg_context *ctx, const char *path )
363 {
365  FILE *f;
366  unsigned char buf[ CTR_DRBG_MAX_INPUT ];
367 
368  if( ( f = fopen( path, "wb" ) ) == NULL )
370 
371  if( ( ret = ctr_drbg_random( ctx, buf, CTR_DRBG_MAX_INPUT ) ) != 0 )
372  goto exit;
373 
374  if( fwrite( buf, 1, CTR_DRBG_MAX_INPUT, f ) != CTR_DRBG_MAX_INPUT )
375  {
377  goto exit;
378  }
379 
380  ret = 0;
381 
382 exit:
383  fclose( f );
384  return( ret );
385 }
386 
387 int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path )
388 {
389  FILE *f;
390  size_t n;
391  unsigned char buf[ CTR_DRBG_MAX_INPUT ];
392 
393  if( ( f = fopen( path, "rb" ) ) == NULL )
395 
396  fseek( f, 0, SEEK_END );
397  n = (size_t) ftell( f );
398  fseek( f, 0, SEEK_SET );
399 
400  if( n > CTR_DRBG_MAX_INPUT )
401  {
402  fclose( f );
404  }
405 
406  if( fread( buf, 1, n, f ) != n )
407  {
408  fclose( f );
410  }
411 
412  fclose( f );
413 
414  ctr_drbg_update( ctx, buf, n );
415 
416  return( ctr_drbg_write_seed_file( ctx, path ) );
417 }
418 #endif /* POLARSSL_FS_IO */
419 
420 #if defined(POLARSSL_SELF_TEST)
421 
422 #include <stdio.h>
423 
424 static unsigned char entropy_source_pr[96] =
425  { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
426  0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
427  0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
428  0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
429  0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
430  0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
431  0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
432  0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
433  0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
434  0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
435  0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
436  0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
437 
438 static unsigned char entropy_source_nopr[64] =
439  { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
440  0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
441  0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
442  0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
443  0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
444  0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
445  0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
446  0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
447 
448 static const unsigned char nonce_pers_pr[16] =
449  { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
450  0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
451 
452 static const unsigned char nonce_pers_nopr[16] =
453  { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
454  0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
455 
456 static const unsigned char result_pr[16] =
457  { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
458  0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
459 
460 static const unsigned char result_nopr[16] =
461  { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
462  0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
463 
464 static size_t test_offset;
465 static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
466  size_t len )
467 {
468  const unsigned char *p = data;
469  memcpy( buf, p + test_offset, len );
470  test_offset += len;
471  return( 0 );
472 }
473 
474 #define CHK( c ) if( (c) != 0 ) \
475  { \
476  if( verbose != 0 ) \
477  polarssl_printf( "failed\n" ); \
478  return( 1 ); \
479  }
480 
481 /*
482  * Checkup routine
483  */
484 int ctr_drbg_self_test( int verbose )
485 {
486  ctr_drbg_context ctx;
487  unsigned char buf[16];
488 
489  /*
490  * Based on a NIST CTR_DRBG test vector (PR = True)
491  */
492  if( verbose != 0 )
493  polarssl_printf( " CTR_DRBG (PR = TRUE) : " );
494 
495  test_offset = 0;
496  CHK( ctr_drbg_init_entropy_len( &ctx, ctr_drbg_self_test_entropy,
497  entropy_source_pr, nonce_pers_pr, 16, 32 ) );
499  CHK( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) );
500  CHK( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) );
501  CHK( memcmp( buf, result_pr, CTR_DRBG_BLOCKSIZE ) );
502 
503  if( verbose != 0 )
504  polarssl_printf( "passed\n" );
505 
506  /*
507  * Based on a NIST CTR_DRBG test vector (PR = FALSE)
508  */
509  if( verbose != 0 )
510  polarssl_printf( " CTR_DRBG (PR = FALSE): " );
511 
512  test_offset = 0;
513  CHK( ctr_drbg_init_entropy_len( &ctx, ctr_drbg_self_test_entropy,
514  entropy_source_nopr, nonce_pers_nopr, 16, 32 ) );
515  CHK( ctr_drbg_random( &ctx, buf, 16 ) );
516  CHK( ctr_drbg_reseed( &ctx, NULL, 0 ) );
517  CHK( ctr_drbg_random( &ctx, buf, 16 ) );
518  CHK( memcmp( buf, result_nopr, 16 ) );
519 
520  if( verbose != 0 )
521  polarssl_printf( "passed\n" );
522 
523  if( verbose != 0 )
524  polarssl_printf( "\n" );
525 
526  return( 0 );
527 }
528 #endif /* POLARSSL_SELF_TEST */
529 
530 #endif /* POLARSSL_CTR_DRBG_C */
#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
The entropy source failed.
Definition: ctr_drbg.h:34
int ctr_drbg_random(void *p_rng, unsigned char *output, size_t output_len)
CTR_DRBG generate random.
void ctr_drbg_set_prediction_resistance(ctr_drbg_context *ctx, int resistance)
Enable / disable prediction resistance (Default: Off)
#define CTR_DRBG_PR_ON
Prediction resistance enabled.
Definition: ctr_drbg.h:80
#define CTR_DRBG_MAX_INPUT
Maximum number of additional input bytes.
Definition: ctr_drbg.h:66
#define CTR_DRBG_MAX_SEED_INPUT
Maximum size of (re)seed buffer.
Definition: ctr_drbg.h:74
#define CTR_DRBG_RESEED_INTERVAL
Interval before reseed is performed by default.
Definition: ctr_drbg.h:62
int reseed_counter
Definition: ctr_drbg.h:92
AES context structure.
Definition: aes.h:68
Configuration options (set of defines)
PolarSSL Platform abstraction layer.
int ctr_drbg_init_entropy_len(ctr_drbg_context *, int(*)(void *, unsigned char *, size_t), void *, const unsigned char *, size_t, size_t)
#define CTR_DRBG_KEYSIZE
Key size used by the cipher.
Definition: ctr_drbg.h:40
#define CTR_DRBG_BLOCKSIZE
Block size used by the cipher.
Definition: ctr_drbg.h:39
#define CTR_DRBG_ENTROPY_LEN
Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256)
Definition: ctr_drbg.h:55
int prediction_resistance
Definition: ctr_drbg.h:93
#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG
Too many random requested in single call.
Definition: ctr_drbg.h:35
int ctr_drbg_random_with_add(void *p_rng, unsigned char *output, size_t output_len, const unsigned char *additional, size_t add_len)
CTR_DRBG generate random with additional update input.
size_t entropy_len
Definition: ctr_drbg.h:95
#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR
Read/write error in file.
Definition: ctr_drbg.h:37
unsigned char counter[16]
Definition: ctr_drbg.h:91
int ctr_drbg_reseed(ctr_drbg_context *ctx, const unsigned char *additional, size_t len)
CTR_DRBG reseeding (extracts data from entropy source)
int reseed_interval
Definition: ctr_drbg.h:97
#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG
Input too large (Entropy + additional).
Definition: ctr_drbg.h:36
#define AES_ENCRYPT
Definition: aes.h:46
CTR_DRBG context structure.
Definition: ctr_drbg.h:89
#define CTR_DRBG_KEYBITS
Definition: ctr_drbg.h:41
void * p_entropy
Definition: ctr_drbg.h:106
#define CTR_DRBG_SEEDLEN
The seed length (counter + AES key)
Definition: ctr_drbg.h:42
void ctr_drbg_set_reseed_interval(ctr_drbg_context *ctx, int interval)
Set the reseed interval (Default: CTR_DRBG_RESEED_INTERVAL)
int ctr_drbg_update_seed_file(ctr_drbg_context *ctx, const char *path)
Read and update a seed file.
#define polarssl_printf
Definition: platform.h:109
void ctr_drbg_set_entropy_len(ctr_drbg_context *ctx, size_t len)
Set the amount of entropy grabbed on each (re)seed (Default: CTR_DRBG_ENTROPY_LEN) ...
int ctr_drbg_self_test(int verbose)
Checkup routine.
int ctr_drbg_init(ctr_drbg_context *ctx, int(*f_entropy)(void *, unsigned char *, size_t), void *p_entropy, const unsigned char *custom, size_t len)
CTR_DRBG initialization.
aes_context aes_ctx
Definition: ctr_drbg.h:99
int(* f_entropy)(void *, unsigned char *, size_t)
Definition: ctr_drbg.h:104
int ctr_drbg_write_seed_file(ctr_drbg_context *ctx, const char *path)
Write a seed file.
#define CTR_DRBG_MAX_REQUEST
Maximum number of requested bytes per call.
Definition: ctr_drbg.h:70
void ctr_drbg_update(ctr_drbg_context *ctx, const unsigned char *additional, size_t add_len)
CTR_DRBG update state.
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
int aes_crypt_ecb(aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16])
AES-ECB block encryption/decryption.
CTR_DRBG based on AES-256 (NIST SP 800-90)