Secure Password Generator Based on Pseudo Random Number Generator (PRNG)

Table of Contents

1. Introduction

This research addresses the persistent issue of password leaks and the resulting risk of personal data exposure. While website security is a factor, the inherent strength of the password itself is paramount. Common vulnerabilities include passwords based on keywords, popular phrases, user information, and password reuse. The rise of AI and large language models further empowers attackers to guess passwords more effectively.

In response, this paper proposes a secure password generator built upon a secure Pseudo Random Number Generator (PRNG). The core PRNG is constructed using cryptographic primitives like HMAC, CMAC, or KMAC to generate high-quality random numbers, which are then used to create passwords. The system allows optional user input (To-Be-Hashed Message, TBHM) to seed the process. The main contributions are:

• Construction of secure PRNGs based on HMAC, CMAC, and KMAC.
• Security analysis of generated passwords under different character sets and lengths, comparing their strength to AES-128 and AES-256.
• Empirical validation of randomness using NIST SP 800-90B, focusing on Entropy and Independent and Identically Distributed (IID) tests.

2. Literature Review

2.1. Pseudo Random Number Generator Based on Linear Congruential Generator

Common programming languages (C, Java) use Linear Congruential Generators (LCG). Given a seed $k$, the sequence is generated as: $f_0(k) \equiv a \oplus k \ (\text{mod} \ m)$ and $f_i(k) \equiv a \times f_{i-1}(k) + c \ (\text{mod} \ m)$. This method is insecure as the state can be reversed: $f_{i-1}(k) \equiv (f_i(k) - c) \times a^{-1} \ (\text{mod} \ m)$, exposing the seed and the entire sequence.

2.2. Secure Pseudo Random Number Generator

Secure PRNGs are based on cryptographic primitives as outlined in NIST SP 800-108 Rev. 1.

2.2.1. Based on HMAC

Security relies on the one-way property of hash functions (e.g., SHA2, SHA3). For a key $k$ and message $M$, the HMAC is computed as: $r_{hmac}(k, M) = h((k \oplus opad) \ || \ h((k \oplus ipad) \ || \ M))$. To generate a random bitstream of length $L$, a counter mode is used: $M_i = i \ || \ \text{KDF} \ || \ 0x00 \ || \ M \ || \ L$, producing outputs $r_{hmac,i}$.

2.2.2. Based on CMAC

Security relies on the AES block cipher in CBC mode. The message $M$ is split into blocks $M'_1, M'_2, ...$. The process iterates: $c_{i+1} = AES(k, c_i \oplus M'_{i+1})$ with $c_0 = Pad0(0)$. The final output $r_{cmac}$ is derived from the last cipher block after specific padding (Pad1).

2.2.3. Based on KMAC

Utilizes the KECCAK sponge function (the foundation of SHA-3), offering a flexible and robust MAC function suitable for generating deterministic random bits.

2.3. Methods for Validating Randomness

The paper adopts the NIST SP 800-90B framework, which is the de facto standard for validating entropy sources. It includes two critical validation suites:

• Entropy Assessment: Estimates the amount of min-entropy in the generated bitstream, indicating its unpredictability.
• IID (Independent and Identically Distributed) Testing: A suite of statistical tests (e.g., Chi-Square, Kolmogorov-Smirnov) to determine if the output bits are statistically independent and follow an identical distribution.

3. Proposed Secure Password Generator

The proposed system architecture is straightforward yet powerful:

1. Input/Seed: Accepts an optional user-provided TBHM. If provided, it is processed; otherwise, a system-generated secure seed is used.
2. Secure PRNG Core: The TBHM/seed is fed into one of the three cryptographic PRNG constructions (HMAC-based, CMAC-based, KMAC-based) to generate a cryptographically strong pseudo-random bit sequence.
3. Password Construction: The random bits are mapped onto a user-defined or system-defined character set (e.g., alphanumeric + symbols) to produce a password of the desired length.

Security Analysis: The paper argues that the security of the generated password hinges directly on the entropy of the PRNG output and the size of the character set. It performs a comparative analysis, showing that a 16-character password from a 94-character set generated by this method can offer brute-force resistance comparable to or exceeding that of AES-128 or AES-256 keys, assuming the PRNG output is truly random.

4. Experimental Results and Analysis

The experimental validation is a key strength of the paper.

• Entropy Validation: The generated random sequences from all three PRNG types (HMAC-SHA256, CMAC-AES256, KMAC256) passed the NIST SP 800-90B entropy assessment, demonstrating high min-entropy close to the ideal 1 bit per bit of output.
• IID Validation: The sequences also passed the IID test suite, confirming that the bits are statistically independent and identically distributed, with no detectable patterns or biases.
• Performance: While not the primary focus, the paper notes computational efficiency. HMAC-SHA256 and KMAC256 showed comparable speed, while CMAC-AES256 was slightly slower due to block cipher operations, but all were within practical limits for password generation.

Chart Description (Implied): A bar chart would effectively compare the min-entropy estimates (in bits per bit) for the three PRNG methods against the ideal value of 1.0. All bars would be very close to 1.0. A second chart could show the p-values from key IID tests (e.g., Chi-Square, Kolmogorov-Smirnov), with all values well above the typical significance threshold (e.g., 0.01), indicating a pass.

5. Conclusion and Future Work

The research successfully demonstrates a secure password generation framework based on cryptographic PRNGs. The proposed methods generate passwords with sufficient randomness, as rigorously validated by NIST standards. Future work directions include:

• Integrating the generator into browser extensions or password managers.
• Exploring post-quantum cryptographic algorithms (e.g., based on lattices, hashes) as the foundation for the PRNG to ensure long-term security.
• Developing a formal security proof under standard cryptographic models.

6. Original Analysis & Expert Insight

Core Insight: This paper isn't about inventing a new cryptographic primitive; it's about the disciplined application and validation of existing, vetted ones (HMAC, CMAC, KMAC) to solve the mundane but critical problem of password generation. Its real value lies in bridging the gap between theoretical cryptography and practical security hygiene, rigorously proving that its output is fit for purpose using the gold-standard NIST test suite.

Logical Flow: The argument is sound: 1) Standard LCGs are cryptographically broken. 2) Secure PRNGs built from cryptographic MACs are provably robust. 3) Therefore, passwords derived from such PRNGs inherit that robustness. 4) This claim is validated not just by theory, but by passing stringent empirical tests (NIST SP 800-90B). This end-to-end validation is what many "secure password generator" tools lack.

Strengths & Flaws:
Strengths: The methodological rigor is commendable. Using NIST SP 800-90B for validation immediately elevates its credibility, akin to how cryptographic algorithms are validated through the CAVP (Cryptographic Algorithm Validation Program). The comparison to AES key strength is a practical, relatable metric for security teams.
Flaws: The paper operates in a controlled, idealized setting. It assumes the initial seed/TBHM has sufficient entropy—a critical and often weak link in real systems. The "optional" user input is a double-edged sword; a weak, predictable user phrase (e.g., "mypassword") could undermine the entire cryptographic construction, a risk not fully quantified. Furthermore, as noted in the 2023 review "Post-Quantum Cryptography: A Ten-Year Journey" by NIST, the field is moving towards quantum-resistant algorithms. The paper's constructions, while secure against classical computers, rely on SHA2/AES, whose long-term quantum resistance is uncertain.

Actionable Insights: For security architects, this paper provides a blueprint. Do not roll your own PRNG. Use established cryptographic constructs as building blocks. More importantly, validate, validate, validate. Integrate continuous entropy validation (like the NIST tests) into your critical random number generation systems, a practice emphasized by organizations like the Linux Foundation's CCC (Common Criteria Certification) efforts. For product development, the immediate takeaway is to replace any LCG-based password generation in your systems with a KMAC or HMAC-SHA256 based generator, using a securely sourced seed. The future-proofing step is to begin prototyping with SHA-3/KECCAK-based designs (like KMAC) and monitor the evolution of NIST's post-quantum cryptography standards for eventual integration.

7. Technical Details & Mathematical Formulation

The core mathematical operations are defined in the Literature Review (Section 2). Key formulas include:

• LCG (Insecure): $f_i(k) \equiv a \times f_{i-1}(k) + c \ (\text{mod} \ m)$
• HMAC: $r_{hmac}(k, M) = h((k \oplus opad) \ || \ h((k \oplus ipad) \ || \ M))$
• HMAC in Counter Mode for PRNG: $M_i = i \ || \ \text{KDF} \ || \ 0x00 \ || \ M \ || \ L$
• CMAC (CBC-MAC) iteration: $c_{i+1} = AES(k, c_i \oplus M'_{i+1})$

The password generation maps a random integer $R$ (from the PRNG output) to a character index: $\text{index} = R \ \text{mod} \ |S|$, where $|S|$ is the size of the character set.

8. Analysis Framework & Case Example

Case Example: Evaluating a Legacy System's Password Generator
Scenario: A legacy web application uses a modified LCG for generating temporary user passwords. A security audit is required.
Framework Application:

1. Identify PRNG Type: Inspect source code. Find: seed = (a * seed + c) % m; Confirm it's an LCG variant.
2. Assess Cryptographic Security: LCG is deterministic and reversible. An attacker obtaining a few consecutive passwords could solve for the seed and predict all future passwords, violating NIST SP 800-63B guidelines on authenticator randomness.
3. Propose Remediation using Paper's Method:
   • Seed Source: Replace system time seed with a CSPRNG (e.g., /dev/urandom on Linux, CryptGenRandom on Windows).
   • Core Generator: Implement an HMAC-SHA256-based PRNG as per the paper's design.
   • Validation: Generate a large sample (1,000,000 bits) from the new generator and run the NIST STS (Statistical Test Suite) or the entropy estimators from SP 800-90B to verify randomness before deployment.

This framework shifts the evaluation from "does it look random?" to "does it pass standardized cryptographic validation?"

9. Future Applications & Development Directions

The principles extend beyond user passwords:

• API Key & Token Generation: Automatically generate cryptographically random API keys and session tokens within microservices architectures.
• Secure Default Configurations: Embed such generators in IoT devices or software installers to create unique, strong default admin passwords, mitigating widespread default credential attacks.
• Post-Quantum Evolution: The KMAC-based construction is inherently based on SHA-3 (KECCAK), which is considered quantum-resistant. This generator can be a foundation for "crypto-agile" systems. Future work should integrate PRNGs based on NIST-standardized post-quantum algorithms like CRYSTALS-Kyber or hash-based signatures, as the cryptographic community prepares for the quantum computing era.
• Integration with Password Managers & SSO: The generator could be a core component of open-source password managers or Single Sign-On (SSO) systems, providing a transparently auditable source of password randomness.

10. References

1. M. Bishop, “Computer Security: Art and Science”, Addison-Wesley, 2019.
2. NIST, “Special Publication 800-63B: Digital Identity Guidelines”, 2020.
3. NIST, “Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation”, 2018.
4. NIST, “Special Publication 800-108 Rev. 1: Recommendation for Key Derivation Using Pseudorandom Functions”, 2022.
5. NIST, “FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions”, 2015.
6. J. Kelsey, B. Schneier, D. Wagner, “Secure Applications of Low-Entropy Keys”, Information Security Workshop, 1997.
7. M. Dworkin, “Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication”, NIST SP 800-38B, 2005.
8. NIST, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process”, 2022. [Online]. Available: https://csrc.nist.gov/projects/post-quantum-cryptography
9. Linux Foundation, “Common Criteria Certification and Open Source”, 2023. [Online]. Available: https://www.linuxfoundation.org/