
A Secure Password Generator Based on Pseudo-Random Number Generator (PRNG)

This paper proposes a secure password generator using PRNGs based on HMAC, CMAC, or KMAC, and validates it through NIST SP 800-90B entropy and IID tests.

1. Introduction

In recent years, leaks of website accounts and plaintext passwords have been reported continually, underlining the importance of information security and of password security in particular. Beyond vulnerabilities in the websites themselves, the strength of the passwords matters. Common weak practices include passwords built from keywords, popular phrases or personal information, and password reuse across services. The rapid progress of artificial intelligence and large language models has further improved attackers' ability to guess such passwords.

Although platforms deploy defences such as one-time passwords, multi-factor authentication and hashed password storage, raising the inherent strength of the passwords themselves remains important. This study proposes a secure password generator built on a cryptographically secure pseudo-random number generator. The PRNG is constructed from a Hash-based Message Authentication Code (HMAC), a Cipher-based Message Authentication Code (CMAC) or a KECCAK Message Authentication Code (KMAC); its output is then mapped onto a character set to form passwords.

The main contributions are as follows:

2. Literature Review

2.1. Pseudo-random number generator based on linear congruential generator

Many language runtimes (for example C standard libraries and Java's java.util.Random) implement their default PRNG as a linear congruential generator (LCG). Given a seed $k$, the sequence is generated as follows:

$f_0(k) \equiv a \oplus k \ (\text{mod} \ m)$

For $i \ge 1$, $f_i(k) \equiv a \times f_{i-1}(k) + c \ (\text{mod} \ m)$

An LCG is not cryptographically secure because each state is an affine function of the previous one. Whoever learns one full state can run the recurrence forward to predict every later output, and, because $f_{i-1}(k) \equiv (f_i(k) - c) \times a^{-1} \ (\text{mod} \ m)$ whenever $\gcd(a, m) = 1$, can also run it backwards to the seed. The constants $a$, $c$ and $m$ are usually public, and even when they are not, three consecutive full-width outputs suffice to recover $a$ and $c$.
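The backtracking step above carried out in code, as an added example that is not part of the paper: it recovers an LCG's multiplier and increment from three consecutive full-width outputs, predicts the next output and walks back to the seed. The modulus, multiplier, increment and seed are illustrative values chosen here, not the constants of any particular C library or of Java.

```python
# Added example (not the paper's code): recovering an LCG's parameters and
# earlier states from observed outputs. The modulus, multiplier, increment
# and seed are illustrative values, not the constants of C or Java.
M = 2**31 - 1  # prime modulus, so every non-zero residue has an inverse mod M


def lcg_next(state, a, c, m=M):
    """One forward step: f_i = a * f_{i-1} + c (mod m)."""
    return (a * state + c) % m


def lcg_prev(state, a, c, m=M):
    """One backward step: f_{i-1} = (f_i - c) * a^{-1} (mod m).

    Needs gcd(a, m) == 1; pow(a, -1, m) raises ValueError otherwise.
    """
    return ((state - c) * pow(a, -1, m)) % m


def recover_params(x0, x1, x2, m=M):
    """Recover (a, c) from three consecutive full-width outputs.

    x1 = a*x0 + c and x2 = a*x1 + c give x2 - x1 = a*(x1 - x0) (mod m),
    so a = (x2 - x1) * (x1 - x0)^{-1} (mod m) and c = x1 - a*x0 (mod m).
    """
    d = (x1 - x0) % m
    if d == 0:
        raise ValueError("x0 == x1: slide the observation window")
    a = ((x2 - x1) * pow(d, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c


def attack(observed, steps_back, m=M):
    """From >= 3 consecutive outputs return (a, c, predicted_next, earlier_state),
    where earlier_state is the state `steps_back` steps before observed[0]."""
    a, c = recover_params(observed[0], observed[1], observed[2], m)
    # Consistency check: every observed transition must obey the recovered (a, c).
    for x, y in zip(observed, observed[1:]):
        if lcg_next(x, a, c, m) != y:
            raise ValueError("observations are not consecutive LCG outputs")
    s = observed[0]
    for _ in range(steps_back):
        s = lcg_prev(s, a, c, m)
    return a, c, lcg_next(observed[-1], a, c, m), s


def demo():
    """Victim draws six values; the attacker sees three in the middle and recovers the rest."""
    a, c, seed = 48271, 12345, 2023   # secret generator parameters (constructed)
    xs = [seed]
    for _ in range(5):
        xs.append(lcg_next(xs[-1], a, c))
    a_rec, c_rec, nxt, recovered_seed = attack(xs[2:5], steps_back=2)
    return {
        "params_recovered": (a_rec, c_rec) == (a, c),
        "next_predicted": nxt == xs[5],
        "seed_recovered": recovered_seed == seed,
    }


if __name__ == "__main__":
    print(demo())
```

Runtimes that expose only part of the state (Java's nextInt returns the top 32 bits of a 48-bit state) need the hidden bits to be brute-forced or recovered with lattice techniques, but the principle is unchanged: the state, not a secret key, is all that protects the output.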

2.2. Secure pseudo-random number generator

2.2.1. Hash-based Message Authentication Code (HMAC)

The security of HMAC rests on the underlying hash function (e.g., SHA-2; SHA-3 can also be used) behaving as a pseudo-random function when keyed, not merely on its one-way property. For a key $k$ (padded to the hash block size) and a message $M$, HMAC is computed as follows:

$r_{hmac}(k, M) = h((k \oplus opad) \ || \ h((k \oplus ipad) \ || \ M))$

Where $ipad$ and $opad$ are fixed padding constants and $h$ is the hash function. To obtain a random bit stream of length $L$, the construction is run in counter mode: for each output block $i$ the message is $M_i = i \ || \ \text{KDF} \ || \ 0x00 \ || \ M \ || \ L$ (counter, fixed label, separator byte, context, output length), giving $r_{hmac,i}(k, M_i)$; the blocks are concatenated and truncated to $L$ bits.

2.2.2. Cipher-based Message Authentication Code (CMAC)

The security of CMAC rests on the underlying block cipher behaving as a pseudo-random permutation; the paper instantiates it with the Advanced Encryption Standard (AES). For a key $k$ and a message $M$, the message is split into blocks $M'_i$ of the cipher block length $l_a$ and processed in Cipher Block Chaining fashion:

$c_{i+1} = AES(k, c_i \oplus M'_{i+1})$, where $c_0 = Pad0(0)$ is the all-zero block.

The final block is treated specially, as specified in NIST SP 800-38B: a complete final block is XORed with subkey $K_1$, while an incomplete one is padded with a single 1 bit followed by zeros (Pad1) and XORed with subkey $K_2$; both subkeys are derived from $AES(k, 0)$. The output $r_{cmac}(k, Split(M))$ is the last cipher block, truncated if a shorter tag is wanted.

2.2.3. KECCAK Message Authentication Code (KMAC)

KMAC is built on the SHA-3 sponge construction (it is specified in NIST SP 800-185 as a keyed mode of cSHAKE) and takes the requested output length and an optional customization string as native inputs, which gives it flexibility and built-in domain separation. Like HMAC, it can serve as the PRF in counter mode to produce an unpredictable bit stream for PRNG purposes, as described in NIST SP 800-108 Rev. 1.

2.3. Randomness Verification Methods

This paper uses the NIST SP 800-90B framework to validate randomness, focusing on two aspects: the min-entropy estimation and the IID (independent and identically distributed) track tests, whose results are reported in Section 4.2.

3. Proposed Secure Password Generator Based on Secure PRNG

The proposed system architecture includes:

  1. Input: An optional user-provided "message to be hashed" (TBHM) together with parameters (desired password length, character set).
  2. Secure PRNG core: Following NIST SP 800-108, the PRNG runs in counter mode over one of the three MAC functions (HMAC, CMAC or KMAC). The core takes the TBHM as context, together with an internal secret key or seed, and produces a cryptographically secure pseudo-random bit stream.
  3. Password construction: The pseudo-random bits are mapped onto the user-specified character set (for example, letters and digits plus symbols) to form a password of the required length.

Security analysis compares the effective keyspace of generated passwords (based on character set size $C$ and length $L$, yielding $C^L$ possibilities) against the brute-force resistance of AES-128 ($2^{128}$) and AES-256 ($2^{256}$). For instance, a 16-character password from a 94-character set provides approximately $94^{16} \approx 2^{105}$ possibilities, which is weaker than AES-128 but still sufficiently strong for many applications.

4. Experimental Environment and Results

4.1. Experimental Setup

Experiments were conducted, generating a large number of random number sequences using the proposed PRNG based on HMAC, CMAC, and KMAC. These sequences were then tested using the NIST SP 800-90B test suite.

4.2. Randomness Verification Results

Key Findings: Experimental results show that the random numbers generated by all three proposed PRNG methods (HMAC/SHA-256, CMAC/AES-256, KMAC) successfully passed the entropy validation and IID validation tests specified in NIST SP 800-90B.

Significance: Passing these tests indicates that the output has high estimated min-entropy and no statistical dependencies or biases that the suite can detect, which is a necessary property of a random source for cryptographic use. Two caveats apply. SP 800-90B is written for entropy (noise) sources, whereas this generator is deterministic, so its security ultimately rests on the PRF property of the MAC and on keeping the key secret, not on the test results. And statistical tests are necessary but not sufficient: an LCG with well-chosen parameters also passes many of them, yet Section 2.1 shows it is trivially predictable.

4.3. Computational Efficiency Analysis

Although performance is not the paper's focus, a trade-off is implied. HMAC/SHA-256 is fast in software and benefits from the SHA extensions on recent CPUs; CMAC/AES benefits from AES-NI and similar hardware acceleration; KMAC (SHA-3) is generally slower than SHA-256 in pure software but is cheap to implement in hardware. The choice can be tailored to the performance constraints of the deployment platform.

5. Conclusion and Future Work

This study successfully designed and validated a secure password generator framework based on cryptographically strong PRNGs (HMAC, CMAC, KMAC). The security of the generated passwords stems from the proven properties of these MAC functions and the verified high randomness of the underlying bitstream.

Future directions include:

6. Original Analysis and Expert Insights

Core insights: Chen's work is a pragmatic, standards-compliant engineering answer to a fundamental problem (weak password entropy). It correctly observes that many password breaches stem not only from storage flaws but also from predictable generation. By anchoring the design in NIST-approved constructions (HMAC, CMAC, KMAC) and a NIST validation framework (SP 800-90B), the paper avoids novel cryptography and delivers a verifiable, reliable method. Its philosophy differs from that of operating-system generators such as Linux's /dev/random and /dev/urandom, which aggregate entropy from system events: the focus here is a deterministic, seedable, user-influenced process suited to reproducible password generation.

Logical flow: The argument is systematic: (1) establish the problem (weak, guessable passwords); (2) dismiss common but flawed solutions (LCG-based generators); (3) choose building blocks with proven security (cryptographic MACs); (4) assemble them according to an existing standard (NIST SP 800-108 counter mode); (5) validate the output against a rigorous benchmark (NIST SP 800-90B). This flow reflects good practice in applied-cryptography research, comparable in spirit to the structured multi-domain, multi-metric evaluation of the CycleGAN paper.

Strengths and limitations: The main strength is reliability: battle-tested primitives and NIST guidance minimise design risk, and the optional user input allows personalisation without weakening the output as long as the key stays secret. A notable gap is the absence of a direct comparison with other password-generation approaches, and of any discussion of how the generated passwords behave under the key-stretching functions (Argon2, bcrypt) used to store them. The comparison with AES brute-force strength is useful but oversimplified: real-world attacks are usually offline cracking of leaked hashes, and the paper could strengthen its argument by measuring resistance against tools such as Hashcat with optimised rule sets (a uniformly random 105-bit password gives such rules nothing to exploit, which is exactly what such a test would demonstrate). Finally, NIST statistical tests do not cover every cryptographic property; an analysis of the implementation's resistance to side-channel leakage of the key would be valuable.

Actionable insights: For security architects, the paper provides a ready-made blueprint. Recommendation 1: implement a KMAC-based variant. KMAC takes the output length and a customization string as native inputs, which gives domain separation without ad-hoc message framing, and as a SHA-3 construction it is a reasonable forward-looking choice. (Length-extension attacks on SHA-2 are not a concern for HMAC, whose nested construction was designed to neutralise them; they are a reason to prefer KMAC over a naive keyed hash, not over HMAC.) Recommendation 2: integrate the generator as the core engine of enterprise password vaults or single sign-on systems that create passwords under policy. Its determinism (same key, TBHM and parameters give the same password) can help in recovery scenarios, but it also means that the key $K_{sys}$ reproduces every password ever issued and must be protected and rotated like a master key. Recommendation 3: pair the technical solution with enforced defaults and user education. The generator can produce a 20-character random string, but if a caller chooses an 8-character length and a small character set the keyspace collapses ($62^8 \approx 2^{48}$), and if no secret key is used the password is only as strong as the TBHM, so a short, memorable TBHM is fatal. The interface should enforce sensible defaults (for example a minimum of 12 characters from the full character set) and convey the resulting entropy to the user, in line with published password-policy guidance such as the OWASP Password Storage Cheat Sheet.

7. Technical Details and Mathematical Formulas

Core security relies on the pseudorandom function property of the MAC. The PRNG in counter mode can be abstracted as:

$R_i = PRF(K, \text{Counter} \ || \ \text{Label} \ || \ 0x00 \ || \ \text{Input} \ || \ L)$

Where $PRF$ is $HMAC$, $CMAC$, or $KMAC$, $K$ is the secret key, and $R_i$ are the output blocks concatenated to form the final bitstream.

Password mapping: Given an integer $v$ taken from the bit stream and a character set of size $C$, the character index is selected as $index = v \bmod C$, and this is repeated $L$ times. If $v$ ranges over $2^b$ values and $2^b$ is not a multiple of $C$, this mapping is biased: with 8-bit values and $C = 94$, $256 = 2 \cdot 94 + 68$, so the first 68 characters of the set are chosen slightly more often than the rest. The standard remedy is to discard any $v \ge \lfloor 2^b / C \rfloor \cdot C$ and take the next value from the stream (rejection sampling), or to make $v$ wide enough that the bias is negligible.

8. Analytical Framework and Conceptual Examples

Scenario: A web service needs to generate a high-strength random initial password for new users.

Framework Application:

  1. Parameter Selection: The service selects KMAC256 as the PRF, a system-derived cryptographic key $K_{sys}$ is securely stored, and a TBHM composed of a user's unique, immutable user ID and a timestamp.
  2. Process:
    • Input: TBHM = "USER12345@2023-10-27T10:30:00Z", length $L$ = 16, character set = 94 printable ASCII characters.
    • The PRNG core runs in counter mode under $K_{sys}$ to produce a pseudo-random bit stream. Sixteen characters from a 94-symbol set carry $16 \cdot \log_2 94 \approx 105$ bits, so 128 output bits suffice if every bit is consumed; a mapping that discards out-of-range values to avoid modulo bias consumes more, so the core should be asked for a generous number of blocks.
    • The bits are mapped to a string such as "s9*!Lq9@Pz%2m#X&" (illustrative).
  3. Security Attribute:
    • Unpredictability: Without $K_{sys}$ the output is unpredictable even to someone who knows the TBHM; conversely, whoever holds $K_{sys}$ can reproduce every password, so the key must be stored and handled as a master secret.
    • Determinism: The same TBHM (user ID plus timestamp) under the same key always yields the same password, which aids debugging and reproducible provisioning; because the timestamp is part of the TBHM, the same user receives a different password at a different moment.
    • High entropy: With an unbiased mapping the password carries approximately 105 bits of entropy, making brute-force search infeasible.
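The scenario above carried through in code, as an added example that is not part of the paper: it implements the counter-mode PRF of Sections 2.2.1 and 7 and the mapping step of Sections 3 and 7 and applies them to the Section 8 inputs. HMAC-SHA256 from the Python standard library stands in for KMAC256, which the standard library does not provide; the key, the label name and the TBHM are constructed for this example; and the mapping uses rejection sampling instead of the plain $v \bmod C$ of Section 7, so that no character is favoured.

```python
# Added example (not the paper's code): the counter-mode PRF of Sections 2.2.1
# and 7 and the password mapping of Sections 3 and 7, applied to the scenario
# of Section 8. HMAC-SHA256 from the standard library stands in for KMAC256.
# The key, label and TBHM below are constructed for this example.
import hashlib
import hmac
import math
import string

# Constructed K_sys; a deployment loads it from a KMS or HSM and never hard-codes it.
K_SYS = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                      "101112131415161718191a1b1c1d1e1f")
LABEL = b"password-gen"  # stands in for the paper's fixed "KDF" label (name assumed)
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII


def prf_counter_mode(key, label, context, n_bytes):
    """SP 800-108 counter mode with HMAC-SHA256 as the PRF.

    R_i = HMAC(key, [i]_4 || label || 0x00 || context || [L]_4), i = 1, 2, ...
    where [L]_4 is the requested output length in bits as a 4-byte big-endian
    integer; the blocks are concatenated and truncated to n_bytes.
    """
    L = (n_bytes * 8).to_bytes(4, "big")
    out = bytearray()
    i = 1
    while len(out) < n_bytes:
        msg = i.to_bytes(4, "big") + label + b"\x00" + context + L
        out += hmac.new(key, msg, hashlib.sha256).digest()
        i += 1
    return bytes(out[:n_bytes])


def index_histogram(charset, reject):
    """How often each index is chosen when every byte value 0..255 is mapped once.

    With plain v mod C and C = 94, indices 0..67 are hit 3 times and 68..93
    only twice (256 = 2*94 + 68): that is modulo bias. Rejecting v >= 188
    (the largest multiple of 94 not above 256) makes every index equally likely.
    """
    C = len(charset)
    limit = 256 - (256 % C) if reject else 256
    counts = [0] * C
    for v in range(256):
        if v < limit:
            counts[v % C] += 1
    return counts


def map_to_charset(stream, charset, length):
    """Map a byte stream onto charset with rejection sampling (no modulo bias)."""
    C = len(charset)
    limit = 256 - (256 % C)
    chars = []
    for v in stream:
        if v >= limit:
            continue          # out of range: skip this byte and take the next
        chars.append(charset[v % C])
        if len(chars) == length:
            return "".join(chars)
    raise ValueError("bit stream exhausted; request more PRF output")


def generate_password(tbhm, length, charset=CHARSET, key=K_SYS):
    """Password = map(PRF_counter(key, LABEL, TBHM)); deterministic in (key, TBHM, length)."""
    # Four bytes per character is a generous budget: on average 256/188 ~ 1.36
    # bytes are consumed per character when 68 of the 256 values are rejected.
    stream = prf_counter_mode(key, LABEL, tbhm.encode("utf-8"), 4 * length)
    return map_to_charset(stream, charset, length)


def entropy_bits(length, charset=CHARSET):
    """log2(C^L): about 104.9 bits for 16 characters from 94 symbols."""
    return length * math.log2(len(charset))


if __name__ == "__main__":
    tbhm = "USER12345@2023-10-27T10:30:00Z"   # the Section 8 scenario's TBHM
    print(generate_password(tbhm, 16), round(entropy_bits(16), 1))
    print(index_histogram(CHARSET, reject=False))
    print(index_histogram(CHARSET, reject=True))
```

The output length $L$ is bound into every block, so asking for a different amount of output changes the whole stream rather than extending it; a production implementation would fix a generous budget up front, as done here, or use a PRF with a native output length such as KMAC. Changing the key, the TBHM or the requested length all yield an unrelated password, which is the behaviour the scenario relies on.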

9. Future Applications and Development Directions

10. References

  1. M. Bellare, R. Canetti and H. Krawczyk, "Keying Hash Functions for Message Authentication," CRYPTO 1996.
  2. NIST, "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication," SP 800-38B.
  3. NIST, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions," FIPS PUB 202.
  4. NIST, "Recommendation for the Entropy Sources Used for Random Bit Generation," SP 800-90B.
  5. NIST, "Recommendation for Key Derivation Using Pseudorandom Functions," SP 800-108 Rev. 1.
  6. J. Kelsey, B. Schneier and N. Ferguson, "Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator," SAC 1999.
  7. J.-Y. Zhu, T. Park, P. Isola and A. A. Efros, "Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks," ICCV 2017. (Cited as an example of rigorous methodological evaluation.)
  8. OWASP Foundation, "Password Storage Cheat Sheet," OWASP Cheat Sheet Series. (Cited for practical password policy guidance.)