Are logon session LUID randomness NIST SP 800-90A compliant?

Question

I see that the last 32-bits of the logon session for each user session LUID is randomly generated. The first 32-bits seems to always be zeros. Does the randomness of the last 32-bits comply with NIST SP 800-90A?

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf

Answer 1

Hi Aaron S,

Thank you for posting in the Q&A Forums.

NIST SP 800-90A is a specification for Random Number Generators (RNGs) that provides detailed guidance on the design, implementation, and testing of RNGs. However, it is important to note that NIST SP 800-90A itself does not directly test the randomness of individual random numbers, but rather focuses on the overall performance of the random number generator and the randomness of the output sequence. Determining whether a random number complies with the NIST SP 800-90A standard actually involves evaluating the compliance of the random number generator that generated the random number and performing a series of statistical tests with the NIST-recommended random number test suite. Since these tests cannot be performed directly on individual random numbers, the entire sequence generated by the random number generator is typically evaluated. If the entire sequence passes all relevant tests, the random number generator (and the random numbers it generates) can be considered to be in compliance with the spirit of NIST SP 800-90A or related standards.

Best regards

NeuviJ

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.