View
24
Download
2
Category
Preview:
Citation preview
Random Number Generation – Lava Lamps, Clouds and the IoT
January 31st 2017Richard Moulds - Vice President Strategy, Whitewood
OWASP Meetup
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Cryptography – the basis of digital security
Digital Certificates(authentication)
Encryption(data confidentiality)
Digital signatures(integrity and
non-repudiation)
Protect data at rest
Strong authentication
Code signing
Secure time
Secure communications
Mobile paymentsSecure
archives
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Outsider the ‘Perimeter’Inside the ‘Perimeter’ Inside the ‘Perimeter’
keys
Crypto is all about secrets
MathDataEncrypted Data
Encryption
Math
keys
Decryption
Data
Network traffic
Backup media
Forensic requests
Portable media
Cloud storage
File shares
Outsiders can only try to guess the keys
Insiders focus on stealing the keys
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Security assumptions rely on keys being truly random - when patterns emerge (or are engineered), keys get predictable and
crypto is weakened
All crypto security starts with random numbers
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Hidden vulnerabilities and backdoors of choice
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Testing for randomness
1.0
Single die Two dice Loaded dice
Probabilities of outcomes
Measuring uniformity and lack of bias is a good start…
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Proving unpredictability is more tricky
What data looks the most unpredictable?
73141592653589793238462643383279502884197169399375896473
3.141592653589793238462643383279502884197169399375896473𝜋
For crypto we also need unpredictability, imperturbability, secrecy and reliability all of which requires knowledge of the
source of randomness, not just statistical analysis of the output
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Finally we have a standard (nearly)
Source – Recommendation for the Entropy Sources Used for Random Bit Generation (SP800-90B 2nd draft) – NIST January 2016
“Specifying an entropy source is a complicated matter. This is partly due to confusion in the meaning of entropy, and partly due to the fact that, while other parts of an RBG design are strictly algorithmic, entropy sources depend on physical processes that may vary from one instance of a source to another”.
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Most random numbers
come from the Operating
System
RANDOM NUMBER
GENERATOR
But software doesn’t
act randomly
Why so complicated?
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Entropy - a long standing issue
“Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.” (J. von Neumann, 1951)
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Pseudo-random numbers – an oxymoron?
Crypto Application
Operating System Random
NumbersRandom SeedsEntropy
Source
Shuffling the deck Dealing the deck
Pseudo-random number
generator
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Where does entropy come from?
App1 App2 App3
Operating System
Host System
Random Numbers
Pseudo-random number generator
HardwareCPU
TimingNetwork Timing
Hard Drive Timing
Entropy
Mouse Clicks
Camera
Antenna
Local Environment
Microphone
Keyboards
Entropy
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
But in a virtual world…
App1 App2 App3
HardwareCPU
TimingNetwork Timing
Mouse Clicks
Camera
Antenna
Local Environment
Microphone
Keyboards
Host System
Hard Drive Timing
Random Numbers
Hypervisor
Operating System Pseudo-random number generator
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Random number generators in Linux
Delivers random numbers irrespective of how much
entropy has been captured
Delivers random numbers only if sufficient entropy has been
captured - otherwise it stops
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Entropy sources in Linux
InterruptEntropy
Pool(1024 bits)
Main Entropy
Pool(4096 bits)
/dev/urandomPRNG
/dev/randomPRNG
Interruptevents
Disk events,keyboard clicks
and mouse movements
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Interrupts (add_interrupt_randomness) Kernel IRQ handler adds data from each interrupt into the
Interrupt Pool One Interrupt pool per CPU to eliminate contention
− Cycle counter XOR kernel timer− IRQ number− Instruction pointer at the time the interrupt is received
Instruction PointerIRQ
4 bytes 4 bytes 8 bytes
Cycle Count & Kernel Timer
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Interrupts (add_interrupt_randomness) Kernel IRQ handler adds data from each interrupt into the
Interrupt Pool One Interrupt pool per CPU to eliminate contention
Cycles Kernel IRQ Instruction Pointer123975895488 4294893898 14 18446744071578900000123977123888 4294893898 14 18446744071578900000123979445304 4294893898 14 18446744071578900000123983781984 4294893899 14 18446744071578900000123985083096 4294893899 14 18446744071578900000123986825584 4294893899 14 18446744071578900000123987250920 4294893899 14 18446744071578900000
4 bytes 4 bytes 8 bytes
Instruction PointerIRQCycle Count & Kernel Timer
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Disk (add_timer_randomness) Disk events are funneled through timer randomness One Interrupt pool per CPU to eliminate contention
Kernel Timer
Cycle Counter
Device id (disk_devt)
Kernel Timer Cycles Device ID4294893055 114984099168 83888644294893055 114984867024 83888644294893055 114985479992 83888644294893055 114985942112 83888644294893060 115031476128 83888644294893060 115031907648 83888644294893060 115032263720 83888644294893060 115032643792 8388864
4 bytes 4 bytes 8 bytes
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Enhancing system entropy
Operating System
PRNGe.g. /dev/random
Existing system entropy
Supplementary entropy
source(s)
Existing applications
‘True’ random numbers
Entropy is always additive
Goal: generate true random numbers from a PRNG
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Supplementary sources of entropy
4 general ways to improve entropy beyond the basic kernel: Software daemons to extract better timing related entropy:
− HAVEGED – (www.issihosts.com/haveged/)− CPU Jitter RNG (www.chronox.de/jent.html)
Entropy extraction from peripheral devices (mics and cameras)− audio-entropyd & video-entropyd - (www.vanheusden.com/aed/)
Local hardware based entropy sources− Embedded CPU feature (RDRAND), USB devices, PCI cards, etc.− Wide range of noise sources – electrical, meta-stable circuits, quantum− Wiki search - “comparison of hardware random number generators”
Network based sources – “Entropy as a Service”− www.random.org (random numbers rather than entropy)− NIST (coming soon?)− Whitewood (www.getnetrandom.com)
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Comparison of supplementary entropy sources
Jitter Daemons
Noisy sensors
Hardware RNGs
Entropy as a Service
Primary focus
Application specific
Individual machine
Individual machine
Distributed systems
Scalability Medium Poor Low - High High
Maturity Open source Niche Mature Emerging
Assurance Low Low High* High*
Visibility Low Low Low High
Control Medium Low Medium (black-box)
High (private service)
Cost Free Sensor? $0 - $10k Amortized
In a Nutshell Band Aid For the Hobbyists
“No one likes hardware”
Infrastructure of the future?
* - when new NIST standard is finalized
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Whitewood Entropy Engine
Generates random numbers using the quantum properties of light
Quantum noise source is 100% unpredictable - independent of all external factors
Delivers extremely high performance− Output data rate of 350Mbit/s
Deployed as local source or network service
Designed to comply with NIST 800-90B/C Based on 20 years research at Los Alamos
Entropy Engine PCIe card
Quantum Random Number Generator (QRNG)
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Summary Encryption and cryptography are the basis of trust and security
in the digital world Random numbers are critical for security but are often poorly
understood and managed Random number generators are a point of attack and
vulnerability – potentially an invisible one Modern application environments present entropy challenges
– cloud, appliance, mobile, browser, IoT Proving the operation and quality of entropy sources and
random number generators is difficult New standards such as NIST 800-90 will help Random number generation should be a critical component of
your key management strategy and datacenter infrastructure
©2016 WHITEWOOD® - ALL RIGHTS RESERVED
Thank you
richard.moulds@whitewoodencryption.com
Demo at www.whitewoodencryption.com/netrandom-demo
Recommended