Randomness in Cryptography: A Deadly Pitfall
Nick Christoforidis & Konstantinos Rousis
Information Security Module, CITY College
Part I: Defining Randomness
Nikos Christoforidis
Randomness is Everywhere in CS
• On-line casinos:
  o Shuffle decks, roll dice, spin the roulette wheel
• Biologically inspired algorithms:
  o Chemotaxis in neural nets
  o Mutations in genetic algorithms
  o Movement of agents (ants, bees)
• Operating systems:
  o Lottery scheduling
• Games & photorealism:
  o Realistic smoke, fire, rain, wind, blood, etc.
• Business, Malkiel 1973:
  o Random Walk Hypothesis for the stock market
• Cryptography ...
Definition
Two major principles:
• Single number selected from a set
  o Each member of the set must have an equal chance of selection
• Sequence of numbers
  o Cannot predict an element from the position of the other elements of the sequence
If the principles are respected:
• each bit of output carries a bit of entropy
• e.g. a generated 32-bit key needs an effort of 2^32 to be broken.
Random Number Generator Types
• Non-deterministic
  o Based on physical phenomena, e.g. noise of radio frequencies, flow of liquids, internet traffic, atmospheric pressure/humidity, etc.
  o Too expensive for typical users
• Deterministic, or Pseudo-Random Number Generators
  o An algorithm takes an input and produces a "random" output, based on the current secret state "S".
  o S is initialized by a random seed and may be reseeded periodically
  o Same seed = same "random" output, hence: "pseudo-random".
Example: Middle Square Method
Introduced by von Neumann, 1945:
1. Pick an initial random number.
2. Square it.
3. Extract the middle digits, as the random output.
4. Repeat step (2) with the output of (3).
Example: 13 -> 0169 -> 16 -> 0256 -> 25 -> 0625 -> 62 -> 3844 -> 84 -> ...
** But: ** ... -> 40 -> 1600 -> 60 -> 3600 -> 60 -> 3600 -> 60 -> ....
Repetition!
• attacker has gained information
• can mount an efficient attack
• generator is compromised
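The middle-square sequence above, as an added example that is not part of the slides: a step function for von Neumann's method plus a cycle detector, so the "Repetition!" failure can be checked for any seed rather than only for 40. The two-digit width and the seeds used are taken from the slide; the padding of squares to four digits (so that 13 -> 0169) is the assumption that makes the slide's arithmetic come out.

```python
# Added example (not from the slides): von Neumann's middle-square method,
# with a cycle detector that makes the "Repetition!" failure visible.


def middle_square_step(state: int, digits: int = 2) -> int:
    """One round: square the state, keep the middle `digits` digits.

    The square is left-padded to 2*digits digits so that "0169" keeps its
    leading zero, matching the slide's 13 -> 0169 -> 16 example.
    """
    width = 2 * digits
    square = str(state * state).zfill(width)
    start = (width - digits) // 2
    return int(square[start:start + digits])


def middle_square_outputs(seed: int, count: int, digits: int = 2) -> list:
    """Return the first `count` outputs produced from `seed`."""
    outputs = []
    state = seed
    for _ in range(count):
        state = middle_square_step(state, digits)
        outputs.append(state)
    return outputs


def find_cycle(seed: int, digits: int = 2, limit: int = 100_000):
    """Detect when the generator starts repeating.

    Returns (first_index, cycle_length): the sequence, with the seed at index 0,
    enters a loop of `cycle_length` states beginning at position `first_index`.
    The state is at most `digits` digits wide, so a repeat is guaranteed within
    10**digits steps; from that point on every later output is known.
    """
    seen = {}
    state = seed
    for i in range(limit):
        if state in seen:
            return seen[state], i - seen[state]
        seen[state] = i
        state = middle_square_step(state, digits)
    return None


if __name__ == "__main__":
    print("from 13:", middle_square_outputs(13, 8))   # 16, 25, 62, 84, 5, 2, 0, 0
    print("from 40:", middle_square_outputs(40, 4))   # 60, 60, 60, 60
    print("cycle from 40:", find_cycle(40))           # (1, 1): stuck on 60 after one step
    print("cycle from 13:", find_cycle(13))           # (7, 1): collapses to 0
```

Note that the seed 13 from the slide is not a good one either: after 84 the sequence passes through 05, 02 and collapses to the fixed point 0. A two-digit state space of 100 values cannot avoid this; the detector reports a cycle for every seed.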
Part II: Attacking PRNGs
Nikos Christoforidis
Methods of Attacking PRNGs
Direct Cryptanalytic
• Attacker can distinguish outputs that are not as random as expected.
• Huge benefit to brute-force attacks: the search space is reduced
Input-Based
• Known input: attacker has to cryptanalyze
• Repeated input: attacker gains advantage
• Controlled input: best case, attacker can easily understand the internal workings of the algorithm.
State Compromise Extension
• Attacker has compromised part of the state S at time t
  o Can guess the output at time t+x, or
  o Can learn previous outputs (time < t), or
  o Can predict all outputs (fully compromised PRNG)
ANSI X9.17
• Published: 1985; FIPS (NIST) standard: 1992
• Aim: produce DES keys for electronic money transactions
• A 3DES key "K" was created at initialisation, then:
• Cryptanalytic and known-input attacks are difficult
• If the attacker knows K, the seed can be found with 2^11 effort
  o Timestamps in msecs, for a timespan of a second
  o Now any other seed can be calculated
  o All random outputs can be predicted
Other PRNGs
Yarrow:
• Designed by Schneier, Kelsey, Ferguson
• Included an entropy accumulator, fed from various sources
• Enough entropy estimated ==> reseed secret state
Fortuna:
• Improved Yarrow: entropy estimations were dismissed
• Increased entropy pools to 32, each with
  o a different rate of gaining entropy
  o a different contribution to the reseed process
Mersenne Twister:
• Based on Mersenne prime numbers
• Period of repetition: 2^19937 - 1 outputs (!!!)
• Very fast, but becomes predictable after 624 iterations.
Part III: Real-World Attack Cases
Konstantinos Rousis
Netscape Navigator 1.1 - Random seed
• In 1995, Netscape added SSL support to its browser, claiming 128-bit-strong security
• SSL needed random numbers to generate secret keys
• The sources of "randomness" used were:
  o The system's seconds and milliseconds
  o The process ID and the parent's process ID
• A number of weaknesses are apparent:
  o None of them is truly random (physical phenomena etc.)
  o The seconds will be found, as most probably the attacker is eavesdropping
  o Milliseconds are of rather inadequate entropy (1 to 1000)
  o Process IDs are easily determined, as they are not considered confidential
• In the worst case for the attacker, the information entropy used is only 47 bits, instead of 128
PlanetPoker.com - Shuffling Algorithm
• Back in 1999, a successful online poker site, Planet Poker, publicized its shuffling algorithm
• Weaknesses in terms of fairness and security became obvious:
  o Off-by-one error (random_number := random(51)+1;)
  o Random seed: the system's current timestamp
• By searching an embarrassingly small space of values, the exact timestamp can be found
• In order to determine which of the possible timestamps was indeed used, only 5 cards had to be displayed
• After that, the whole shuffle is known
• Fortunately, the security hole was identified by security experts
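The point shared by the Netscape and PlanetPoker slides is that the seed, not the algorithm, sets the real security level. The following added example is not PlanetPoker's code (their routine was Pascal; this uses Python's standard PRNG as a stand-in): it shuffles a deck from a time-of-day seed in milliseconds and then runs the reviewer's check the slide describes, counting how many candidate seeds within a known second reproduce the face-up cards. The card encoding, the one-second window and the millisecond seed are assumptions; the off-by-one the slide mentions is a separate defect and is not reproduced. The last function shows the fix, seeding from the OS entropy source.

```python
import random
import secrets

# Added example (not PlanetPoker's code): a deck shuffled with a PRNG seeded
# from a millisecond timestamp, plus a check of how few visible cards pin the
# seed down when the seed space is that small. Card encoding is constructed.

SUITS = "CDHS"
RANKS = "23456789TJQKA"
DECK = [r + s for s in SUITS for r in RANKS]          # 52 cards


def weak_shuffle(millis_since_midnight: int) -> list:
    """Shuffle seeded only from the time of day in milliseconds.

    There are only 86,400,000 possible seeds in total, and an observer who knows
    the hand started within a particular second is left with 1000 candidates.
    random.Random is Python's Mersenne Twister; any deterministic PRNG behaves
    the same way here because the weakness is the seed, not the algorithm.
    """
    rng = random.Random(millis_since_midnight)
    deck = DECK[:]
    rng.shuffle(deck)
    return deck


def candidate_seeds_matching(visible_cards: list, second_of_day: int) -> list:
    """Return every millisecond seed within the given second whose shuffle
    starts with the observed cards. A single match means the deck is known."""
    base = second_of_day * 1000
    matches = []
    for ms in range(1000):
        seed = base + ms
        if weak_shuffle(seed)[:len(visible_cards)] == visible_cards:
            matches.append(seed)
    return matches


def cards_needed_to_identify(true_seed: int, max_cards: int = 10) -> int:
    """Smallest number of face-up cards for which the seed is unique within its
    second; the slide reports 5 for the real site."""
    deck = weak_shuffle(true_seed)
    second = true_seed // 1000
    for k in range(1, max_cards + 1):
        if candidate_seeds_matching(deck[:k], second) == [true_seed]:
            return k
    return -1  # not identified within max_cards


def strong_shuffle() -> list:
    """The fix: draw the shuffle from the OS entropy source instead of the
    clock. secrets.SystemRandom exposes no seed for anyone to search."""
    deck = DECK[:]
    secrets.SystemRandom().shuffle(deck)
    return deck


if __name__ == "__main__":
    seed = 45_296_123                      # constructed: 12:34:56.123
    print("cards needed:", cards_needed_to_identify(seed))
    print("strong shuffle:", strong_shuffle()[:5])
```

The 1000-candidate window is about 10 bits of effective entropy, which is what the Netscape slide is counting when it arrives at 47 bits instead of 128: the search cost is set by the seed's entropy, however strong the algorithm consuming it.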
PGP's flawed algorithm
• PGP uses a PRNG to initialize session keys, which afterwards are used to create RSA 1024-bit keys
• Versions 2.5 and 2.6 suffered from a bug in one of the PRNG's functions
  o Instead of XORing (^=) the new entropy bits with the content already in the accumulator, an assignment (=) was performed
• The system was not weakened enough to be compromised, but the information entropy was reduced by a few hundred bits
• Although the flaw can be considered "just a typo", the important thing is how easily security can be undermined by a small error, even when written by security experts
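The shape of the bug, as an added example that is not PGP's code: two versions of an entropy-accumulator update that differ only in `^=` versus `=`, with a check a reviewer can run to show that the assignment version forgets everything fed in before the last sample. The pool size and the sample values are constructed.

```python
# Added example (not PGP's code): mixing fresh entropy into a pool with XOR
# versus overwriting it with an assignment, the shape of the bug the slide
# describes. Pool size and sample bytes are constructed.

POOL_SIZE = 16


def add_entropy_xor(pool: bytearray, sample: bytes) -> bytearray:
    """Intended behaviour: every byte ever fed in still influences the pool."""
    for i, b in enumerate(sample):
        pool[i % POOL_SIZE] ^= b
    return pool


def add_entropy_assign(pool: bytearray, sample: bytes) -> bytearray:
    """The typo: '=' instead of '^=' discards whatever was already accumulated."""
    for i, b in enumerate(sample):
        pool[i % POOL_SIZE] = b
    return pool


def pool_after(mixer, samples) -> bytes:
    """Run a sequence of samples through the given mixer, starting from zero."""
    pool = bytearray(POOL_SIZE)
    for s in samples:
        mixer(pool, s)
    return bytes(pool)


def history_matters(mixer) -> bool:
    """Feed two histories that share only the final sample. A sound accumulator
    must end in different states; if it does not, the earlier samples
    contributed no entropy at all."""
    final = b"\x10" * POOL_SIZE
    hist_a = [b"\x01" * POOL_SIZE, b"\x02" * POOL_SIZE, final]
    hist_b = [b"\xaa" * POOL_SIZE, b"\x55" * POOL_SIZE, final]
    return pool_after(mixer, hist_a) != pool_after(mixer, hist_b)


def distinct_pools(mixer, history_prefixes, final: bytes) -> int:
    """Count the distinct pool states reachable with a fixed final sample.
    With '=' the answer is 1 however many prefixes are tried: the pool holds
    only the entropy of the last sample, which is the loss the slide reports."""
    return len({pool_after(mixer, list(p) + [final]) for p in history_prefixes})


if __name__ == "__main__":
    prefixes = [[bytes([i]) * POOL_SIZE] for i in range(8)]
    final = b"\x10" * POOL_SIZE
    print("xor keeps history:   ", history_matters(add_entropy_xor))
    print("assign keeps history:", history_matters(add_entropy_assign))
    print("distinct pools, xor:   ", distinct_pools(add_entropy_xor, prefixes, final))
    print("distinct pools, assign:", distinct_pools(add_entropy_assign, prefixes, final))
```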
Part IV: Safe Use of PRNGs
Konstantinos Rousis
Avoiding Common Pitfalls
• On every PRNG, 2 things are crucial: a random source and a carefully implemented algorithm
• Safe algorithms come from experience
• Random sources can derive from physical phenomena or from the use of specialized hardware chips
• As end-users have none, other sources have been proposed:
  o User's interaction with the PC (keystrokes, mouse movement)
  o Timers (BIOS, operating system, software)
  o Hardware measurements (mic/cam input, network traffic)
• The two major concerns for all of them are availability and interoperability
• Both of them can be handled efficiently if many sources are used simultaneously
  o in this case, an entropy accumulator is handy (see Yarrow)
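The accumulator the slide points to, as an added example rather than Yarrow's own code: several weak sources are hashed into one pool, each arrival is credited with a conservative entropy estimate, and the secret state is only reseeded once the credited entropy crosses a threshold. The source names, the per-sample estimates, the 128-bit threshold and the rule that at least two distinct sources must have contributed before a reseed (so that one manipulable source cannot drive it alone) are all assumptions of this example.

```python
import hashlib

# Added example (not from the slides or from Yarrow): a minimal multi-source
# entropy accumulator. Source names, entropy estimates and the threshold are
# constructed for illustration.

RESEED_THRESHOLD_BITS = 128


class EntropyAccumulator:
    def __init__(self):
        self.pool = hashlib.sha256()
        self.credited_bits = 0
        self.sources_seen = set()

    def add(self, source: str, sample: bytes, est_bits: int) -> None:
        """Mix a sample into the pool and credit its entropy estimate.

        A sample is always mixed, even at 0 credited bits (mixing cannot reduce
        the pool's entropy); the estimate only decides when reseeding is allowed.
        Source name and length are framed in so that byte boundaries are unambiguous.
        """
        framed = source.encode() + b"\x00" + len(sample).to_bytes(4, "big") + sample
        self.pool.update(framed)
        self.credited_bits += est_bits
        self.sources_seen.add(source)

    def ready(self) -> bool:
        """Reseed only once enough entropy is credited and more than one source
        contributed, so a single manipulable source cannot force a reseed."""
        return (self.credited_bits >= RESEED_THRESHOLD_BITS
                and len(self.sources_seen) >= 2)

    def reseed(self) -> bytes:
        """Derive a fresh 32-byte secret state and start a new pool that is
        chained to the old state, so earlier entropy is never thrown away."""
        if not self.ready():
            raise RuntimeError("not enough estimated entropy to reseed")
        new_state = self.pool.digest()
        self.pool = hashlib.sha256(new_state)
        self.credited_bits = 0
        self.sources_seen = set()
        return new_state


def collect_and_reseed(samples) -> bytes:
    """Feed (source, bytes, est_bits) triples in order and return the new state
    as soon as the accumulator is ready; raise if the sources run out first."""
    acc = EntropyAccumulator()
    for source, data, bits in samples:
        acc.add(source, data, bits)
        if acc.ready():
            return acc.reseed()
    raise RuntimeError("sources exhausted before reaching the threshold")


if __name__ == "__main__":
    # Constructed samples: mouse positions credited 4 bits each, keystroke
    # timer deltas credited 12 bits each.
    samples = ([("mouse", bytes([i]) * 4, 4) for i in range(20)]
               + [("keystroke_timer", b"\x07\x11", 12) for _ in range(10)])
    print(collect_and_reseed(samples).hex())
```

The threshold check is where the availability concern from the slide shows up in code: if the sources are slow, `ready()` stays false and the caller has to wait rather than reseed from too little.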
Characteristics of Cryptographically Strong PRNGs
1. Resistance to data manipulation
  o Even if an attacker manipulates the random sources, the output should not be predictable
2. Resistance to data analysis (Kerckhoffs's principle)
  o An attacker should not be able to draw any conclusions by performing analysis on input/output data
3. Protection of the internal state
  o The internal state is secret and thus should be protected from trivial attacks (e.g. scanning the OS's swap file)
4. Recovery from compromised states
  o Even if the state is compromised, the PRNG should be able to recover, thus protecting previous and future outputs
Conclusion
• PCs are by nature deterministic and thus real random output cannot be produced
• RNGs are only feasible when physical phenomena are observed
• PRNGs are fundamental blocks of any modern cryptosystem and they should be used with extreme care
• An attacker may find shortcut attacks via a system's PRNG
• The most important things regarding a PRNG are the algorithm itself and its random seed
• Randomness cannot be proven, only its absence
• The punchline for randomness in cryptography is as paranoid as everything else related to security: "You can never be sure"
Question Session
Thank you for your attention!