
A study of entropy transfers in the Linux Random Number Generator - PowerPoint PPT Presentation



  1. A study of entropy transfers in the Linux Random Number Generator
     Th. Vuillemin, F. Goichon, G. Salagnac, C. Lauradoux

  2. The need for random numbers
     Computers are built to be fully deterministic... but unpredictability is still required:
     - Cryptography
     - Security
     - Randomized algorithms
     - Scheduling
     - Networking

  3. Random numbers as an OS resource
     LRNG: Linux Random Number Generator
     - Service provided by the OS kernel
     - Shared among several (non-privileged) users
     - /dev/random and /dev/urandom
     - Essential for security-oriented software (SSH, SSL/TLS)
     - Depends on system entropy
     - Prone to entropy shortages ⇒ RNG stalls
     - May have negative impact on application performance

  4. Motivating example
     [Figure: request completion time (seconds) plotted against time]
     Response time of /dev/random for 1000 one-byte requests. Average 264 ms. Standard deviation 1.68 s.

  5. Questions
     - What is entropy anyway?
     - Why does the LRNG need it?
     - How to explain such variability in response time?
     Inria Research Report 8060, http://hal.inria.fr/hal-00738638

  6. Agenda
     1 Introduction
     2 Random Number Generation
     3 The Linux RNG
     4 Experiments
     5 Conclusion and perspectives

  7. Desirable properties of "random" numbers
     - $X$, $Y$: random variables, e.g. the result of rolling a die
     - $\Omega$: sample space, e.g. $\{1, 2, 3, 4, 5, 6\}$
     - $\mathcal{X} = \mathcal{P}(\Omega)$: event space, e.g. $X \in \{2, 4, 6\}$
     - $\{\Pr(i)\}_{i \in \mathcal{X}}$: probability law
     Uniform distribution: $\forall x \in \Omega,\ \Pr(X = x) = \frac{1}{\operatorname{card}(\Omega)}$
     Statistical independence: $\forall x, y \in \Omega,\ \Pr(X = x \mid Y = y) = \Pr(X = x)$

  8. Measuring randomness
     Shannon entropy:
     $$H(X) = -\sum_{i \in \mathcal{X}} \Pr(X = i) \log_2 \Pr(X = i)$$
     - expresses the "amount of uncertainty" contained in $X$
     - "how much information do I gain by looking at $X$"
     Caveat emptor:
     - Other entropy measures exist (e.g. Kolmogorov complexity)
     - If we don't know $\Pr$, we cannot directly apply the formula
     - Entropy estimation is a very active research topic

  9. Different types of generators
     A Random Number Generator is a computer program imitating the behaviour of a random variable.
     - PRNG: Pseudo Random Number Generator
     - CSPRNG: Cryptographically Secure Random Number Gen.
     - HRNG: Hardware Random Number Generator
     - TRNG: True Random Number Generator

  10. Deterministic generators
     PRNG: Pseudo-Random Number Generator
     - finite-state machine
     - transition function: updates internal state
     - output function: produces actual numbers
     - seed: initial internal state
     - (hopefully) good statistical properties
     CSPRNG: Cryptographically Secure PRNG
     - A PRNG with stronger statistical properties (periodicity...)

  11. Security issues
     Threat model
     - What if an attacker guesses the internal state?
     - They can predict every future output of the RNG!
     Solutions
     - choose the output function such that it's hard to reverse
     - ... or just don't be deterministic

  12. Non-deterministic generators
     HRNG: Hardware Random Number Generator
     - Based on some physical phenomenon
     - really unpredictable, but often biased
     - limited by the throughput of the entropy source
     TRNG: True Random Number Generator
     - Pseudo-Random Number Generator
     - internal state reseeded with entropy sources

  13. Agenda
     1 Introduction
     2 Random Number Generation
     3 The Linux RNG
     4 Experiments
     5 Conclusion and perspectives

  14. The Linux RNG
     Authors
     - Theodore Ts'o (1994–2005, 2012–now)
     - Matt Mackall (2005–2012)
     TRNG architecture
     - uses a CSPRNG to produce numbers
       - internal state: 6Kb
       - output function: a variant of md5
     - uses system events as entropy sources
       - opportunistic reseeding
       - hypothesis: inter-event timing is unpredictable
     - tries to keep internal state hard to guess for an attacker
     - tracks the entropy level of state over time

  15. Architecture
     [Diagram of the LRNG: entropy sources (hard drive, keyboard, mouse) feed the input pool, which feeds the blocking pool (/dev/random) and the non-blocking pool (/dev/urandom, get_random_bytes())]

  16. Output interfaces
     /dev/random
     - consumes entropy
     - in case of shortage → requests put on hold
     /dev/urandom
     - consumes entropy
     - in case of shortage → PRNG
     get_random_bytes()
     - kernel function
     - consumes entropy
     - in case of shortage → PRNG

  17. Entropy pools (internal state of the PRNGs)
     Blocking pool
     - 1Kb bitfield + entropy counter
     - supplies data for /dev/random
     Non-blocking pool
     - 1Kb bitfield + entropy counter
     - supplies data for /dev/urandom and get_random_bytes()
     Input pool
     - 4Kb bitfield + entropy counter
     - supplies data for the two other pools
     - refilled by opportunistically sampling entropy sources

  18. Entropy sources
     Callback functions exported by the LRNG to harvest entropy:
     - add_disk_randomness(): hard drive events
     - add_input_randomness(): UI events (keyboard, mouse, trackpad)
     - add_interrupt_randomness(): other hardware events (USB, device drivers)
     - add_network_randomness(): removed, deemed too vulnerable

  19. Architecture
     [Diagram of the LRNG: entropy sources (hard drive, keyboard, mouse) feed the input pool, which feeds the blocking pool (/dev/random) and the non-blocking pool (/dev/urandom, get_random_bytes())]

  20. The need for entropy estimation
     - What if an attacker controls all the callbacks?
     - What if hardware events happen to be predictable?
     - Not all system events carry uncertainty
     - Let's try to assess randomness
     - We need an entropy estimator!

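  21. The LRNG entropy estimator: detecting regularities
     $$\delta_i = t_i - t_{i-1}, \qquad \delta^2_i = \delta_i - \delta_{i-1}, \qquad \delta^3_i = \delta^2_i - \delta^2_{i-1}$$
     $$\Delta_i = \min(|\delta_i|, |\delta^2_i|, |\delta^3_i|)$$
     $$H_i = \begin{cases} 0 & \text{if } \Delta_i < 2 \\ 11 & \text{if } \Delta_i \geq 2^{12} \\ \lfloor \log_2(\Delta_i) \rfloor & \text{otherwise} \end{cases}$$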

  22. Example

     Time       1004  1012  1024  1025  1030  1041
     1st diff            8    12     1     5    11
     2nd diff                  4    11     4     6
     3rd diff                        7     7     2

     H(1041) = 1, H(1030) = 2, H(1025) = 0
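The estimator of slides 21 and 22 as runnable C, an added example that is not part of the original slides or of the kernel source. `credited_bits` and `total_credit` are hypothetical names; the first trace is the slide's, while the periodic and sparse traces are constructed to show a perfectly regular source earning no credit and the 11-bit cap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed inputs: the slide-22 timestamps, then a perfectly periodic
 * source and a widely spaced one (both invented for this example). */
static const long SLIDE[]    = {1004, 1012, 1024, 1025, 1030, 1041};
static const long PERIODIC[] = {100, 110, 120, 130, 140, 150};
static const long SPARSE[]   = {0, 5000, 15000, 35000};

/* Bits credited to event i; hypothetical helper, needs 3 earlier events. */
int credited_bits(const long *t, size_t i)
{
    if (i < 3)
        return -1;                        /* not enough history */
    long d1      = t[i] - t[i - 1];       /* delta_i */
    long d1_prev = t[i - 1] - t[i - 2];   /* delta_{i-1} */
    long d1_pp   = t[i - 2] - t[i - 3];   /* delta_{i-2} */
    long d2      = d1 - d1_prev;          /* delta^2_i */
    long d2_prev = d1_prev - d1_pp;       /* delta^2_{i-1} */
    long d3      = d2 - d2_prev;          /* delta^3_i */

    long m = labs(d1);                    /* Delta_i = min of magnitudes */
    if (labs(d2) < m) m = labs(d2);
    if (labs(d3) < m) m = labs(d3);

    if (m < 2)
        return 0;                         /* regular timing: no credit */
    if (m >= (1L << 12))
        return 11;                        /* cap from the third case */
    int bits = 0;                         /* floor(log2(m)) */
    while (m >>= 1)
        bits++;
    return bits;
}

/* Sum of credits over a whole trace of n timestamps. */
int total_credit(const long *t, size_t n)
{
    int sum = 0;
    for (size_t i = 3; i < n; i++)
        sum += credited_bits(t, i);
    return sum;
}

int main(void)
{
    for (size_t i = 3; i < 6; i++)
        printf("H(%ld) = %d\n", SLIDE[i], credited_bits(SLIDE, i));
    printf("periodic total = %d\n", total_credit(PERIODIC, 6));
    printf("sparse H = %d\n", credited_bits(SPARSE, 3));
    return 0;
}
```

The differences are kept signed, as in the slide-21 formulas, and only their magnitudes enter the minimum.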

  23. Agenda
     1 Introduction
     2 Random Number Generation
     3 The Linux RNG
     4 Experiments
     5 Conclusion and perspectives

  24. Architecture
     [Diagram of the LRNG: entropy sources (hard drive, keyboard, mouse) feed the input pool, which feeds the blocking pool (/dev/random) and the non-blocking pool (/dev/urandom, get_random_bytes())]

  25. Experimental setup
     Prototype
     - use a kernel debugger? → would kill timing
     - use printk()? → would generate disk events!
     - instrument the LRNG itself (callbacks + output functions)
     - use the netpoll API to send out UDP packets
     Studied scenarios
     - Desktop workstation: web surfing, word processing
     - File server: large file transfer
     - Computation: CPU-intensive program only
     - each experiment: one hour long

  26. Entropy harvesting
     [Pie charts of entropy harvested per source. (a) Workstation: labels disk, mouse, generic_input, keyboard; slice values 34%, 2%, 35%, 28%. (b) File server: 100%. (c) Computation: 100%.]

  27. Entropy extraction
     [Pie charts of entropy extracted per output interface; labels get_random_bytes() and /dev/urandom. (d) Workstation: slice values 48%, 52%. (e) File server: slice values 20%, 80%. (f) Computation: 100%.]

  28. Entropy consumers: Workstation
     [Pie chart; labels: [K] load_elf_binary(), [U] svn, [U] chromium-browse, [U] php5, Others; slice values: 26%, 2%, 5%, 46%, 21%]

  29. Entropy consumers: File server
     [Pie chart; labels: [K] load_elf_binary(), [U] php5, [K] inet_frag_secret_reb..., [U] apache2, Others; slice values: 15%, 2%, 5%, 6%, 72%]

  30. Entropy consumers: Computation
     [Pie chart; labels: [K] load_elf_binary(), [K] inet_frag_secret_rebuild(); slice values: 5%, 95%]

  31. Entropy level in the input pool

  32. Summary of experimental results
     - only major entropy source: the hard drive
     - /dev/random never used in practice
       - blocking read() considered too problematic by developers
       - doesn't even exist in other kernels (BSD)
       - security-oriented applications have their own CSPRNG
       - people believe that « there will soon be entropy » (true?)
     - major entropy consumer: the kernel itself
       - via get_random_bytes()
       - mostly for load_elf_binary() (i.e. ASLR)

  33. Conclusions and perspectives
     Summary
     - Study of the architecture of the LRNG
     - Measures of entropy transfers
     - Study of entropy consumers
     - see [Inria RR 8060] http://hal.inria.fr/hal-00738638
     Perspectives
     - Port experiments to diskless devices
       - Android phone, set-top box, SSD-based laptop
       - Entropy will be scarce
     - Come up with new sources of entropy in the system
       - portability? availability?
