analysis of the linux random number generator
play

Analysis of the Linux Random Number Generator Patrick Lacharme, - PowerPoint PPT Presentation

Aug 14, 2022 •116 likes •681 views

Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel, Marion Videau October 23, 2009 - Rennes Outline Random Number Generators The Linux Random Number Generator Building Blocks Entropy Estimation

  1. Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R¨ ock, Vincent Stubel, Marion Videau October 23, 2009 - Rennes

  2. Outline Random Number Generators The Linux Random Number Generator Building Blocks ◮ Entropy Estimation ◮ Mixing Function ◮ Output Function Security Discussion Conclusion

  3. Part 1 Random Number Generators

  4. Random Numbers in Computer Science Where do we need random numbers ? ◮ Simulation of randomness, e.g. Monte Carlo method ◮ Key generation (session key, main key) ◮ Protocols ◮ IV, Nonce generation ◮ Online gambling How can we generate them ? ◮ True Random Number Generators (TRNG) ◮ Pseudo Random Number Generators (PRNG) ◮ PRNG with entropy input 1/40

  5. True Random Number Generators (TRNG) : Properties : ◮ Based on physical effects ◮ Needs often post-processing ◮ Often slow ◮ Needs often extra hardware 2/40

  6. True Random Number Generators (TRNG) : Properties : ◮ Based on physical effects ◮ Needs often post-processing ◮ Often slow ◮ Needs often extra hardware Applications ◮ High security keys ◮ One-Time Pad 2/40

  7. True Random Number Generators (TRNG) : Properties : ◮ Based on physical effects ◮ Needs often post-processing ◮ Often slow ◮ Needs often extra hardware Applications ◮ High security keys ◮ One-Time Pad Examples : ◮ Coin flipping, dice ◮ Radioactive decay ◮ Thermal noise in Zener diodes ◮ Quantum random number generator 2/40

  8. Pseudo Random Number Generators (PRNG) Properties : ◮ Based on a short seed and a completely deterministic algorithm ◮ Allows theoretical analysis ◮ Can be fast ◮ Entropy not bigger than size of seed 3/40

  9. Pseudo Random Number Generators (PRNG) Properties : ◮ Based on a short seed and a completely deterministic algorithm ◮ Allows theoretical analysis ◮ Can be fast ◮ Entropy not bigger than size of seed Applications : ◮ Monte Carlo method ◮ Stream cipher 3/40

  10. Pseudo Random Number Generators (PRNG) Properties : ◮ Based on a short seed and a completely deterministic algorithm ◮ Allows theoretical analysis ◮ Can be fast ◮ Entropy not bigger than size of seed Applications : ◮ Monte Carlo method ◮ Stream cipher Examples : ◮ Linear congruential generators ◮ Blum Blum Shub generator ◮ Block cipher in counter mode ◮ Dedicated stream cipher (eSTREAM project) 3/40

  11. PRNG with Entropy Input Properties : ◮ Based on hard to predict events (entropy input) ◮ Apply deterministic algorithms ◮ Few examples of theoretical models [Barak Halevi 2005] 4/40

  12. PRNG with Entropy Input Properties : ◮ Based on hard to predict events (entropy input) ◮ Apply deterministic algorithms ◮ Few examples of theoretical models [Barak Halevi 2005] Applications : ◮ Fast creation of unpredictable keys ◮ When no additional hardware is available 4/40

  13. PRNG with Entropy Input Properties : ◮ Based on hard to predict events (entropy input) ◮ Apply deterministic algorithms ◮ Few examples of theoretical models [Barak Halevi 2005] Applications : ◮ Fast creation of unpredictable keys ◮ When no additional hardware is available Examples : ◮ Linux RNG : /dev/random ◮ Yarrow, Fortuna ◮ HAVEGE 4/40

  14. Model of a PRNG with Entropy Input entropy sources entropy deterministic extraction: output internal state RNG (re)seeding 5/40

  15. Model of a PRNG with Entropy Input entropy sources entropy deterministic extraction: output internal state RNG (re)seeding Resilience/Pseudorandom Security : The output looks random without knowledge of internal state ◮ Direct attacks : an attacker has no control on entropy inputs ◮ Known input attacks : an attacker knows a part of the entropy inputs ◮ Chosen input attacks : an attacker is able to chose a part of entropy inputs 5/40

  16. Cryptanalytic Attacks - After Compromised State Compromised state : The internal state is compromise if an attacker is able to recover a part of the internal state (for whatever reasons) [Kelsey et al. 1998] Forward security/Backtracking resistance : ◮ Earlier output looks random with knowledge of current state Backward security/Prediction resistance : ◮ Future output looks random with knowledge of current state ◮ Backward security requires frequent reseeding of the current state 6/40

  17. Same Remarks about Entropy (1) (Shannon’s) entropy is a measure of unpredictability : Average number of binary questions to guess a value Shannon’s Entropy for a probability distribution p 1 , p 2 , . . . , p n : n � H = − p i log 2 p i ≤ log 2 ( n ) i =1 Min-entropy is a worst case entropy : � � H min = − log 2 1 ≤ i ≤ n ( p i ) max ≤ H 7/40

  18. Same Remarks about Entropy (2) Collecting k bits of entropy : After processing the unknown data into a known state S 1 , an observer would have to try on average 2 k times to guess the new value of the state. Transferring k bits of entropy from state S 1 to state S 2 : After generating data from the unknowing state S 1 and mixing it into the known state S 2 an adversary would have to try on average 2 k times to guess the new value of state S 2 . By learning the generated data from S 1 an observer would increase his chance by the factor 2 k of guessing the value of S 1 . 8/40

  19. Model of [Barak Halevi 2005] State of size m Extractor for a family H of probability distributions, such that for any distribution D ∈ H and any y ∈ { 0 , 1 } m : 2 − m (1 − 2 − m ) ≤ Pr [ extr ( X D ) = y )] ≤ 2 − m (1 + 2 − m ) G is a cryptographic PRNG producing 2 m bits Supposes regular input with given minimal entropy Proven security in theory, hard to use in practice 9/40

  20. Part 2 The Linux Random Number Generator

  21. The Linux Random Number Generator Part of the Linux kernel since 1994 From Theodore Ts’o and Matt Mackall Only definition in the code (with comments) : ◮ About 1700 lines ◮ Underly changes ( www.linuxhq.com/kernel/file/drivers/char/random.c ) ◮ We refer to kernel version 2.6.30.7 Pseudo Random Number Generator (PRNG) with entropy input 10/40

  22. Analysis Previous Analysis : ◮ [Barak Halevi 2005] : Almost no mentioning of the Linux RNG ◮ [Gutterman Pinkas Reinman 2006] : They show some weaknesses of the generator which are now corrected Why a new analysis : ◮ As part of the Linux kernel, the RNG is widely used ◮ The implementation has changed in the meantime ◮ Want to give more details 11/40

  23. General Two different versions : ◮ /dev/random : Limits the number of generated bits by the estimated entropy ◮ /dev/urandom : Generates as many bits as the user asks for Two asynchronous procedures : ◮ The entropy accumulation ◮ The random number generation 12/40

  24. Structure entropy sources entropy estimation entropy counter entropy mixing counter blocking mixing output /dev/random pool input pool output nonblocking mixing output /dev/urandom pool entropy counter transfer entropy extraction random number generation Size of input pool : 128 32-bit words Size of blocking/unblocking pool : 32 32-bit words 13/40

  25. Functionality (1) Entropy input : Entropy sources : ◮ User input like keyboard and mouse movements ◮ Disk timing ◮ Interrupt timing Each event contains 3 values : ◮ A number specific to the event ◮ Cycle count ◮ Jiffies count (count of time ticks of system timer interrupt) 14/40

  26. Functionality (2) Entropy accumulation : Independent to the output generation Algorithm : ◮ Estimate entropy ◮ Mix data into input pool ◮ Increase entropy count Must be fast 15/40

  27. Functionality (3) Output generation Generates data in 80 bit steps Algorithm to generate n bytes : ◮ If not enough entropy in the pool ask input pool for n bytes ◮ If necessary, input pool generates data and mixes it into the corresponding output pool ◮ Generate random number from output pool Differences between the two version : ◮ /dev/random : Stops and waits if entropy count of its pool is 0 ◮ /dev/urandom : Leaves ≥ 128 bits of entropy in the input pool 16/40

  28. Functionality (4) Initialization : Boot process does not contain much entropy Script recommended that ◮ At shutdown : Generate data from /dev/urandom and save it ◮ At startup : Write to /dev/urandom the saved data This mixes the same data into the blocking and nonblocking pool without increasing the entropy count Problem for Live CD versions 17/40

  29. Part 3 Building Blocks

  30. The Entropy Estimation Crucial point for /dev/random Must be fast (after interrupts) Uses the jiffies differences to previous event Separate differences for user input, interrupts and disks Estimator has no direct connection to Shannon’s entropy 18/40

  31. The Entropy Estimation - The Estimator Let t A ( n ) denote the jiffies of the n ’th event of source A ∆ A t A ( n ) − t A ( n − 1) 1 ( n ) = ∆ A ∆ A 1 ( n ) − ∆ A 2 ( n ) = 1 ( n − 1) ∆ A ∆ A 2 ( n ) − ∆ A 3 ( n ) = 2 ( n − 1) � � ∆ A ( n ) | ∆ A 1 ( n ) | , | ∆ A 2 ( n ) | , | ∆ A = min 3 ( n ) | Estimated Entropy : ˆ H A ( n ) = ˆ ∆ A 1 ( n ) , ∆ A 1 ( n − 1) , ∆ A � � H 1 ( n − 2)  if ∆ A ( n ) = 0 0    ˆ H A ( n ) = if ∆ A ( n ) ≥ 2 12 11  ∆ A ( n ) � � �� log 2 otherwise   19/40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G.

A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G.

A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G. Salagnac, C. Lauradoux 1 The need for random numbers Computers are built to be fully deterministic... ...but unpredictability is still required

483 views • 33 slides
Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number generator with non-iid generator at 17 Gbps samples Tobias Gehring et al. Marco Avesani et al. 1 The need for random numbers Alice quantum Rx laser

346 views • 32 slides
How to Make a Lumpy Random Number Generator Michael A. Covington University of Georgia and

How to Make a Lumpy Random Number Generator Michael A. Covington University of Georgia and

How to Make a Lumpy Random Number Generator Michael A. Covington University of Georgia and CORAID, Inc. International Workshop on Plan 9 Athens, Georgia October 23, 2009 How would you make a random number generator with a preference

237 views • 20 slides
Links visited in class Googled the number 48271: found Lehmer random number generator,

Links visited in class Googled the number 48271: found Lehmer random number generator,

3.6 Central Limit Theorem Links visited in class Googled the number 48271: found Lehmer random number generator, random.org, random.org/decimal-fractions/, generated 100 random decimal fractions, nsm.buffalo.edu/~hassard/459/py,

203 views • 4 slides
KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline KISS random number generator Subgenerators Efficient attack New KISS and attack Conclusion PAGE 2 One approach to PRNG security "A random number generator

643 views • 25 slides
KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline q KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline q KISS random number generator

KISS: A Bit Too Simple Greg Rose ggr@qualcomm.com Outline q KISS random number generator q Subgenerators q Efficient attack q New KISS and attack q Conclusion PAGE 2 One approach to PRNG security "A random number

594 views • 26 slides
Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For example we sue random number generator to obtain session keys; to avoid key guessing If an adversary sees a sequence of session keys He/she

426 views • 16 slides
A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International Conference on Field-Programmable Logic and Applications Adriaan Peetermans, Vladimir Ro zi c and Ingrid Verbauwhede September 10, 2019 Random

370 views • 35 slides
Chapter Secure Random Number Generator Jean-Louis Roch, Grenoble University, M2-SCCI/SECR Anyone

Chapter Secure Random Number Generator Jean-Louis Roch, Grenoble University, M2-SCCI/SECR Anyone

Chapter Secure Random Number Generator Jean-Louis Roch, Grenoble University, M2-SCCI/SECR Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. -- John Von Neumann, 1951 References: NIST

599 views • 22 slides
Random Number Generator using FPGA David P erez Mart nez Centro de Investigaci on en

Random Number Generator using FPGA David P erez Mart nez Centro de Investigaci on en

Random Number Generator using FPGA David P erez Mart nez Centro de Investigaci on en Computaci on - IPN Introduction A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer.

256 views • 9 slides
A Magnetic Tunnel Junction Based True Random Number Generator with Conditional Perturb and

A Magnetic Tunnel Junction Based True Random Number Generator with Conditional Perturb and

A Magnetic Tunnel Junction Based True Random Number Generator with Conditional Perturb and Real-Time Output Probability Tracking Won Ho Choi*, Yang Lv*, Jongyeon Kim, Abhishek Deshpande, Gyuseong Kang, Jian-Ping Wang, and Chris H. Kim *equal

590 views • 18 slides
Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren

Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren

The UKs European university Real World Crypto 2018 Quam Bene Non Quantum Identifying Bias in a Commercial Quantum Random Number Generator Darren Hurley-Smith & Julio Hernandez-Castro Index Introduction Related works Aims Experimental

563 views • 11 slides
Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod August 1999 Contents 1 Introduction 3 2 Concept of Pseudo-Random Bit Generator 4 3 The Blum-Blum-Shub Generator 7 3.1 Some number-theoretic

481 views • 21 slides
Post-processing functions for a biased physical random number generator Patrick Lacharme

Post-processing functions for a biased physical random number generator Patrick Lacharme

Overview Statistical model Linear corrector Non linear corrector Systematic construction Conclusion Post-processing functions for a biased physical random number generator Patrick Lacharme Universit de Toulon, Institut de Mathmatique

282 views • 27 slides
SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of

SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of

SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of 800-90C: To construct RBGs from approved entropy sources (see SP 800-90B) and DRBG mechanisms (see SP 800-90A) o DRBGs (a.k.a. pseudorandom number

330 views • 20 slides
Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
Chapter 7. Sampling Chapter 7. Sampling methods? methods? Two types of sampling methods Two

Chapter 7. Sampling Chapter 7. Sampling methods? methods? Two types of sampling methods Two

What are the two types of sampling What are the two types of sampling Chapter 7. Sampling Chapter 7. Sampling methods? methods? Two types of sampling methods Two types of sampling methods Probability sampling: selection of random

280 views • 4 slides
Online aggrega*on & Sampling from Joins CompSci 590.02

Online aggrega*on & Sampling from Joins CompSci 590.02

Online aggrega*on & Sampling from Joins CompSci 590.02 Instructor: Ashwin Machanavajjhala Outline Online Aggrega*on Ripple Joins On the

414 views • 23 slides
Introduction to MATLAB Chapter 1 Attaway MATLAB 4E Introduction to MATLAB Very powerful

Introduction to MATLAB Chapter 1 Attaway MATLAB 4E Introduction to MATLAB Very powerful

Introduction to MATLAB Chapter 1 Attaway MATLAB 4E Introduction to MATLAB Very powerful software package Many mathematical and graphical applications Has programming constructs Also has many built-in functions Can use interactively

2k views • 29 slides
Michael J. Conroy Background and motivation (brief) Background and motivation (brief)

Michael J. Conroy Background and motivation (brief) Background and motivation (brief)

Michael J. Conroy Background and motivation (brief) Background and motivation (brief) ASDP and other approaches for optimal ASDP and other approaches for optimal harvest management Use of heuristic methods for harvest

761 views • 73 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
Parallel Data Generation for Performance Analysis of Large, Complex RDBMS Tilmann Rabl and Meikel

Parallel Data Generation for Performance Analysis of Large, Complex RDBMS Tilmann Rabl and Meikel

Parallel Data Generation for Performance Analysis of Large, Complex RDBMS Tilmann Rabl and Meikel Poess Presented by Mohammad Sadoghi Agenda Motivation Data generation for DBMS benchmarking Classification of data dependencies

459 views • 29 slides
Introduction to Political Research Session 11-Probability Sampling Lecturer: Prof. A.

Introduction to Political Research Session 11-Probability Sampling Lecturer: Prof. A.

POLI 343 Introduction to Political Research Session 11-Probability Sampling Lecturer: Prof. A. Essuman-Johnson, Dept. of Political Science Contact Information: aessuman-johnson@ug.edu.gh College of Education School of Continuing and Distance

771 views • 32 slides
SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to study the whole popula5on? A major reason studying samples rather than the

288 views • 16 slides

More recommend