because use urandom isn t everything a deep dive into
play

Because "use urandom" isnt everything: a deep dive into - PowerPoint PPT Presentation

Oct 28, 2022 •155 likes •375 views

Because "use urandom" isnt everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner azet@azet.org lambda.co.at: Highly-Available, Scalable & Secure Distributed Systems SHA2017 -

  1. Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner azet@azet.org lambda.co.at: Highly-Available, Scalable & Secure Distributed Systems SHA2017 - 06/08/2017

  3. Why do we need Random Numbers? ◮ randomize stuff in your operating system / language ◮ man rand ◮ Python: os.urandom ◮ TLS session cookies ◮ Key generation (e.g. RSA / Diffie-Hellman) ◮ TCP SYN cookies ◮ Bash: ${RANDOM} :) SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 1/1

  4. CSPRNG i ◮ “Cryptographically Secure Pseudo Random Number Generator” ◮ aka “RNG”, “Random number generator”.. ◮ Crypto nerds tend to call them “CSPRNGs” you may call them RNG or whatever, I don’t care that much as long as it’s secure! SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 2/1

  5. CSPRNG ii ◮ Widely implemented in OS kernels ◮ Linux: /dev/urandom 1. manpage man random has been wrong for years 2. many myths about kernel entropy ◮ FreeBSD: /dev/*random 1. 2. Replace the RC4 algorithm for generating in-kernel secure random numbers with Chacha20. Keep the API, though, as that is what the other *BSD’s have done. Use the boot-time entropy stash (if present) to bootstrap the in-kernel entropy source. (https:/ /svnweb.freebsd.org/base?view=revision&revision=317015 - Sun Apr 16 09:11:02 2017 UTC) ◮ Windows: RtlGenRandom() ◮ ..and in programming languages ◮ (i.e. Python os.urandom , PHP rand() ,..) ◮ some had really bad bugs for a long time (i.e. debian predictable SSH keys: CVE-2008-0166) ◮ many use the kernel provided CSPRNG, others use OpenSSL or custom RNGs - which is BAD ! ◮ OpenSSL provides a user-space RNG many link to or make use of (don’t!) ◮ Whoops: CVE-2017-11671: GCC generates incorrect code for RDRAND/RDSEED intrinsics (recent) SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 3/1

  6. Some History ◮ the /dev/random and /dev/urandom devices used to be really old code (mid-90ties) originated from Ted Tso and a few others ◮ the manpage for them was wrong until fixed in late last december! ◮ you don’t have to worry about kernel entropy - this is a myth ! ◮ HAVEGE won’t save you! it can make things worse (See: https:/ /blog.cr.yp.to/20140205-entropy.html) SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 4/1

  7. Old Linux Kernel implementation 0.x>4.x ◮ mixing different pools of interrupts ◮ quite complicated to understand even for well versed C programmers ◮ it worked without larger incidents - probably pure luck and researchers unable to read char device code ◮ old design described well here: ◮ Blog Post: https:/ /pthree.org/2014/07/21/the-linux-random-number-generator/ ◮ Academic: https:/ /eprint.iacr.org/2012/251.pdf SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 5/1

  8. curiosities in ( drivers/char/random.c ) Splevin ARX (thx to Jason Donenfeld of Wireguard) ◮ fast_mix implemented by George Splevin - never explained and no crypto experience - homebrewed ARX ◮ that code is still around - even in the upstream kernel git repo: ◮ Code here: https:/ /tinyurl.com/fastmix SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 6/1

  9. Current implementation i ◮ after long discussions and advice by crytographers the old design in random.c was changed in 4.2 ◮ based on the old pools, AES-NI (if available - modern Intel/AMD CPUs have those), ChaCha20 XOR RdSEED (via Google’s BoringSSL / Adam Langley - https:/ /marc.info/?l=linux-crypto-vger&m=146584488030185&w=2) ◮ neat design, backtracking resistant, pretty fast, too: azet@nd01 ~ % dd if=/dev/urandom of=/dev/null bs=1M count=1024 1024+0 records in 1024+0 records out 1073741824 bytes (1.1 GB) copied, 11.8289 s, 90.8 MB/s SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 7/1

  10. Current implementation ii ◮ major work overhauling crypto-code in the kernel started with Linux 4.2 ◮ Backtracking protection (https:/ /marc.info/?l=linux-crypto-vger&m=146583297126471&w=2) ◮ Ted Tso (Jun 13, 2016): With /dev/urandom we were always emitting more bytes than we had entropy available, because not blocking was considered more important. Previously we were relying on the security of SHA-1. With AES CTR-DRBG, you rely on the security with AES. (https:/ /marc.info/?l=linux-crypto-vger&m=146584488030185&w=2) ◮ Doesn’t track entropy anymore because the “CRNG” (terminology,..) is faster (https:/ /marc.info/?l=linux-crypto-vger&m=146458684806389&w=2) SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 8/1

  11. Current implementation iii ◮ random: replace urandom pool with a CRNG (https:/ /marc.info/?l=linux-crypto-vger&m=146217043829396&w=2) ◮ Nikos Mavrogiannopoulos (https:/ /marc.info/?l=linux-crypto-vger&m=146229250001030&w=2): I know, and I share this opinion. To their defense they will have to provide a call which doesn‚t make applications fail in the following scenario: 1. crypto/ssl libraries are compiled to use getrandom() because it is available in libc and and in kernel 2. everything works fine 3. the administrator downgrades the kernel to a version without getrandom() because his network card works better with that version 4. Mayhem as applications fail SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 9/1

  12. Current implementation iv ◮ random: make /dev/urandom scalable for silly userspace programs (https:/ /marc.info/?l=linux-crypto-vger&m=146583311726544&w=2): On a system with a 4 socket (NUMA) system where a large number of application threads were all trying to read from /dev/urandom, this can result in the system spending 80% of its time contending on the global urandom spinlock. The application should have used its own PRNG, but let‚s try to help it from running, lemming-like, straight over the locking cliff. SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 10/1

  13. Current implementation v ◮ Myths and lies in man 4 random finally corrected: https:/ /bugzilla.kernel.org/show_bug.cgi?id=71211&utm_content=buffer1d02b ◮ this took years of convincing the original upstream authors etc. ◮ had a huge impact on use of RNGs in programming languages etc. SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 11/1

  14. Language issues: Ruby ◮ using OpenSSL RNG designed for fast TLS use, not general purpose ◮ multiple security engineers and cryptographers tried to convince them to switch to /dev/urandom ◮ took more than a year but finally they implemented a similar design to libsodium (I’ve made a T -Shirt!) ◮ SecureRandom without OpenSSL (or compatible alternatives) is nonsense. ◮ Please don't rude. ◮ Legendary bug: https:/ /bugs.ruby-lang.org/issues/9569 ◮ Tony Arcieri (@bascule) wrote a wrapper for the time being: https:/ /github.com/cryptosphere/sysrandom SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 12/1

  15. Language issues: Node.js ◮ similar story to Ruby ◮ lots of input from normal users (useless) ◮ https:/ /github.com/nodejs/node/issues/5798 (endless thread) ◮ Latest comment: ‘Note that OpenSSL has just landed a commit to use DRGB with AES-CTR of NIST SP 800-90A as openssl/openssl@75e2c87. We can use it with the os-specific seeding source (e.g. /dev/urandom) by a default define flag of OPENSSL_RAND_SEED_OS. I think it is best for us to wait for the next release of OpenSSL-1.1.1. “ SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 13/1

  16. Language issues: Erlang ◮ same as Ruby and Node.js ◮ https:/ /github.com/erlang/otp/blob/maint/lib/crypto/c_src/crypto.c SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 14/1

  17. Python imrprovement ◮ warns if there’re insecure values: https:/ /bugs.python.org/issue27292 SHA2017 - 06/08/2017 Because "use urandom" isn’t everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner 15/1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Because "use urandom" isnt everything: a deep dive into CSPRNGs in Operating Systems

Because "use urandom" isnt everything: a deep dive into CSPRNGs in Operating Systems

Because "use urandom" isnt everything: a deep dive into CSPRNGs in Operating Systems & Programming Languages Aaron Zauner azet@azet.org lambda.co.at: Highly-Available, Scalable & Secure Distributed Systems hack.lu 2017 -

486 views • 19 slides
DEEP DIVE DEEP DIVE INT INTO O SEO SEO Private and Confidential. Property of Whereoware, LLC.

DEEP DIVE DEEP DIVE INT INTO O SEO SEO Private and Confidential. Property of Whereoware, LLC.

DEEP DIVE DEEP DIVE INT INTO O SEO SEO Private and Confidential. Property of Whereoware, LLC. MEET THE SPEAKERS TEYA TUCCIO-FLICK CHRISTINA DAVES Partner, Search and Analytics Founder Whereoware PR for Anyone DEEP DIVE INTO SEO 2

729 views • 54 slides
DataPower DataPower-MQ Integration MQ Integration Deep Dive Deep Dive Robin Wiley (Robin

DataPower DataPower-MQ Integration MQ Integration Deep Dive Deep Dive Robin Wiley (Robin

DataPower DataPower-MQ Integration MQ Integration Deep Dive Deep Dive Robin Wiley (Robin Wiley Training) Capitalware's MQ Technical Conference v2.0.1.6 Your Presenter: Robin Wiley Senior Instructor, IBM Messaging Products MQ

457 views • 35 slides
RTGEN (AGC) & ICCP Deep Dive February 23, 2012 Shari Brown and Matt Beck CBA Project Staff

RTGEN (AGC) & ICCP Deep Dive February 23, 2012 Shari Brown and Matt Beck CBA Project Staff

RTGEN (AGC) & ICCP Deep Dive February 23, 2012 Shari Brown and Matt Beck CBA Project Staff Section 1 INTRODUCTION: RTGEN (AGC) AND ICCP DISCUSSION TOPICS 3 RTGEN (AGC) and ICCP Deep Dive for CBA This Deep Dive will provide details for

784 views • 27 slides
A Deep Dive into the Dark Web Coen Schuijt UvA OS3 February 5 th , 2019 February 5 th , 2019

A Deep Dive into the Dark Web Coen Schuijt UvA OS3 February 5 th , 2019 February 5 th , 2019

A Deep Dive into the Dark Web Coen Schuijt UvA OS3 February 5 th , 2019 February 5 th , 2019 Coen Schuijt (UvA OS3) A Deep Dive into the Dark Web 1 / 28 Outline 1 Introduction Related work Research Questions 2 Methodologies Surface

473 views • 28 slides
Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda

Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda

Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda Preliminary Financial Timeline Financial Model Deep Dive Benchmark Prospective Benchmark Example Example Discount Calculations Risk

917 views • 28 slides
A Deep Dive into the kude@ga.co Shi Oku

A Deep Dive into the kude@ga.co Shi Oku

Stes Bais sen.bais@ga.co Kut el A Deep Dive into the kude@ga.co Shi Oku Interprocedural

1.48k views • 91 slides
Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of

Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of

Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of terrorism in the Middle East + Interactive Data Visualization + Interactive Data Deep Dive Prior Work Static visualization No interactivity

242 views • 6 slides
2019 System Goals Deep-Dive Data Carmelo Barbaro Executive Director, Poverty Lab Urban Labs,

2019 System Goals Deep-Dive Data Carmelo Barbaro Executive Director, Poverty Lab Urban Labs,

2019 System Goals Deep-Dive Data Carmelo Barbaro Executive Director, Poverty Lab Urban Labs, University of Chicago Data Deep Dive System Goal 2: Reduce the time people remain homeless. System Goal 3: Homeless dedicated units should all be

419 views • 13 slides
Using the Assessment Findings to Dive Headfirst into the Deep End St. Louis City May 11, 2015

Using the Assessment Findings to Dive Headfirst into the Deep End St. Louis City May 11, 2015

NO PLACE FOR KIDS Using the Assessment Findings to Dive Headfirst into the Deep End St. Louis City May 11, 2015 Prepared with Support From: Juvenile Justice Strategy Group INTERVIEWS & SURVEYS DATA ANALYSES

593 views • 42 slides
Demystifying the transition Deep Dive of the Transitional Provisions Trademarks Branch

Demystifying the transition Deep Dive of the Transitional Provisions Trademarks Branch

Demystifying the transition Deep Dive of the Transitional Provisions Trademarks Branch Canadian Intellectual Property Office IPIC Conference October 12, 2018 Fairmont Chateau Laurier, Ottawa, Ontario (Source: Brand Canada) Building a

769 views • 43 slides
2019 CoC System Goals Deep-Dive for r Goal 1 Laura Bass, Director of Programs, Facing Forward to

2019 CoC System Goals Deep-Dive for r Goal 1 Laura Bass, Director of Programs, Facing Forward to

2019 CoC System Goals Deep-Dive for r Goal 1 Laura Bass, Director of Programs, Facing Forward to End Homelessness Carmelo Barbaro, Executive Director, Poverty Lab, University of Chicago 2019 CoC System Goals Deep-Dive for Goal 1 Goal 1

285 views • 7 slides
offMetro Deep Dive and Strategic Analysis TEAM TWO FAB FOUR LAUREN BETHEA MACKENZIE

offMetro Deep Dive and Strategic Analysis TEAM TWO FAB FOUR LAUREN BETHEA MACKENZIE

offMetro Deep Dive and Strategic Analysis TEAM TWO FAB FOUR LAUREN BETHEA MACKENZIE CLAPPERTON BRITTANY NAUMAN CLARISSA TORRES Objectives: Develop Strategies to Grow Readership Based on an understanding of industry standards and

360 views • 17 slides
SCE 2018 GRC Deep Dive on SCE T estimony on Poles November 2, 2016 1 Summary Pole

SCE 2018 GRC Deep Dive on SCE T estimony on Poles November 2, 2016 1 Summary Pole

SCE 2018 GRC Deep Dive on SCE T estimony on Poles November 2, 2016 1 Summary Pole inspection, assessment, maintenance, and replacement continue to be a major focus for SCE given: Their impact on public and worker safety Their

841 views • 32 slides
Deep Dive Strengthening practice and addressing industry challenges January 29, 2018 1 Thank

Deep Dive Strengthening practice and addressing industry challenges January 29, 2018 1 Thank

Impact Measurement & Management Deep Dive Strengthening practice and addressing industry challenges January 29, 2018 1 Thank you for joining us today! Please note: All participants are muted. Use the chat function to submit

432 views • 32 slides
Concurrent & Multicore OCaml: A deep dive KC Sivaramakrishnan 1 & Stephen Dolan 1 Leo

Concurrent & Multicore OCaml: A deep dive KC Sivaramakrishnan 1 & Stephen Dolan 1 Leo

Concurrent & Multicore OCaml: A deep dive KC Sivaramakrishnan 1 & Stephen Dolan 1 Leo White 2 , Jeremy Yallop 1,3 , Armal Guneau 4 , Anil Madhavapeddy 1,3 1 2 3 4 Concurrency Parallelism Concurrency Programming technique

859 views • 52 slides
TPP As 10-second intro, my name is Sid Klein and am a member of the financial community since

TPP As 10-second intro, my name is Sid Klein and am a member of the financial community since

TPP As 10-second intro, my name is Sid Klein and am a member of the financial community since 1982. Apart from financial reports, I have also written a great deal on our political annexation, accurately forecasting since 2003 those actions and

203 views • 4 slides
Lea earnin ing En g Enric ichmen hment t & D & Dis isabil ilit ity y Ser ervic

Lea earnin ing En g Enric ichmen hment t & D & Dis isabil ilit ity y Ser ervic

Lea earnin ing En g Enric ichmen hment t & D & Dis isabil ilit ity y Ser ervic ices es Overview Intr troductions oductions Ex Expe pectations ctations Log ogistics stics First Session Tut utoring

862 views • 34 slides
Polar Knowledge Canada Collaborating for the Future Canadas Polar Agency An Integrated

Polar Knowledge Canada Collaborating for the Future Canadas Polar Agency An Integrated

Polar Knowledge Canada Collaborating for the Future Canadas Polar Agency An Integrated Research and Monitoring Plan May 10th, 2016 Yellowknife, Northwest Territories What is Polar Knowledge Canada? A innovative Government of Canada

550 views • 21 slides
COEL & ILO TVET Reform Project COEL One stop skill solution for leather sector Centre of

COEL & ILO TVET Reform Project COEL One stop skill solution for leather sector Centre of

COEL & ILO TVET Reform Project COEL One stop skill solution for leather sector Centre of Excellence for Leather Skill Bangladesh Limited ( COEL) the first legal entity of its kind in the Country. An initiative of Industry Skills Council

364 views • 24 slides
Parents Forum Presentation, 13.3.19 The Student Learning Forum currently comprises of

Parents Forum Presentation, 13.3.19 The Student Learning Forum currently comprises of

Parents Forum Presentation, 13.3.19 The Student Learning Forum currently comprises of eight Year 10 students who made successful applications as part of the schools leadership programme. These are; Ellie Jackson, Grace

399 views • 6 slides
1 Deep Reinforcement Learning Qianqian Li, Nayeon Koong, Langtian He What is deep reinforcement

1 Deep Reinforcement Learning Qianqian Li, Nayeon Koong, Langtian He What is deep reinforcement

1 Deep Reinforcement Learning Qianqian Li, Nayeon Koong, Langtian He What is deep reinforcement learning? Agent/Actor + Action + Environment + State + Reward How does reinforcement learning work?

792 views • 31 slides
Moscow Farmers Market! Who We Are Who We Are 40 year old market (est. 1977) Oldest

Moscow Farmers Market! Who We Are Who We Are 40 year old market (est. 1977) Oldest

Welcome to the Moscow Farmers Market! Who We Are Who We Are 40 year old market (est. 1977) Oldest farmers market in the State of Idaho First in Idaho to accept EBT ($9,000+ $3,796 Fresh Bucks = $13,119) First in Idaho to accept

316 views • 30 slides
Canada Outlook Jonathon Driedger Senior Market Analyst FarmLink Marketing Solutions 110-93

Canada Outlook Jonathon Driedger Senior Market Analyst FarmLink Marketing Solutions 110-93

Canada Outlook Jonathon Driedger Senior Market Analyst FarmLink Marketing Solutions 110-93 Lombard Ave. Winnipeg, Manitoba Canada R3B 3B1 Phone 1.204.612.3160 jonathon.driedger@farmlinksolutions.ca Largest Grain Marketing consulting service

439 views • 15 slides

More recommend