how not to generate random numbers
play

How not to generate random numbers Nadia Heninger University of - PowerPoint PPT Presentation

Jun 23, 2023 •133 likes •845 views

How not to generate random numbers Nadia Heninger University of Pennsylvania June 15, 2018 A crash course in cryptographic protocols AES k ( m ) A crash course in cryptographic protocols g a g b AES k ( m ) k = KDF( g ab ) k = KDF( g ab ) A

  1. How not to generate random numbers Nadia Heninger University of Pennsylvania June 15, 2018

  2. A crash course in cryptographic protocols AES k ( m )

  3. A crash course in cryptographic protocols g a g b AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  4. A crash course in cryptographic protocols g a g b RSApub B , Sign B ( g a , g b ) AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  5. A crash course in cryptographic protocols random r a , g a random r b , g b RSApub B , Sign B ( g a , g b , r a , r b ) AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  6. A crash course in cryptographic protocols random r a , g a random r b , g b RSApub B , Sign B ( g a , g b , r a , r b ) AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  7. “Any one who considers arithmetical methods of pro- ducing random digits is, of course, in a state of sin.” –John von Neumann

  8. Cryptographic pseudorandomness in theory Definition A pseudorandom generator is a polynomial-time deterministic function G mapping n -bit strings into ℓ ( n ) -bit strings for ℓ ( n ) ≥ n whose output distribution G ( U n ) is computationally indistinguishable from the uniform distribution U ℓ ( n ) . Environmental Crypto keys G entropy

  9. Cryptographic pseudorandomness in theory Definition A pseudorandom generator is a polynomial-time deterministic function G mapping n -bit strings into ℓ ( n ) -bit strings for ℓ ( n ) ≥ n whose output distribution G ( U n ) is computationally indistinguishable from the uniform distribution U ℓ ( n ) . Environmental Crypto keys G entropy Problem: Environmental entropy not uniformly distributed.

  10. Cryptographic pseudorandomness in theory Definition A pseudorandom generator is a polynomial-time deterministic function G mapping n -bit strings into ℓ ( n ) -bit strings for ℓ ( n ) ≥ n whose output distribution G ( U n ) is computationally indistinguishable from the uniform distribution U ℓ ( n ) . Environmental Crypto keys Extractor G entropy

  11. NIST SP800-90A “Random Number Generation using Deterministic Random Bit Generators”

  12. Practical Considerations with RNGs • Problem: Inputs might not be random.

  13. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness.

  14. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible.

  15. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can?

  16. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: I nputs might be controlled by attacker.

  17. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: I nputs might be controlled by attacker. Solution: Seed from a variety of sources and hope attacker doesn ’ t control everything.

  18. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: I nputs might be controlled by attacker. Solution: Seed from a variety of sources and hope attacker doesn ’ t control everything. • Problem: User might request output before seeding.

  19. Practical Considerations with RNGs • Problem: I nputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: I nputs might be controlled by attacker. Solution: Seed from a variety of sources and hope attacker doesn ’ t control everything. • Problem: User might request output before seeding. Possible solutions: 1. Don ’ t provide output. 2. Provide output. 3. Raise an error fl ag.

  20. Disaster 1: Debian OpenSSL Luciano Bello, 2008 When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability Yilek, Rescorla, Shacham, Enright, Savage. (2009) Underlying cause: Failure to seed PRNG.

  21. OpenSSL PRNG • Seed: /dev/urandom , pid, time() • Update: time() (in seconds) • Mixing function: SHA-1 • Output: SHA-1 hash of state.

  22. /* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE] * are what we will use now, but other threads may use them * as well */ md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_init(&m); for (i=0; i<num; i+=MD_DIGEST_LENGTH) { j=(num-i); j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j; MD_Init(&m); MD_Update(&m,local_md,MD_DIGEST_LENGTH); k=(st_idx+j)-STATE_SIZE; if (k > 0) { MD_Update(&m,&(state[st_idx]),j-k); MD_Update(&m,&(state[0]),k); } else MD_Update(&m,&(state[st_idx]),j); MD_Update(&m,buf,j); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); MD_Final(&m,local_md); md_c[1]++; buf=(const char *)buf + j; for (k=0; k<j; k++) { /* Parallel threads may interfere with this, * but always each byte of the new state is * the XOR of some previous value of its * and local_md (itermediate values may be lost).

  23. List: openssl-dev Subject: Random number generator, uninitialised data and valgrind. From: Kurt Roeckx <kurt () roeckx ! be> Date: 2006-05-01 19:14:00 Hi, When debbuging applications that make use of openssl using valgrind, it can show alot of warnings about doing a conditional jump based on an unitialised value. Those unitialised values are generated in the random number generator. It’s adding an unintialiased buffer to the pool. The code in question that has the problem are the following 2 pieces of code in crypto/rand/md_rand.c: 247: MD_Update(&m,buf,j); 467: #ifndef PURIFY MD_Update(&m,buf,j); /* purify complains */ #endif ... What I currently see as best option is to actually comment out those 2 lines of code. But I have no idea what effect this really has on the RNG. The only effect I see is that the pool might receive less entropy. But on the other hand, I’m not even sure how much entropy some unitialised data has. What do you people think about removing those 2 lines of code? Kurt

  24. Defenses • Possible to automatically detect unseeded PRNGs in source code in some circumstances. [Dörre Klebanov 2016] • How to make more rigorous?

  25. Disaster 2: Shared RSA factors Mining your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman Usenix Security 2012 Public Keys Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter Crypto 2012 Weak keys remain widespread in network devices Marcella Hastings, Joshua Fried, and Nadia Heninger IMC 2016 Underlying cause: Failure to seed PRNG.

  26. RSA and factoring Public Key Private Key ( p , q , d ≡ e − 1 mod ( p − 1 )( q − 1 )) ( N = pq , e )

  27. RSA and factoring Public Key Private Key ( p , q , d ≡ e − 1 mod ( p − 1 )( q − 1 )) ( N = pq , e ) I f two RSA moduli share a common factor, N 1 = pq 1 N 2 = pq 2

  28. RSA and factoring Public Key Private Key ( p , q , d ≡ e − 1 mod ( p − 1 )( q − 1 )) ( N = pq , e ) I f two RSA moduli share a common factor, N 1 = pq 1 N 2 = pq 2 gcd( N 1 , N 2 ) = p You can factor both keys with GCD algorithm. Time to factor Time to calculate GCD 768-bit RSA modulus: for 1024-bit RSA moduli: 15 µ s 2.5 calendar years [Kleinjung et al. 2010]

  29. Should we expect to fi nd prime collisions in the wild? Experiment: Compute GCD of each pair of M RSA moduli randomly chosen from P primes. What should happen? Nothing.

  30. Should we expect to fi nd prime collisions in the wild? Experiment: Compute GCD of each pair of M RSA moduli randomly chosen from P primes. What should happen? Nothing. Birthday bound: Prime Number Theorem: Pr[ nontrivial gcd ] ≈ 1 − e − 2 M 2 / P ∼ 10 150 512-bit primes Earth’s population #atoms in Earth #atoms in universe P[nontrivial gcd] 1 0 1 10 20 10 40 10 60 10 80 10 100 #moduli M

  31. What happened when we GCDed RSA keys in 2012? Computed private keys for • 64,081 HTTPS servers (0.50%). • 2,459 SSH servers (0.03%). • 2 PGP users (and a few hundred invalid keys).

  32. What happened when we GCDed RSA keys in 2012? Computed private keys for • 64,081 HTTPS servers (0.50%). • 2,459 SSH servers (0.03%). • 2 PGP users (and a few hundred invalid keys). What has happened since? • 103 Taiwanese citizen smart card keys [Bernstein, Chang, Cheng, Chou, Heninger, Lange, van Someren 2013] • 90 export-grade HTTPS keys. [Albrecht, Papini, Paterson, Villanueva-Polanco 2015] • 313,330 HTTPS, SSH, I MAPS, POP3S, SMTPS keys [Hastings Fried Heninger 2016] • 3,337 Tor relay RSA keys. [Kadianakis, Roberts, Roberts, Winter 2017]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How not to generate random numbers Nadia Heninger University of Pennsylvania May 13, 2015

How not to generate random numbers Nadia Heninger University of Pennsylvania May 13, 2015

How not to generate random numbers Nadia Heninger University of Pennsylvania May 13, 2015 Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq modulus p , q primes e encryption d decryption exponent ( d = e 1 mod ( p

716 views • 69 slides
Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
STA 326 2.0 Programming and Data Analysis with R Generating Random Numbers Using the Inverse

STA 326 2.0 Programming and Data Analysis with R Generating Random Numbers Using the Inverse

STA 326 2.0 Programming and Data Analysis with R Generating Random Numbers Using the Inverse Transform Method Prepared by Dr Thiyanga Talagala 1. Probability distribution functions in R to generate random num- bers rbeta beta

281 views • 12 slides
Simulation Random numbers Random numbers Anyone who considers arithmetic methods of

Simulation Random numbers Random numbers Anyone who considers arithmetic methods of

Simulation Random numbers Random numbers Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin , John v. Neumann Only seemingly random (pseudo random numbers) are used in simulation

502 views • 32 slides
Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers. We make do with pseudo-random numbers, which are good enough. The pseudo-random generation algorithm is given a seed value. The same seed will always

331 views • 12 slides
Generation Stephen Booth David Henty Introduction Random numbers are frequently used in many

Generation Stephen Booth David Henty Introduction Random numbers are frequently used in many

Random Number Generation Stephen Booth David Henty Introduction Random numbers are frequently used in many types of computer simulation Frequently as part of a sampling process: Generate a representative sample of a large

311 views • 28 slides
CPSC 531: Random Numbers Jonathan Hudson Department of Computer Science University of Calgary

CPSC 531: Random Numbers Jonathan Hudson Department of Computer Science University of Calgary

CPSC 531: Random Numbers Jonathan Hudson Department of Computer Science University of Calgary http://www.ucalgary.ca/~hudsonj/531F17 Introduction In simulations, we generate random values for variables with a specified distribution

384 views • 26 slides
Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8

Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8

Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8 in Law and book by Devroye (watch for typos) Acceptance-Rejection Convolution Method Composition Method Peter J. Haas Alias Method Random

228 views • 6 slides
Introduction to Programming Random numbers Mathematical libraries Waseda University

Introduction to Programming Random numbers Mathematical libraries Waseda University

Introduction to Programming Random numbers Mathematical libraries Waseda University Todays topics How to use pseudorandom numbers. #include Initialization Random integer numbers Random real numbers How to use mathematical

521 views • 14 slides
Generating random primes faster The standard algorithm to generate random primes: D. J.

Generating random primes faster The standard algorithm to generate random primes: D. J.

1 2 Generating random primes faster The standard algorithm to generate random primes: D. J. Bernstein proof.arithmetic(False) while True: pqRSA project team: p = randrange(2^(n-1),2^n) Daniel J. Bernstein p = ZZ(p) Josh Fried if

826 views • 14 slides
Random numbers are used to simulate uncertain events Some problems in science and technology are

Random numbers are used to simulate uncertain events Some problems in science and technology are

Random numbers are used to simulate uncertain events Some problems in science and technology are desrcribed by INF1100 Lectures, Chapter 8: exact mathematics, leading to precise results Random Numbers and Simple Games Examples:

361 views • 10 slides
Random Numbers Computational Randomness is Hard The best known academic computer scientist at

Random Numbers Computational Randomness is Hard The best known academic computer scientist at

Eric Roberts Handout #23 CS 106A January 22, 2010 Random Numbers Computational Randomness is Hard The best known academic computer scientist at Random Numbers Stanfordand probably in the worldis Don Knuth, who has now been retired for

56 views • 4 slides
Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For example we sue random number generator to obtain session keys; to avoid key guessing If an adversary sees a sequence of session keys He/she

426 views • 16 slides
The independence numbers and the chromatic numbers of random subgraphs of Knesers graphs and

The independence numbers and the chromatic numbers of random subgraphs of Knesers graphs and

The independence numbers and the chromatic numbers of random subgraphs of Knesers graphs and their generalizations Andrei Raigorodskii Moscow Institute of Physics and Technology, Yandex, Moscow, Russia Shanghai, China, 26.03.2017 A.

837 views • 56 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
s r rs rrs

s r rs rrs

s r rs rrs rs s s s Pttr t ,

264 views • 11 slides
Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax

Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax

1 Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax Workshop, CERN, Geneva, July 2016 2 What do we want? Sequences of numbers that look random. 2 What do we want? Sequences of numbers that look

1.31k views • 128 slides
Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Why do we need random numbers? Simulation Sampling Numerical analysis Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually:

157 views • 5 slides
Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and

CSS441 Random Numbers Principles PRNGs Pseudo-Random Numbers and Stream PRNG+Block Ciphers Stream Ciphers RC4 CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven

460 views • 24 slides
Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod August 1999 Contents 1 Introduction 3 2 Concept of Pseudo-Random Bit Generator 4 3 The Blum-Blum-Shub Generator 7 3.1 Some number-theoretic

481 views • 21 slides
Cryptography and Network Random Number Generation Security The comparatively late rise of the

Cryptography and Network Random Number Generation Security The comparatively late rise of the

4/19/2010 Chapter 7 Stream Ciphers and Cryptography and Network Random Number Generation Security The comparatively late rise of the theory of Chapter 7 probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as

72 views • 4 slides
Random numbers and Monte Carlo methods Randomness What types of problems can we solve with the

Random numbers and Monte Carlo methods Randomness What types of problems can we solve with the

Random numbers and Monte Carlo methods Randomness What types of problems can we solve with the help of random numbers? We can compute (potentially) complicated averages: 1. Where does the average web surfer end up? (PageRank) 2. How

566 views • 17 slides
Predictably Random James Roper Atlassian The Perils of Psuedorandom numbers in Web Security

Predictably Random James Roper Atlassian The Perils of Psuedorandom numbers in Web Security

Predictably Random James Roper Atlassian The Perils of Psuedorandom numbers in Web Security Opinions on PRNG the problem was that it was predictable due to the seeding either not happening or the seed value being recoverable So just

461 views • 43 slides

More recommend