random number generation failures from netscape to duhk
play

Random number generation failures from Netscape to DUHK Nadia - PowerPoint PPT Presentation

Jan 09, 2024 •345 likes •1.06k views

Random number generation failures from Netscape to DUHK Nadia Heninger University of Pennsylvania June 18, 2018 A cartoon cryptographic communication protocol AES k ( m ) A cartoon cryptographic communication protocol g a g b AES k ( m ) k =

  1. Random number generation failures from Netscape to DUHK Nadia Heninger University of Pennsylvania June 18, 2018

  2. A cartoon cryptographic communication protocol AES k ( m )

  3. A cartoon cryptographic communication protocol g a g b AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  4. A cartoon cryptographic communication protocol g a g b RSApub B , Sign B ( g a , g b ) AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  5. A cartoon cryptographic communication protocol random r a , g a random r b , g b RSApub B , Sign B ( g a , g b , r a , r b ) AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  6. A cartoon cryptographic communication protocol random r a , g a random r b , g b RSApub B , Sign B ( g a , g b , r a , r b ) AES k ( m ) k = KDF( g ab ) k = KDF( g ab )

  7. “Any one who considers arithmetical methods of pro- ducing random digits is, of course, in a state of sin.” –John von Neumann

  8. Cryptographic pseudorandomness in theory Definition A pseudorandom generator is a polynomial-time deterministic function G mapping n -bit strings into ℓ ( n ) -bit strings for ℓ ( n ) ≥ n whose output distribution G ( U n ) is computationally indistinguishable from the uniform distribution U ℓ ( n ) . Environmental Crypto keys G entropy

  9. Cryptographic pseudorandomness in theory Definition A pseudorandom generator is a polynomial-time deterministic function G mapping n -bit strings into ℓ ( n ) -bit strings for ℓ ( n ) ≥ n whose output distribution G ( U n ) is computationally indistinguishable from the uniform distribution U ℓ ( n ) . Environmental Crypto keys G entropy Problem: Environmental entropy not uniformly distributed.

  10. Cryptographic pseudorandomness in theory Definition A pseudorandom generator is a polynomial-time deterministic function G mapping n -bit strings into ℓ ( n ) -bit strings for ℓ ( n ) ≥ n whose output distribution G ( U n ) is computationally indistinguishable from the uniform distribution U ℓ ( n ) . Environmental Crypto keys Extractor G entropy

  11. NIST SP800-90A “Random Number Generation using Deterministic Random Bit Generators”

  12. Practical Considerations with RNGs • Problem: Inputs might not be random.

  13. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness.

  14. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible.

  15. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can?

  16. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: Inputs might be controlled by attacker.

  17. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: Inputs might be controlled by attacker. Solution: Seed from a variety of sources and hope attacker doesn’t control everything.

  18. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: Inputs might be controlled by attacker. Solution: Seed from a variety of sources and hope attacker doesn’t control everything. • Problem: How often do you reseed?

  19. Practical Considerations with RNGs • Problem: Inputs might not be random. Solution: Test for randomness. • Problem: Testing for randomness is theoretically impossible. Solution: ... do as well as you can? • Problem: Inputs might be controlled by attacker. Solution: Seed from a variety of sources and hope attacker doesn’t control everything. • Problem: How often do you reseed? Possible solutions: 1. On every new input. 2. After k inputs accumulated in input pools. 3. After ℓ blocks of outputs requested.

  20. Practical considerations with RNGs . . . that don’t make sense in theory. • Problem: User might not seed PRNG.

  21. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG.

  22. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG. • Problem: User might request output before seeding RNG.

  23. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG. • Problem: User might request output before seeding RNG. Possible solutions: 1. Don ’ t provide output. 2. Provide output. 3. Raise an error fl ag.

  24. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG. • Problem: User might request output before seeding RNG. Possible solutions: 1. Don ’ t provide output. 2. Provide output. 3. Raise an error fl ag. • Problem: RNG is seeded with low entropy inputs.

  25. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG. • Problem: User might request output before seeding RNG. Possible solutions: 1. Don ’ t provide output. 2. Provide output. 3. Raise an error fl ag. • Problem: RNG is seeded with low entropy inputs. Solution: Seed with high entropy inputs.

  26. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG. • Problem: User might request output before seeding RNG. Possible solutions: 1. Don ’ t provide output. 2. Provide output. 3. Raise an error fl ag. • Problem: RNG is seeded with low entropy inputs. Solution: Seed with high entropy inputs. • Problem: User might use fl awed or backdoored PRNG design.

  27. Practical considerations with RNGs . . . that don ’ t make sense in theory. • Problem: User might not seed PRNG. Solution: Seed the PRNG. • Problem: User might request output before seeding RNG. Possible solutions: 1. Don ’ t provide output. 2. Provide output. 3. Raise an error fl ag. • Problem: RNG is seeded with low entropy inputs. Solution: Seed with high entropy inputs. • Problem: User might use fl awed or backdoored PRNG design. Solution: Don ’ t use vulnerable designs.

  28. Disaster 1: Debian OpenSSL Luciano Bello, 2008 When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability Yilek, Rescorla, Shacham, Enright, Savage. (2009) Problem: User might not seed PRNG. Solution: Seed the PRNG.

  29. OpenSSL PRNG cryptographic keys SHA-1 OpenSSL PRNG pid endianness word size time Linux PRNG

  30. /* state[st_idx], ..., state[(st_idx + num - 1) % STATE_SIZE] * are what we will use now, but other threads may use them * as well */ md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); EVP_MD_CTX_init(&m); for (i=0; i<num; i+=MD_DIGEST_LENGTH) { j=(num-i); j=(j > MD_DIGEST_LENGTH)?MD_DIGEST_LENGTH:j; MD_Init(&m); MD_Update(&m,local_md,MD_DIGEST_LENGTH); k=(st_idx+j)-STATE_SIZE; if (k > 0) { MD_Update(&m,&(state[st_idx]),j-k); MD_Update(&m,&(state[0]),k); } else MD_Update(&m,&(state[st_idx]),j); MD_Update(&m,buf,j); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); MD_Final(&m,local_md); md_c[1]++; buf=(const char *)buf + j; for (k=0; k<j; k++) { /* Parallel threads may interfere with this, * but always each byte of the new state is * the XOR of some previous value of its * and local_md (itermediate values may be lost).

  31. List: openssl-dev Subject: Random number generator, uninitialised data and valgrind. From: Kurt Roeckx <kurt () roeckx ! be> Date: 2006-05-01 19:14:00 Hi, When debbuging applications that make use of openssl using valgrind, it can show alot of warnings about doing a conditional jump based on an unitialised value. Those unitialised values are generated in the random number generator. It’s adding an unintialiased buffer to the pool. The code in question that has the problem are the following 2 pieces of code in crypto/rand/md_rand.c: 247: MD_Update(&m,buf,j); 467: #ifndef PURIFY MD_Update(&m,buf,j); /* purify complains */ #endif ... What I currently see as best option is to actually comment out those 2 lines of code. But I have no idea what effect this really has on the RNG. The only effect I see is that the pool might receive less entropy. But on the other hand, I’m not even sure how much entropy some unitialised data has. What do you people think about removing those 2 lines of code? Kurt

  32. Debian OpenSSL weak keys, 2006 – 2008 cryptographic keys OpenSSL PRNG pid endianness word size Estimated > 1 % of HTTPS hosts a ff ected at disclosure time.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Stochastic Simulation Random number generation Bo Friis Nielsen Applied Mathematics and Computer

Stochastic Simulation Random number generation Bo Friis Nielsen Applied Mathematics and Computer

Stochastic Simulation Random number generation Bo Friis Nielsen Applied Mathematics and Computer Science Technical University of Denmark 2800 Kgs. Lyngby Denmark Email: bfn@imm.dtu.dk Random number generation Random number generation

537 views • 38 slides
Stochastic Simulation Random number generation Bo Friis Nielsen Applied Mathematics and Computer

Stochastic Simulation Random number generation Bo Friis Nielsen Applied Mathematics and Computer

Stochastic Simulation Random number generation Bo Friis Nielsen Applied Mathematics and Computer Science Technical University of Denmark 2800 Kgs. Lyngby Denmark Email: bfn@imm.dtu.dk Random number generation Random number generation

464 views • 18 slides
Chapter 7 Random-Number Generation Banks, Carson, Nelson &amp; Nicol Discrete-Event System

Chapter 7 Random-Number Generation Banks, Carson, Nelson &amp; Nicol Discrete-Event System

Chapter 7 Random-Number Generation Banks, Carson, Nelson &amp; Nicol Discrete-Event System Simulation Purpose &amp; Overview Discuss the generation of random numbers. Introduce the subsequent testing for randomness: Frequency test

440 views • 24 slides
Random Number Generation Using Normal Numbers Michael Mascagni 1 and F . Steve Brailsford 2

Random Number Generation Using Normal Numbers Michael Mascagni 1 and F . Steve Brailsford 2

Random Number Generation Using Normal Numbers Random Number Generation Using Normal Numbers Michael Mascagni 1 and F . Steve Brailsford 2 Department of Computer Science 1 , 2 Department of Mathematics 1 Department of Scientific Computing 1

1.15k views • 104 slides
FPGA-based True Random Number Generation using Circuit

FPGA-based True Random Number Generation using Circuit

FPGA-based True Random Number Generation using Circuit Meta-stability with Adaptive Feedback Control Mehrdad Majzoobi 1 , Farinaz Koushanfar 1, and

243 views • 21 slides
Stochastic Simulation Independent, uniformly distributed RN Generation of random variables

Stochastic Simulation Independent, uniformly distributed RN Generation of random variables

Plan W1.1-2 Plan W1.1-2 Random number generation Stochastic Simulation Independent, uniformly distributed RN Generation of random variables Distribution Continuous sample space Independent Random variable Bo Friis Nielsen Model Institute

587 views • 7 slides
Random Number Generation with Multiple Streams for Sequential and Parallel Computing Pierre

Random Number Generation with Multiple Streams for Sequential and Parallel Computing Pierre

1 Random Number Generation with Multiple Streams for Sequential and Parallel Computing Pierre LEcuyer MIT, Operations Research, February 2017 2 What do we want? Sequences of numbers that look random. 2 What do we want? Sequences of

2.18k views • 138 slides
Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
HAVEGE HArdware Volatile Entropy Gathering and Expansion Unpredictable random number generation

HAVEGE HArdware Volatile Entropy Gathering and Expansion Unpredictable random number generation

HAVEGE HArdware Volatile Entropy Gathering and Expansion Unpredictable random number generation at user level Andr Seznec Nicolas Sendrier Andr Seznec Caps Team IRISA/INRIA Unpredictable random numbers Unpredictable =

597 views • 48 slides
Cryptography and Network Random Number Generation Security The comparatively late rise of the

Cryptography and Network Random Number Generation Security The comparatively late rise of the

4/19/2010 Chapter 7 Stream Ciphers and Cryptography and Network Random Number Generation Security The comparatively late rise of the theory of Chapter 7 probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as

72 views • 4 slides
Serial and Parallel Random Number Generation Prof. Dr. Michael Mascagni Seminar f ur

Serial and Parallel Random Number Generation Prof. Dr. Michael Mascagni Seminar f ur

Serial and Parallel Random Number Generation Prof. Dr. Michael Mascagni Seminar f ur Angewandte Mathematik, ETH Z urich R aimistrasse 101, CH-8092 Z urich, Switzerland and Department of Computer Science &amp; School of

672 views • 35 slides
Solidity Pt. 2 Lessons 3-5 Libraries/OpenZeppelin, SafeMath Time Random number generation

Solidity Pt. 2 Lessons 3-5 Libraries/OpenZeppelin, SafeMath Time Random number generation

Solidity Pt. 2 Lessons 3-5 Libraries/OpenZeppelin, SafeMath Time Random number generation Transfers Tokens Comments Libraries raries OpenZeppelin repository containing source code for implementing commonly used functions in smart

489 views • 33 slides
(New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert

(New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert

TRNG Design Challenges RNG security evaluation Conclusions (New) Challenges in Random Number Generation for Cryptography Viktor F ISCHER Laboratoire Hubert Curien, UMR 5516 CNRS Jean Monnet University, Member of University of Lyon

685 views • 44 slides
Generation CMSC 426 - Computer Security Slides originally by Dr. Marron, modified by Robert Joyce

Generation CMSC 426 - Computer Security Slides originally by Dr. Marron, modified by Robert Joyce

Random Number Generation CMSC 426 - Computer Security Slides originally by Dr. Marron, modified by Robert Joyce Outline Properties of PRNGs LCGs Blum, Blum, Shub NIST SP 800-90A Random Number Uses Generation of symmetric

540 views • 18 slides
Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8

Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8

Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8 in Law and book by Devroye (watch for typos) Acceptance-Rejection Convolution Method Composition Method Peter J. Haas Alias Method Random

228 views • 6 slides
Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017

Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017

Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017 2008: The Debian OpenSSL entropy disaster August 2008: Discovered by Luciano Bello Keys dependent only on pid and machine architecture: 294,912 keys

797 views • 53 slides
Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30

Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30

Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30 September, 2019 Janyl Jumadinova Computational Expression 30 September, 2019 1 / 8 Random Class The Random class is part of the java.util package It

415 views • 15 slides
Random Numbers on GPUs W. B. Langdon Mathematical and Biological Sciences and Computing and

Random Numbers on GPUs W. B. Langdon Mathematical and Biological Sciences and Computing and

Random Numbers on GPUs W. B. Langdon Mathematical and Biological Sciences and Computing and Electronic Systems CIGPU 2008 Introduction Artificial Intelligence needs Randomisation Implementing randomisation is hard. GPU no native

618 views • 23 slides
MIPS Assembly (Random Numbers) 2 Lab Schedule Activities Assignments Due This Week Lab 10

MIPS Assembly (Random Numbers) 2 Lab Schedule Activities Assignments Due This Week Lab 10

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific MIPS Assembly (Random Numbers) 2 Lab Schedule Activities Assignments Due This Week Lab 10 Due by Apr 11 th 5:00am Lab work time MIPS

477 views • 5 slides
A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International Conference on Field-Programmable Logic and Applications Adriaan Peetermans, Vladimir Ro zi c and Ingrid Verbauwhede September 10, 2019 Random

370 views • 35 slides
Simulation Simulation Modeling and Performance Analysis with Discrete-Event Simulation g y Dr.

Simulation Simulation Modeling and Performance Analysis with Discrete-Event Simulation g y Dr.

Computer Science, Informatik 4 Communication and Distributed Systems Simulation Simulation Modeling and Performance Analysis with Discrete-Event Simulation g y Dr. Mesut Gne Computer Science, Informatik 4 Communication and Distributed

744 views • 35 slides
Using Blaise for Implementing a Complex Sampling Algorithm By Linda Gowen and Ed Dolbow, Westat

Using Blaise for Implementing a Complex Sampling Algorithm By Linda Gowen and Ed Dolbow, Westat

Using Blaise for Implementing a Complex Sampling Algorithm By Linda Gowen and Ed Dolbow, Westat Inc. Introduction A new in-person household survey using Blaise as the tool to perform computer aided interviewing (CAI), required a complicated

422 views • 13 slides
C Programming for Engineers Arrays &amp; Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1

C Programming for Engineers Arrays &amp; Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1

C Programming for Engineers Arrays &amp; Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Classroom Assignment Matrix Addition/Subtraction two matrices should have same number of rows and columns. Addition Subtraction

478 views • 30 slides
Uniform Variate Generation Refs: Chapter 7 in Law, Pierre Lecuyer Tutorial, Winter Simulation

Uniform Variate Generation Refs: Chapter 7 in Law, Pierre Lecuyer Tutorial, Winter Simulation

Uniform Variate Generation Refs: Chapter 7 in Law, Pierre Lecuyer Tutorial, Winter Simulation Conference 2015 Peter J. Haas CS 590M: Simulation Spring Semester 2020 1 / 21 Pseudo-Random Numbers Overview Simple Congruential Generators

325 views • 21 slides

More recommend