RNGs for Resource-Constrained Devices Werner Schindler Bundesamt - - PowerPoint PPT Presentation

RNGs for Resource-Constrained Devices

Werner Schindler Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn, Germany

Bochum, November 6, 2017

Schindler November 6, 2017 Slide 2

Outline

Crypto for IoT: some general thoughts RNGs on resource-constrained devices

(focus on evaluation and design)

Physical RNGs Deterministic RNGs

Conclusions

Schindler November 6, 2017 Slide 3

Crypto for IoT

IoT devices are often resource-constrained. Cryptographic implementations then should save

resources (area, memory, energy). The saving may be limited by requirements on the execution time.

This goal may be supported by the use of

lightweight algorithms. Note: AES implementations, for instance, can be lightweight, too.

Schindler November 6, 2017 Slide 4

Crypto for IoT: General Challenges

The designer / developer should

assess the impact of successful attacks and their

benefit for potential attackers

determine an appropriate security level identify the relevant attack classes (mathematical

cryptanalysis, side-channel attacks, fault attacks, …)

prevent undesired “side effects” (attacks on weakly

secured devices shall not allow the control of more security critical components)

Schindler November 6, 2017 Slide 5

Crypto for IoT: General Challenges (II)

In particular, the designer / developer should

select appropriate cryptographic algorithms at least for (complex) long-term systems: enable

key change crypto agility

…

Schindler November 6, 2017 Slide 6

RNGs in real world devices

High-end smart cards and general purpose

hardware (PC, server etc.) normally use RNGs, which allow the broadest possible range of applications.

 Usually,

smart cards utilize physical RNGs (PTRNGs) or

deterministic RNG (DRNGs)

PCs, server etc. utilize non-physical non-

deterministic RNGs (NTRNGs) Example: /dev/random (Linux)

Schindler November 6, 2017 Slide 7

AIS 20 and AIS 31

In the German certification scheme (Common Criteria) the evaluation guidance documents AIS 20: Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators AIS 31: Functionality Classes and Evaluation Methodology for Physical Random Number Generators have been effective since 1999, resp. since 2001 (mathematical-technical reference updated in 2011)

Schindler November 6, 2017 Slide 8

AIS 20 + AIS 31 Functionality classes

DRNGs PTRNGs NTRNGs NTG.1 PTG.1 PTG.3 PTG.2 DRG.1 DRG.2 DRG.4 DRG.3

Highest class: strong physical noise source with crypto- graphic postprocessing  Increasing requirements  Increasing requirements Pure PTRNGs

Schindler November 6, 2017 Slide 9

RNGs for IoT devices

Principally, supporting a broad range of

applications is a positive feature but general purpose RNGs may require substantial resources.

Question: Is it possible to tailor RNGs on resource-

constrained devices to the needs of the applications?

What would this mean for the design and the

security evaluation of RNGs?

Schindler November 6, 2017 Slide 10

Security evaluation of PTRNGs

Primary Goal: Estimate the entropy per random bit Entropy is a property of random variables but not of

random numbers. Unfortunately, general entropy estimators do not exist.

Main task: Develop, verify and analyse a stochastic

model ( entropy estimate)

Schindler November 6, 2017 Slide 11

Security evaluation of PTRNGs (II)

A trustworthy security evaluation should verify the suitability of  the RNG design  the online test, the tot test and the start-up test.

• nline test: shall detect non-tolerable weaknesses of

the random numbers. tot test (total failure test): shall consider all realistic scenarios of total failures.

Schindler November 6, 2017 Slide 12

PTRNGs on low-cost devices

Can the evaluation tasks be simplified / be

reduced for low-cost devices?

The answer is: no!  Reason: The keys of (e.g.) lightweight algorithms

may be shorter than keys of ‘normal’ cryptographic algorithms but the entropy per key bit should not be smaller. The lower bound for the entropy per random bit cannot be scaled down in a natural way.

Schindler November 6, 2017 Slide 13

PTRNGs on low-cost devices (II)

At the cost of the output rate resource-efficient

PTRNG designs might be utilized if the application permits.

Can the online test and the tot test be dropped?

Principally yes, but only at the risk of the unnoticed use

• f (very) weak random numbers! (→ risk analysis;

worst case: constant random numbers ! )

Schindler November 6, 2017 Slide 14

Security evaluations of DRNGs

The state transition function and the output function

are usually composed of cryptographic primitives.

A security evaluation of a DRNG shall verify

that the seed entropy is sufficiently large that the random numbers have appropriate

statistical properties.

which of the following security properties are fulfilled

 forward secrecy  backward secrecy  enhanced backward secrecy

Schindler November 6, 2017 Slide 15

Security evaluations of DRNGs (II)

The security properties

‘forward secrecy’, ‘backward secrecy’ ‘enhanced backward secrecy’

are deduced from the security properties of the cryptographic primitives.

Schindler November 6, 2017 Slide 16

Example 1

internal state: sn = (rn,k) sn+1 = (Enc (rn, k), k) =: (rn+1,k) Enc: block cipher (AES, Triple-DES etc.), full OFB (rn,k)

rn (Enc(rn,k), k)

k: key (to be kept secret)

(random number)

Schindler November 6, 2017 Slide 17

Example 1: a typical security proof

Assumption: The attacker knows ri ,ri+1,…,ri+j

 Task: Find ri+j+1 = Enc(ri+j,k):

Note that ri+1 = Enc(ri,k), …, ri+j = Enc(ri+j-1,k)  specific chosen-plaintext attack on Enc(,k) (for AES, for instance → forward secrecy)

 Task: Find ri-1 = Dec(ri,k) = Enc-1(ri,k):

Note that ri+j-1 = Dec(ri+j,k), …, ri= Dec(ri+1,k)  specific chosen-plaintext attack on Dec(,k) (for AES, for instance → backward secrecy)

Schindler November 6, 2017 Slide 18

DRNGs for resource-constrained devices

Natural approach:

take a general purpose DRNG replace its cryptographic primitives by

corresponding lightweight primitives (e.g., AES by Present).

This may reduce the security level of the DRNG.

This should not be critical until the security level of

the DRNG is still  the security level of the application, which uses the random numbers.

Schindler November 6, 2017 Slide 19

DRNGs for resource-constrained devices (II)

This approach allows to save resources without

affecting the security level of the consuming lightweight cipher.

However, the ‘reduced’ design may still be (too)

• costly. Are further savings possible?

Enhanced backward secrecy guarantees the

secrecy of prior random numbers even if the internal state has been compromised. Its implementation yet might be (too) costly (→ requires a one-way function).

Schindler November 6, 2017 Slide 20

If further savings are necessary …

the designer

might analyse carefully whether the enhanced

backward secrecy is actually needed by the application (← threat model).

Schindler November 6, 2017 Slide 21

Conclusion

The selection of cryptographic mechanisms and

their implementation on IoT devices should be based on a careful analysis.

The evaluation methodology for RNGs does not

become easier for resource-constraint devices.

PTRNGs: The entropy requirements can not be

• relaxed. Instead, resources may be saved at the

cost of performance.

DRNGs: may be ‘scaled down’ by substituting the

cryptographic primitives by suitable lightweight primitives.

Schindler November 6, 2017 Slide 22

Contact

Bundesamt für Sicherheit in der Informationstechnik (BSI) Werner Schindler Godesberger Allee 185-189 53175 Bonn, Germany Tel: +49 (0)228-9582-5652 Fax: +49 (0)228-10-9582-5652 Werner.Schindler@bsi.bund.de www.bsi.bund.de www.bsi-fuer-buerger.de