
Randomness in Cryptography: A Deadly Pitfall


Presentation Transcript


  1. Randomness in Cryptography: A Deadly Pitfall
     Nick Christoforidis & Konstantinos Rousis
     Information Security Module, CITY College

  2. Part I: Defining Randomness (Nikos Christoforidis)

  3. Randomness is Everywhere in CS
     • On-line casinos: shuffle decks, roll dice, spin the roulette wheel
     • Biologically inspired algorithms: chemotaxis in neural nets, mutations in genetic algorithms, movement of agents (ants, bees)
     • Operating systems: lottery scheduling
     • Games & photorealism: realistic smoke, fire, rain, wind, blood, etc.
     • Business (Malkiel, 1973): Random Walk Hypothesis for the stock market
     • Cryptography ...

  4. Definition
     Two major principles:
     • A single number selected from a set: each member of the set must have an equal chance of selection.
     • A sequence of numbers: no element can be predicted from the position of the other elements of the sequence.
     If these principles are respected:
     • each bit of output carries a bit of entropy
     • e.g. a generated 32-bit key needs an effort of 2^32 to be broken.

  5. Random Number Generator Types
     • Non-deterministic
       • Based on physical phenomena, e.g. radio-frequency noise, flow of liquids, internet traffic, atmospheric pressure/humidity, etc.
       • Too expensive for typical users
     • Deterministic, or Pseudo-Random Number Generators (PRNGs)
       • An algorithm takes an input and produces a "random" output based on its current secret state "S".
       • S is initialised from a random seed and may be reseeded periodically.
       • Same seed = same "random" output, hence "pseudo-random".

  6. Example: Middle Square Method
     Introduced by von Neumann, 1945:
     • (1) Pick an initial random number.
     • (2) Square it.
     • (3) Extract the middle digits as the random output.
     • (4) Repeat step (2) with the output of (3).
     Example: 13 -> 0169 -> 16 -> 0256 -> 25 -> 0625 -> 62 -> 3844 -> 84 -> ...
     But: ... -> 40 -> 1600 -> 60 -> 3600 -> 60 -> 3600 -> 60 -> ... Repetition!
     • the attacker has gained information
     • an efficient attack can be mounted
     • the generator is compromised
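The middle-square steps above, as an added example (not code from the slides): the generator plus a cycle detector that reports how many outputs a stream yields before it collapses into a loop such as 60 -> 3600 -> 60. The two-digit state size matches the slide's example; wider states work the same way.

```python
# Added example (not from the slides): von Neumann's middle-square generator with
# cycle detection, showing why a fixed point such as 60 -> 3600 -> 60 kills the entropy.


def middle_square_next(state: int, digits: int = 2) -> int:
    """Square the state, zero-pad to 2*digits, and return the middle `digits` digits."""
    squared = str(state * state).zfill(2 * digits)
    start = (len(squared) - digits) // 2
    return int(squared[start:start + digits])


def run_until_repeat(seed: int, digits: int = 2) -> tuple[list[int], int, int]:
    """Iterate from `seed` until a state recurs.

    Returns (states, cycle_start, cycle_length): the distinct states visited in order,
    the index at which the generator enters its loop, and the loop's period.
    """
    states = [seed]
    first_seen = {seed: 0}
    state = seed
    while True:
        state = middle_square_next(state, digits)
        if state in first_seen:              # pigeonhole guarantees this happens
            cycle_start = first_seen[state]
            return states, cycle_start, len(states) - cycle_start
        first_seen[state] = len(states)
        states.append(state)


def usable_outputs(seed: int, digits: int = 2) -> int:
    """How many outputs an observer sees before the stream becomes fully predictable."""
    states, _, _ = run_until_repeat(seed, digits)
    return len(states) - 1                   # the seed itself is not an output


if __name__ == "__main__":
    for seed in (13, 40):
        states, start, period = run_until_repeat(seed)
        chain = " -> ".join(map(str, states))
        print(f"seed {seed}: {chain} -> loops at index {start} with period {period}")
```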

  7. Part II: Attacking PRNGs (Nikos Christoforidis)

  8. Methods of Attacking PRNGs
     Direct Cryptanalytic
     • The attacker can distinguish outputs that are not as random as expected.
     • Huge benefit to brute-force attacks: the search space is reduced.
     Input-Based
     • Known input: the attacker still has to cryptanalyse.
     • Repeated input: the attacker gains an advantage.
     • Controlled input: best case for the attacker, who can easily understand the internal workings of the algorithm.
     State Compromise Extension
     • The attacker has compromised part of the state S at time t, and
     • can guess the output at time t+x, or
     • can learn previous outputs (time < t), or
     • can predict all outputs (fully compromised PRNG).

  9. ANSI X9.17
     • Published 1985; FIPS (NIST) standard 1992
     • Aim: produce DES keys for electronic money transactions
     • A 3DES key "K" was created at initialisation, then:
     • Cryptanalytic and known-input attacks are difficult
     • If the attacker knows K, the seed can be found with 2^11 effort
       • Timestamps in milliseconds, over a timespan of one second
     • Now any other seed can be calculated
     • All random outputs can be predicted

  10. Other PRNGs
     Yarrow:
     • Designed by Schneier, Kelsey, Ferguson
     • Included an entropy accumulator fed from various sources
     • Enough entropy estimated ==> reseed the secret state
     Fortuna:
     • Improved Yarrow: entropy estimation was dismissed
     • Increased the entropy pools to 32, each with
       • a different rate of gaining entropy
       • a different contribution to the reseed process
     Mersenne Twister:
     • Based on Mersenne prime numbers
     • Period of repetition: 2^19937 - 1 outputs (!!!)
     • Very fast, but becomes predictable after 624 iterations.

  11. Part III: Real-World Cases and Attacks (Konstantinos Rousis)

  12. Netscape Navigator 1.1 - Random seed
     • In 1995, Netscape incorporated SSL support into its browser, claiming 128-bit security
     • SSL needed random numbers to generate secret keys
     • The sources of "randomness" used were:
       • the system's seconds and milliseconds
       • the process ID and the parent's process ID
     • A number of weaknesses are apparent:
       • None of them is truly random (physical phenomena etc.)
       • The seconds will be found, as the attacker is most probably eavesdropping
       • Milliseconds provide rather inadequate entropy (1 to 1000)
       • Process IDs are easily determined, as they are not considered confidential
     • In the worst case for the attacker, the entropy used is only 47 bits instead of 128

  13. PlanetPoker.com - Shuffling Algorithm
     • Back in 1999, a successful online poker site, Planet Poker, publicised its shuffling algorithm
     • Weaknesses in terms of fairness and security became obvious:
       • Off-by-one error (random_number := random(51)+1;)
       • Random seed: the system's current timestamp
     • By searching an embarrassingly small space of values, the exact timestamp can be found
     • To determine which of the possible timestamps was actually used, only 5 cards had to be displayed
     • After that, the whole shuffle is known
     • Fortunately, the security hole was identified by security experts
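The two defects on this slide side by side, as an added example (not Planet Poker's code): a re-creation of the clock-seeded shuffle with the random(51)+1 off-by-one, next to a Fisher-Yates shuffle driven by the operating system's CSPRNG. Deck size and card ids are constructed; Python's seeded Random stands in for Pascal's random().

```python
# Added example (not Planet Poker's code): the shuffle as the slide describes it,
# next to a hardened version. Deck size and card ids are constructed.
import random
import secrets
import time

DECK_SIZE = 52


def flawed_shuffle(timestamp_seed: int) -> list[int]:
    """Shuffle seeded from a clock value, with the slide's off-by-one.

    random(51)+1 yields 1..51, so position 52 is never picked as a swap partner,
    and every deck is a deterministic function of the (guessable) seed.
    """
    rng = random.Random(timestamp_seed)            # stands in for Pascal's seeded random()
    deck = [None] + list(range(1, DECK_SIZE + 1))  # 1-based like the original Pascal array
    for ctr in range(1, DECK_SIZE + 1):
        random_number = rng.randrange(51) + 1      # off-by-one: should cover 1..52
        deck[random_number], deck[ctr] = deck[ctr], deck[random_number]
    return deck[1:]


def reachable_decks(first_seed: int, seed_count: int) -> int:
    """Distinct decks the flawed shuffle can produce from `seed_count` consecutive seeds.

    Bounded by seed_count rather than by 52! (about 2^225): the seed space is the
    real key space of this shuffle.
    """
    return len({tuple(flawed_shuffle(s)) for s in range(first_seed, first_seed + seed_count)})


def secure_shuffle() -> list[int]:
    """Fisher-Yates with an OS-backed CSPRNG: no seed to guess, every index reachable."""
    deck = list(range(1, DECK_SIZE + 1))
    for i in range(DECK_SIZE - 1, 0, -1):
        j = secrets.randbelow(i + 1)               # uniform over 0..i, including i itself
        deck[i], deck[j] = deck[j], deck[i]
    return deck


if __name__ == "__main__":
    now_ms = int(time.time() * 1000)
    print("flawed (clock-seeded):", flawed_shuffle(now_ms))
    print("decks reachable from 1000 seeds:", reachable_decks(now_ms, 1000))
    print("secure:", secure_shuffle())
```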

  14. PGP's flawed algorithm
     • PGP uses a PRNG to initialise session keys, which are afterwards used to create RSA 1024-bit keys
     • Versions 2.5 and 2.6 suffered from a bug in one of the PRNG's functions
     • Instead of XORing (^=) the new entropy bits with the content already in the accumulator, an assignment (=) was performed
     • The system was not weakened enough to be compromised, but the entropy was reduced by a few hundred bits
     • Although the flaw can be considered "just a typo", the important point is how easily security can be undermined by a small error, even in code written by security experts
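The assignment-versus-XOR defect from this slide, as an added example (not PGP's code), in a small entropy accumulator of the kind slide 16 recommends. The pool size and the sample bytes are constructed; the check at the end flips one bit in each input sample and reports which samples still influence the pool, which is how the lost entropy shows up.

```python
# Added example (not PGP's code): an entropy accumulator with the '=' vs '^=' defect
# the slide describes. Pool size and sample values are constructed for illustration.
from typing import Callable

POOL_SIZE = 16

Mixer = Callable[[bytearray, bytes, int], None]


def mix_flawed(pool: bytearray, sample: bytes, offset: int) -> None:
    """Assignment: each new sample overwrites what was there, discarding earlier entropy."""
    for i, b in enumerate(sample):
        pool[(offset + i) % len(pool)] = b


def mix_fixed(pool: bytearray, sample: bytes, offset: int) -> None:
    """XOR: each new sample folds into the pool, so all earlier samples still matter."""
    for i, b in enumerate(sample):
        pool[(offset + i) % len(pool)] ^= b


def accumulate(mixer: Mixer, samples: list[bytes]) -> bytes:
    """Feed samples into a fresh pool, advancing the write offset as an accumulator would."""
    pool = bytearray(POOL_SIZE)
    offset = 0
    for sample in samples:
        mixer(pool, sample, offset)
        offset = (offset + len(sample)) % POOL_SIZE
    return bytes(pool)


def influencing_samples(mixer: Mixer, samples: list[bytes]) -> list[int]:
    """Indices of samples whose contents still affect the final pool.

    Flip one bit in each sample in turn; if the pool does not change, that sample's
    entropy was thrown away by the mixer.
    """
    baseline = accumulate(mixer, samples)
    kept = []
    for k, sample in enumerate(samples):
        perturbed = list(samples)
        perturbed[k] = bytes([sample[0] ^ 0x01]) + sample[1:]
        if accumulate(mixer, perturbed) != baseline:
            kept.append(k)
    return kept


SAMPLES = [b"\x01" * 16, b"\x02" * 16, b"\x04" * 16]  # constructed stand-ins for entropy inputs

if __name__ == "__main__":
    print("flawed pool depends on samples:", influencing_samples(mix_flawed, SAMPLES))
    print("fixed  pool depends on samples:", influencing_samples(mix_fixed, SAMPLES))
```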

  15. Part IV: Safe use of PRNGs (Konstantinos Rousis)

  16. Avoiding Common Pitfalls
     • For every PRNG, two things are crucial: a random source and a carefully implemented algorithm
     • Safe algorithms come from experience
     • Random sources can derive from physical phenomena or from specialised hardware chips
     • As end-users have none, other sources have been proposed:
       • the user's interaction with the PC (keystrokes, mouse movement)
       • timers (BIOS, operating system, software)
       • hardware measurements (mic/cam input, network traffic)
     • The two major concerns for all of them are availability and interoperability
     • Both can be handled efficiently if many sources are used simultaneously
       • in these cases an entropy accumulator is handy (see Yarrow)

  17. Characteristics of Cryptographically Strong PRNGs
     • Resistance to data manipulation
       • Even if an attacker manipulates the random sources, the output should not be predictable
     • Resistance to data analysis (Kerckhoffs's Principle)
       • An attacker should not be able to draw any conclusions by analysing input/output data
     • Protection of the internal state
       • The internal state is secret and must therefore be protected against trivial attacks (e.g. scanning the OS's swap file)
     • Recovery from compromised states
       • Even if the state is compromised, the PRNG should be able to reconstruct it, thus protecting previous and future outputs

  18. Conclusion
     • PCs are deterministic by nature, and thus truly random output cannot be produced
     • RNGs are only feasible when physical phenomena are observed
     • PRNGs are fundamental building blocks of any modern cryptosystem and should be used with extreme care
     • An attacker may find shortcut attacks via a system's PRNG
     • The most important things regarding a PRNG are the algorithm itself and its random seed
     • Randomness cannot be proven, only its absence
     • The punchline for randomness in cryptography is as paranoid as everything else related to security: "You can never be sure"

  19. Question Session
     Thank you for your attention!
