120 likes | 207 Views
Explore the practical uses of randomness in generating session IDs, keys for cryptography, temporary file names, and more. Learn about the importance of good random numbers in preventing application malfunctions and increasing security. Discover random number terminology, sources, pitfalls, and best practices to enhance application security.
E N D
Significance of Random Numbers in Application Security Richard Lewis Tech Mahindra Ltd. richardl@techmahindra.com 91-022-66882000 July 31st 2006
Practical Uses of Randomness • Session ID generation • Temporary file name generation • Key generation (cryptography) • First-time password generation • Unique filename/directory name generation • Generation of CAPTCHAs • Random colour generation for schemes, user profiles etc.
Need for Good Random Numbers • Prevents application malfunction • Application that relies on creation of several files on disk. • Increases strength of cryptographic operations • The entropy associated with the key increases • Automates otherwise manual tasks • Application can auto-generate first-time passwords instead of having users select one • Increases security of applications • Reduces guessability of session ids and other entities used by the application
Random Number Terminology • Entropy • Determines the quality of random numbers. • However, high level of entropy does not guarantee randomness. • Seed • Initialises the random number generation process. • Sequence • Significant if the sequence is pseudo-random i.e. values are recycled after a very long index.
Sources of Random Numbers • Random number generation APIs • Avoid “C” rand, rand (Windows), Perl rand, C# Random, PHP rand • Use FIPS-140 compliant random number library • Cryptographic key generation APIs • CryptGenKey for generating random numbers • Hashing data to get further random data • Network and system information APIs • Using output parameters of network functions • Extracting serial numbers from hardware devices and hashing them
Sources of Random Numbers (Contd.) • Operating system sources • Eg. dev/random • GUID generators • Keyboard strokes • Measuring time between strokes (GetTickCount) • Characters typed • Mouse movements • Co-ordinates of mouse movements on screen (Mouse and Window functions) • Screen colours • Bitmap values of random portions of the screen (Bitmap functions) • Time • Time functions
Random Number Generation Pitfalls • Using weak RNGs for critical operations • Generating cryptographic keys using linear sequential RNG (that wrap-around) • Using hard coded random number sequences • Using sequential numbers and treating them as random numbers (eg. session ids)
Random Number Pitfall – Example 1 • Consider a cryptographic system that uses 56 bit keys. • If these 56 bit keys are derived by using a fixed PRNG seeded with an 8 bit seed. • Not the 2^56 keys that may at first appear to be the case.
Random Number Pitfall – Example 2 • Application uses Ethernet address for generating random numbers. • What if… • Ethernet cards have been installed on DEC hardware within DEC?
Random Number Solution • Scenario: • User passwords are changed once a month • Probability of guessing the password < 1/1000 • Problem Statement: • What should be the length of the password? • Solution • Introduce a “wrong password” delay, say 5 seconds • In 1 minute = 12 attempts, 1 hour = 720 attempts, • In 1 day = 17K, 1 month = 0.5M attempts • Probability required is < 1/1000 • Therefore, attempts = 0.5 M X 1 K = 0.5 G • 0.5 G = 229 approximately. 30 bits of randomness are needed • 229 = 109 approximately • 26? = 109 • ? = Number of characters in password
RNG Best Practices • Use good sources of random numbers • Use FIPS 140-compliant RNG libraries, when possible • Use different seeds at different times when using RNGs. Do not use the same or blank seeds.