Kristjan Kelt. Survey of random number generators on various platforms
1 Kristjan Kelt Survey of random number generators on various platforms University of Luxembourg 2013
2 Objective: investigate random number generation in several open source libraries, frameworks and applications that rely on cryptography. Investigated: Pure-Python ECDSA, PyBitmessage, BitcoinJS, Bitaddress.org, CryptoCat. Part II (if time permits): trusting random generators (Intel RDRAND).
3 Importance: a good random generator is a cornerstone of good cryptography. Everything that must be hard to predict (keys, nonces, IVs, salts, session identifiers) needs a good random source.
4 Importance, example attack: in September 2006, by commenting out a few lines in the OpenSSL library, Debian developers created a bug that rendered the OpenSSL random source useless. The bug was discovered in May 2008 by Luciano Bello. All cryptographic keys generated with OpenSSL on Debian (or derived distributions such as Ubuntu) in that period turned out to have only about 15 bits of entropy, provided by the process id (CVE-2008-0166). Every such key could be recovered by brute force.
5 Importance, second attack example: in 2013 a vulnerability in the Android SecureRandom class implementation was described by Michaelis, Meyer and Schwenk. A cascade of bugs reduced the entropy to 31 bits, making random numbers generated on Android guessable. The vulnerability had already been used to steal at least 55 BTC from wallets whose keys were generated on Android.
6 What is a good random number? Is 7 a good random number? What about ? Or 9?
7 What is a good random number? Each of them can be a good or a bad random number, depending on how it was generated.
8 Entropy: entropy measures the size of the pool from which a number is picked uniformly; in bits it is the log2 of the number of equally likely outcomes. One fair coin flip gives 1 bit; to get more entropy we need more flips (independent random events). Real random numbers are hard (read: slow) to generate, both for a brain and for a computer. Entropy can, however, be mixed, combined and distilled (e.g. by hashing several weak sources into one pool). Unfortunately entropy is also consumed fast by today's cryptographic applications.
9 PRNG (Pseudo random number generator). Benefits: statistically good distribution; needs very little entropy as a seed (e.g. the current time); fast. Why are PRNGs not secure? Predictability (the whole output sequence follows from a small seed) and linear dependencies between outputs (a few observed outputs let an attacker recover the internal state).
10 CSPRNG (Cryptographically Secure Pseudo Random Number Generator). Requirements: forward secrecy (a compromised state does not reveal earlier outputs), backward secrecy (after reseeding, future outputs cannot be predicted from the old state), state security, and a sufficiently large entropy input. References: RFC 1750, Randomness Recommendations for Security, Eastlake, Crocker, Schiller, 1994; Cryptanalytic Attacks on Pseudorandom Number Generators, Kelsey, Schneier, Wagner, Hall, 1998.
11 Generalized CSPRNG with periodic reseeding, as proposed in 1998 by Kelsey, Schneier, Wagner and Hall in Cryptanalytic Attacks on Pseudorandom Number Generators: an entropy pool that is distilled into the generator state at reseed time, with the generator producing output from that state between reseeds.
12 Presentation of the investigated random number generators: first the operating-system generators, then platform libraries and browsers, and finally the libraries, frameworks and applications in question.
13 Operating systems
14 Linux (without Intel RDRAND): entropy sources, plus entropy saved from the previous boot and restored during boot → entropy pool → blocking pool (/dev/random) and non-blocking pool (/dev/urandom, get_random_bytes) → application. A hardware entropy source, when available, is fed back into the pool from user space.
15 Linux (a few comments): the entropy estimator seems to be based on Kolmogorov complexity rather than Shannon entropy (Pousse 2012, Short communication: An interpretation of the Linux entropy estimator). See also Analysis of the Linux Random Number Generator, Gutterman, Pinkas, Reinman 2006, and The Linux Pseudorandom Number Generator Revisited, Lacharme, Röck, Strubel, Videau 2012.
16 OS X: entropy sources → Yarrow-160 → entropy pool (non-blocking) → /dev/random and /dev/urandom (both served from the same non-blocking pool).
17 Windows XP: application → CryptGenRandom → system generator (the diagram of its internals is not reproduced here).
18 Windows Vista and 7: application → CryptGenRandom or BCryptGenRandom; both paths end in the same system generator.
19 Windows 8: application → CryptGenRandom, BCryptGenRandom or CryptographicBuffer.GenerateRandom (WinRT); all three end in the same FIPS-validated, NIST-approved system generator.
20 Platform libraries
21 Python: application → os.urandom (a direct wrapper) or random.SystemRandom (built on os.urandom) → /dev/urandom on Linux and OS X, CryptGenRandom on Windows. Note that random.random() and the other module-level functions of the random module use a Mersenne Twister, not the system source, and must not be used for key material.
22 OpenSSL: application → RAND_bytes (OpenSSL has several engines, but according to the documentation the default one seeds itself at least once on the first call) → /dev/urandom on Linux and OS X, CryptGenRandom on Windows.
23 Browsers
24 Firefox since version 21: application → window.crypto.getRandomValues() → NIST SP 800-90 Hash_DRBG (SHA-256; seed length 440 bits, reseeded after 2^48 bytes, generator shared between threads) → /dev/urandom on Linux and OS X, CryptGenRandom on Windows.
25 Internet Explorer since version 11: application → window.crypto.getRandomValues() → BCryptGenRandom (Windows 7 and Windows 8).
26 WebKit (Safari, Chrome, Opera; details are browser specific): application → window.crypto.getRandomValues() → ARC4 stream-cipher based generator (seed length 1024 bits, reseeded after a fixed number of output bytes, generator shared between threads) → /dev/urandom on Linux and OS X, CryptGenRandom on Windows.
27 Libraries, frameworks and applications in question
28 CryptoCat (chat application): application → Salsa20/20 keystream generator (seed size 256 bits, never reseeded) ← window.crypto.getRandomValues.
29 Pure-Python ECDSA (library): class PRNG (SHA-256 over a seed plus a counter) and util.randrange (a small wrapper around os.urandom); class SigningKey (default curve NIST192p, about 96 bits of security, so a larger curve should be chosen explicitly for real keys) draws its key from os.urandom.
30 PyBitmessage: addressGenerator → OpenSSL.rand (a library wrapper) → OpenSSL RAND_bytes → OpenSSL library.
31 BitcoinJS: crypto.js contains a Crypto.util namespace with a function randomBytes that uses Math.random(). rng.js provides the class SecureRandom; on pool initialization it calls window.crypto.random for one specific browser version (this interface does not exist), then continues to fill the pool with Math.random(), and finally adds the current time (in ms) at the end of the pool.
32 BitcoinJS: rng.js, prototype SecureRandom. When the first random byte is requested it creates an ARC4 generator keyed by the current pool plus the current time. The seed size is 1024 bits, computed over a potentially larger entropy pool. The generator is never seeded again.
33 BitcoinJS: at the top of rng.js there is a suggestion to call rng_seed_time() on body.onclick and body.onkeypress. As the generator is never reseeded, this has an effect only until the first byte has been generated. Mouse movements are not suggested. The sample user-interface implementation does not follow the suggestion.
34 BitcoinJS, application chain: SecureRandom.nextBytes → ARC4 (seed size 1024 bits from a potentially larger pool, never reseeded) ← pool filled from Math.random(), mouse and keyboard events (only if the suggestion is followed) and the current time. None of these inputs come from the operating system entropy pool: Math.random() is not a cryptographic generator, and the time is guessable, so key material produced this way is predictable.
35 Bitaddress.org incorporates code from different libraries, including BitcoinJS. It uses a similar SecureRandom class but does follow the suggestion to fill the pool from user-generated events, and uses mouse move events in addition; it mixes in the current time and the mouse pointer coordinates (as the product X*Y, which discards part of the information in the two coordinates).
36 Bitaddress.org uses a seed count to decide when enough entropy has been collected. The seed-count threshold itself is generated with Math.random() (via Crypto.util.randomBytes).
37 Bitaddress.org: when generating random bytes it checks for the existence of window.crypto.getRandomValues and, when present, returns bytes from that interface instead. In practice this renders the seed counting useless, since the collected seed has no influence on what window.crypto.getRandomValues returns.
38 Bitaddress.org, application chain: SecureRandom.nextBytes → either ARC4 (seed size 1024 bits from a potentially larger pool, never reseeded) or window.crypto.getRandomValues.
39 Full random generation chains: Pure-Python ECDSA, PyBitmessage, Bitaddress.org (including parts of BitcoinJS), CryptoCat.
40 Pure-Python ECDSA random generation chain: application → class SigningKey (default NIST192p) → util.randrange (wrapper around os.urandom) → os.urandom (direct wrapper) → Linux: /dev/urandom (non-blocking pool ← entropy pool); OS X: /dev/urandom (entropy pool); Windows: CryptGenRandom.
41 PyBitmessage random generation chain: application → addressGenerator → OpenSSL.rand (a library wrapper) → OpenSSL RAND_bytes → Linux: /dev/urandom (non-blocking pool ← entropy pool); OS X: /dev/urandom (entropy pool); Windows: CryptGenRandom.
42 CryptoCat random generation chain: chat application → Salsa20/20 → window.crypto.getRandomValues → Firefox: NIST SP 800-90 Hash_DRBG (SHA-256); WebKit: ARC4 → Linux: /dev/urandom (non-blocking pool ← entropy pool); OS X: /dev/urandom (entropy pool); Windows: CryptGenRandom.
43 Bitaddress.org random generation chain: application → SecureRandom.nextBytes → either ARC4 ← pool from Math.random(), mouse and keyboard events, current time; or window.crypto.getRandomValues → Firefox: NIST SP 800-90 Hash_DRBG (SHA-256); WebKit: ARC4 → Linux: /dev/urandom (non-blocking pool ← entropy pool); OS X: /dev/urandom (entropy pool); Windows: CryptGenRandom.
44 Conclusion: in general, most of the investigated projects got things right. The only really problematic project is BitcoinJS, which cannot be used directly out of the box. Bitaddress.org, which builds on BitcoinJS, got things (relatively) right.
45 Conclusion, continued: random number generation very often consists of several linked random number generators. A cryptographic application writer must understand the full random generation chain on every target platform.
46 Questions, or Part II (if time permits): Trusting Random Generators.
47 Trusting Random Generators: Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator); the Intel RDRAND instruction in Linux.
48 Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) is part of NIST Special Publication 800-90A (National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators), which contains four generator specifications. It contains a possible backdoor, shown by Dan Shumow and Niels Ferguson at the CRYPTO 2007 conference in August. It was still used after 2007 by RSA Security (confirmed) and possibly by Intel and Microsoft (suspected). The backdoor was somewhat confirmed in 2013.
49 Intel RDRAND in Linux: the documentation of the Linux random driver (comments in random.c) states that hardware random sources are not part of the kernel driver and that entropy from them should be fed back into the pool externally. In 2011 Intel engineers approached Linux and suggested incorporating the Intel RDRAND instruction directly into the kernel as an architectural entropy source.
50 Intel RDRAND in Linux: everything went (relatively) smoothly and the patches went into the kernel. Fast forward to the third quarter of 2013, when the Dual_EC_DRBG revelations came out. Suddenly people noticed that the RDRAND documentation references NIST SP 800-90A; that publication also contains Dual_EC_DRBG; and Linux uses RDRAND.
51 Intel RDRAND in Linux: Linus Torvalds made a statement that the kernel maintainers actually know what they are doing: the output of RDRAND is mixed into the entropy pool before anything is returned to the user. Theodore Ts'o said: "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction."
52 Intel RDRAND in Linux (change history) void get_random_bytes(void *buf, int nbytes) { - extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0); + char *p = buf; + + while (nbytes) { + unsigned long v; + int chunk = min(nbytes, (int)sizeof(unsigned long)); + + if (!arch_get_random_long(&v)) + break; + + memcpy(buf, &v, chunk); + p += chunk; + nbytes -= chunk; + } + + extract_entropy(&nonblocking_pool, p, nbytes, 0, 0); } EXPORT_SYMBOL(get_random_bytes); author Linus Torvalds <torvalds@linux-foundation.org> :29:07 (GMT) committer Linus Torvalds <torvalds@linux-foundation.org> :29:07 (GMT)
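Review bot: `memcpy(buf, &v, chunk);` in the new loop writes every chunk to the start of the buffer instead of the current position p, so successive RDRAND words overwrite buf[0..sizeof(long)) and the bytes between there and p are never written; the destination must be p (`memcpy(p, &v, chunk);`). Separately, when arch_get_random_long() succeeds the caller receives raw RDRAND output with no pool mixing at all, since extract_entropy() only covers the remainder starting at p; if that is the intended design it needs a comment, because it is exactly the "rely only on RDRAND" behaviour the driver's own documentation argues against.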
53 Intel RDRAND in Linux (change history) static void add_timer_randomness(struct timer_rand_state *state, unsigned num) { struct { - cycles_t cycles; long jiffies; + unsigned cycles; unsigned num; } sample; long delta, delta2, -637,7 static void add_timer_randomness(struct timer_rand_state *state, unsigned num) goto out; sample.jiffies = jiffies; - sample.cycles = get_cycles(); + + /* Use arch random value, fall back to cycles */ + if (!arch_get_random_int(&sample.cycles)) + sample.cycles = get_cycles(); + sample.num = num; mix_pool_bytes(&input_pool, &sample, sizeof(sample)); author Linus Torvalds <torvalds@linux-foundation.org> :36:22 (GMT) committer H. Peter Anvin <hpa@linux.intel.com> :49:45 (GMT)
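Review bot: calling arch_get_random_int() inside add_timer_randomness() puts an RDRAND instruction on the path taken for every input and disk event, which is a hot path that this sample is meant to timestamp cheaply; keep get_cycles() here and mix architectural randomness in one place (the extraction or reseed path) instead. The accompanying change of the sample field from cycles_t to unsigned also narrows the get_cycles() fallback to 32 bits on 64-bit builds, which the commit message should call out.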
54 Intel RDRAND in Linux (change history): the function add_timer_randomness shown above is called by add_input_randomness and add_disk_randomness, i.e. on every input-device and disk event.
55 Intel RDRAND in Linux (change history) static void init_std_data(struct entropy_store *r) { + int i; ktime_t now; unsigned long -974,6 static void init_std_data(struct entropy_store *r) now = ktime_get_real(); mix_pool_bytes(r, &now, sizeof(now)); + for (i = r->poolinfo->poolwords; i; i--) { + if (!arch_get_random_long(&flags)) + break; + mix_pool_bytes(r, &flags, sizeof(flags)); + } mix_pool_bytes(r, utsname(), sizeof(*(utsname()))); } author Theodore Ts'o <tytso@mit.edu> :28:01 (GMT) committer H. Peter Anvin <hpa@linux.intel.com> :18:21 (GMT)
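Review bot: the loop bound is r->poolinfo->poolwords, a count of 32-bit words, while each iteration mixes sizeof(flags) bytes, so on 64-bit builds the loop mixes twice the pool size of architectural data; count in bytes or step by sizeof(flags). Also, `flags` is not declared in the hunk and by its name is the function's interrupt-flags variable; reusing it as the scratch word for arch_get_random_long() is confusing, so prefer a dedicated `unsigned long v`.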
56 Intel RDRAND in Linux (change history) static void init_std_data(struct entropy_store *r) { + int i; ktime_t now; unsigned long -974,6 static void init_std_data(struct entropy_store *r) now = ktime_get_real(); mix_pool_bytes(r, &now, sizeof(now)); + for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof flags) { + if (!arch_get_random_long(&flags)) + break; + mix_pool_bytes(r, &flags, sizeof(flags)); + } mix_pool_bytes(r, utsname(), sizeof(*(utsname()))); } author Linus Torvalds <torvalds@linux-foundation.org> :23:09 (GMT) committer Linus Torvalds <torvalds@linux-foundation.org> :23:09 (GMT)
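Review bot: the loop now counts in bytes (`for (i = r->poolinfo->poolbytes; i > 0; i -= sizeof flags)`), which fixes the double mixing on 64-bit builds, but the `flags` reuse from the previous version remains; declare a separate `unsigned long v` for the RDRAND word. Note also that the decrement by the unsigned `sizeof flags` on a signed int relies on poolbytes being a multiple of sizeof(unsigned long) for the last iteration to terminate cleanly, which is worth a comment.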
57 Intel RDRAND in Linux (change history) If the CPU supports a hardware random number generator, use it in xfer_secondary_pool(), where it will significantly improve things and where we can afford it. Also, remove the use of the arch-specific rng in add_timer_randomness(), since the call is significantly slower than get_cycles(), and we're much better off using it in xfer_secondary_pool() anyway. author Theodore Ts'o <tytso@mit.edu> :21:01 (GMT) committer Theodore Ts'o <tytso@mit.edu> :17:46 (GMT)
58 Intel RDRAND in Linux (change history) Mix in any architectural randomness in extract_buf() instead of xfer_secondary_buf(). This allows us to mix in more architectural randomness, and it also makes xfer_secondary_buf() faster, moving a tiny bit of additional CPU overhead to process which is extracting the randomness. author H. Peter Anvin <hpa@linux.intel.com> :26:08 (GMT) committer Theodore Ts'o <tytso@mit.edu> :37:20 (GMT)
59 Intel RDRAND in Linux (change history) static void extract_buf(struct entropy_store *r, u8 *out) { [...] + /* + * If we have a architectural hardware random number + * generator, mix that in, too. + */ + for (i = 0; i < LONGS(EXTRACT_SIZE); i++) { + unsigned long v; + if (!arch_get_random_long(&v)) + break; + hash.l[i] ^= v; + } + + memcpy(out, &hash, EXTRACT_SIZE); + memset(&hash, 0, sizeof(hash)); } Code of the previous slide author H. Peter Anvin <hpa@linux.intel.com> :26:08 (GMT) committer Theodore Ts'o <tytso@mit.edu> :37:20 (GMT)
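Review bot: `hash.l[i] ^= v;` applies the architectural value directly to the finished hash, after the hash over the pool has been computed, so what is copied to out is H(pool) XOR v with v supplied by the CPU and nothing one-way between v and the output. Mix v in before a hash step instead (hash it together with the pool, or run at least one more transform after the XOR) so that a CPU able to observe the register it is XORed into cannot choose v as a function of the hash; the memset() of hash at the end is good, but the ordering of the XOR is the security-relevant point here.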
60 Possible attack on Intel RDRAND in Linux (Taylor Hornby): at first sight there is no problem, because RANDOM xor INDEPENDENTLY_BIASED = RANDOM. But what if RDRAND is used as a marker that activates malicious behaviour in the CPU? Then, when it sees RDRAND followed by an XOR, it could bias the RDRAND output according to the second operand of the XOR (in this case the state of the entropy buffer, i.e. the pool hash), cancelling it out and choosing the output.
61 Intel RDRAND in Linux (change history, current fix of the previous problem) Previously if CPU chip had a built-in random number generator (i.e., RDRAND on newer x86 chips), we mixed it in at the very end of extract_buf() using an XOR operation. We now mix it in right after the calculate a hash across the entire pool. [ ] author Theodore Ts'o <tytso@mit.edu> :06:02 (GMT) committer Theodore Ts'o <tytso@mit.edu> :32:13 (GMT)
62 Conclusion: a random number generator inside the CPU cannot be trusted on its own; its output may only be used after it has been mixed with other entropy sources in a way the CPU cannot undo.
Universal Fuzzy Statistical Test for Pseudo Random Number Generators (UFST-PRNG) Raad A. Muhajjar, Ph.D. ICCR Scholar, Dept. of Computer Science, Dr. S. Kazim Naqvi, Sr. System Analyst, Centre for IT,
More informationHigh-Performance Cryptography in Software
High-Performance Cryptography in Software Peter Schwabe Research Center for Information Technology Innovation Academia Sinica September 3, 2012 ECRYPT Summer School: Challenges in Security Engineering
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 2 Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Cryptographic Tools cryptographic algorithms
More informationPOWER7+ Accelerated Encryption and Random Number Generation for Linux
POWER7+ Accelerated Encryption and Random Number Generation for Linux Kent Yoder IBM Linux Technology Center February 22, 2013 Contents 1 Introduction 2 2 Hardware Architecture
More informationConsiderations in Securing Connected Devices. Chris Conlon
Considerations in Securing Connected Devices Chris Conlon Where are we located? Seattle, WA Portland, OR Bozeman, MT San Jose, CA BRAZIL João Pessoa Tokyo, JP Open Source 10 employees worldwide Creating
More informationThe Design and Analysis of a True Random Number Generator in a Field Programmable Gate Array. By Paul Kohlbrenner November 20, 2003
The Design and Analysis of a True Random Number Generator in a Field Programmable Gate Array By Paul Kohlbrenner November 20, 2003 Presentation Organization 1. Thesis goal 2. The need for random bits in
More informationCryptographic Implementations In Digital Design
EECS 151 Spring 2018 Cryptographic Implementations In Digital Design 1 Cryptography and Digital Implementations Cryptography has long been a "typical" application for digital design A large repetitive
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationFall 2005 Joseph/Tygar/Vazirani/Wagner Notes 21
CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Notes 21 Anyone who uses software to produce random numbers is in a state of sin. John von Neumann The generation of random numbers is too
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationCS 241 Honors Nothing is Ever Random
CS 241 Honors Nothing is Ever Random Kevin Hong University of Illinois Urbana-Champaign Feburary 13, 2018 Kevin Hong (UIUC) Randomness and Entropy Feburary 13, 2018 1 / 11 Kevin Hong (UIUC) Randomness
More informationCrypTech. October 2018 Barcelona
CrypTech October 2018 Barcelona Hardware Security Module From Wikipedia: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security MAC, HMAC, Hash functions and DSA Vinod Ganapathy Lecture 6 Message Authentication message authentication is concerned with: protecting the integrity of a message validating
More informationFIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2
Oracle Solaris Kernel Cryptographic Framework with SPARC T4 and T5 Software Version: 1.0 and 1.1; Hardware Version: SPARC T4 (527-1437-01) and T5 (7043165) FIPS 140-2 Non-Proprietary Security Policy Level
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Introduction, Randomness, One-Time Pad, Stream Ciphers University of Tartu Spring 2015 1 / 33 Who am I? Arnis Paršovs MSc in Cyber Security Tallinn University of Technology,
More informationryptograi "ГС for Tom St Denis, Elliptic Semiconductor Inc. Simon Johnson and Author of the LibTom Project
for ryptograi "ГС V6 е Tom St Denis, Elliptic Semiconductor Inc. and Author of the LibTom Project Simon Johnson Contents Preface Chapter 1 Introduction 1 Introduction 2 Threat Models 3 What Is Cryptography?
More informationPseudorandom Number Generation
Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D. Wagner at the University of California, Berkeley 1 What Can Go Wrong? An example: This generates a 16 byte (128
More informationCryptography and the Common Criteria (ISO/IEC 15408) by Kirill Sinitski
Cryptography and the Common Criteria (ISO/IEC 15408) by Kirill Sinitski About CygnaCom FIPS and Common Criteria Services Accredited testing laboratories NIAP, NIST, CSEC Professional Services PKI infrastructure
More informationSneaking key escrow in through the back door
Sneaking key escrow in through the back door Tanja Lange Technische Universiteit Eindhoven http://projectbullrun.org/dual-ec/ 11 February 2015 Capstone Project NSA program, public since 1993. Standards
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationA Roadmap for High Assurance Cryptography
A Roadmap for High Assurance Cryptography Harry Halpin harry.halpin@inria.fr @harryhalpin (Twitter) NEXTLEAP (nextleap.eu) Harry Halpin Prosecco Thanks to Peter Schwabe (Radboud University) Harry.halpin@inria.fr
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationFIPS Security Policy
FIPS 140-2 Security Policy BlackBerry Cryptographic Library Version 2.0.0.10 Document Version 1.2 BlackBerry Certifications, Research In Motion This document may be freely copied and distributed provided
More informationMisuse-resistant crypto for JOSE/JWT
Misuse-resistant crypto for JOSE/JWT Neil Madden OAuth Security Workshop, 2018 1 JOSE Content Encryption Methods Provide authenticated encryption AES-CBC with HMAC-SHA2 Requires random 128-bit IV Must
More informationRefresher: Applied Cryptography
Refresher: Applied Cryptography (emphasis on common tools for secure processors) Chris Fletcher Fall 2017, 598 CLF, UIUC Complementary reading Intel SGX Explained (ISE) Victor Costan, Srini Devadas https://eprint.iacr.org/2016/086.pdf
More informationOracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1
Oracle Solaris Kernel Cryptographic Framework Software Version 1.0 and 1.1 FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Version 1.2 12/12/2013 Copyright 2013 Oracle Corporation Table of
More informationRecommendation for Random Number Generation Using Deterministic Random Bit Generators
NIST SP 800-90A January 2012 NIST Special Publication 800-90A Recommendation for Random Number Generation Using Deterministic Random Bit Generators Elaine Barker and John Kelsey Computer Security Division
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Introduction, Randomness, One-Time Pad, Stream Ciphers University of Tartu Spring 2014 1 / 31 Who am I Arnis Paršovs MSc in Cyber Security Tallinn University of Technology,
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationECE 646 Fall 2015 Term Project. Overview, comparison of open crypto libraries for application development. By Ravi Kota
ECE 646 Fall 2015 Term Project Overview, comparison of open crypto libraries for application development. By Ravi Kota Goal How to determine which open source crypto library or libraries can be considered
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationThis Security Policy describes how this module complies with the eleven sections of the Standard:
Vormetric, Inc Vormetric Data Security Server Module Firmware Version 4.4.1 Hardware Version 1.0 FIPS 140-2 Non-Proprietary Security Policy Level 2 Validation May 24 th, 2012 2011 Vormetric Inc. All rights
More information