RNGs for Resource-Constrained Devices

Transcription

1 RNGs for Resource-Constrained Devices Werner Schindler Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn, Germany Bochum, November 6, 2017

2 Outline Crypto for IoT: some general thoughts RNGs on resource-constrained devices (focus on evaluation and design) Physical RNGs Deterministic RNGs Conclusions Schindler November 6, 2017 Slide 2

3 Crypto for IoT IoT devices are often resource-constrained. Cryptographic implementations then should save resources (area, memory, energy). The saving may be limited by requirements on the execution time. This goal may be supported by the use of lightweight algorithms. Note: AES implementations, for instance, can be lightweight, too. Schindler November 6, 2017 Slide 3

4 Crypto for IoT: General Challenges The designer / developer should assess the impact of successful attacks and their benefit for potential attackers determine an appropriate security level identify the relevant attack classes (mathematical cryptanalysis, side-channel attacks, fault attacks, ) prevent undesired side effects (attacks on weakly secured devices shall not allow the control of more security critical components) Schindler November 6, 2017 Slide 4

5 Crypto for IoT: General Challenges (II) In particular, the designer / developer should select appropriate cryptographic algorithms at least for (complex) long-term systems: enable key change crypto agility Schindler November 6, 2017 Slide 5

6 RNGs in real world devices High-end smart cards and general purpose hardware (PC, server etc.) normally use RNGs, which allow the broadest possible range of applications. Usually, smart cards utilize physical RNGs (PTRNGs) or deterministic RNG (DRNGs) PCs, server etc. utilize non-physical nondeterministic RNGs (NTRNGs) Example: /dev/random (Linux) Schindler November 6, 2017 Slide 6

7 AIS 20 and AIS 31 In the German certification scheme (Common Criteria) the evaluation guidance documents AIS 20: Functionality Classes and Evaluation Methodology for Deterministic Random Number Generators AIS 31: Functionality Classes and Evaluation Methodology for Physical Random Number Generators have been effective since 1999, resp. since 2001 (mathematical-technical reference updated in 2011) Schindler November 6, 2017 Slide 7

8 AIS 20 + AIS 31 Functionality classes Increasing requirements DRG.4 DRG.3 DRG.2 DRG.1 Increasing requirements PTG.3 PTG.2 PTG.1 Highest class: strong physical noise source with cryptographic postprocessing Pure PTRNGs NTG.1 DRNGs PTRNGs NTRNGs Schindler November 6, 2017 Slide 8

9 RNGs for IoT devices Principally, supporting a broad range of applications is a positive feature but general purpose RNGs may require substantial resources. Question: Is it possible to tailor RNGs on resourceconstrained devices to the needs of the applications? What would this mean for the design and the security evaluation of RNGs? Schindler November 6, 2017 Slide 9

10 Security evaluation of PTRNGs Primary Goal: Estimate the entropy per random bit Entropy is a property of random variables but not of random numbers. Unfortunately, general entropy estimators do not exist. Main task: Develop, verify and analyse a stochastic model ( entropy estimate) Schindler November 6, 2017 Slide 10

11 Security evaluation of PTRNGs (II) A trustworthy security evaluation should verify the suitability of the RNG design the online test, the tot test and the start-up test. online test: shall detect non-tolerable weaknesses of the random numbers. tot test (total failure test): shall consider all realistic scenarios of total failures. Schindler November 6, 2017 Slide 11

12 PTRNGs on low-cost devices Can the evaluation tasks be simplified / be reduced for low-cost devices? The answer is: no! Reason: The keys of (e.g.) lightweight algorithms may be shorter than keys of normal cryptographic algorithms but the entropy per key bit should not be smaller. The lower bound for the entropy per random bit cannot be scaled down in a natural way. Schindler November 6, 2017 Slide 12

13 PTRNGs on low-cost devices (II) At the cost of the output rate resource-efficient PTRNG designs might be utilized if the application permits. Can the online test and the tot test be dropped? Principally yes, but only at the risk of the unnoticed use of (very) weak random numbers! ( risk analysis; worst case: constant random numbers! ) Schindler November 6, 2017 Slide 13

14 Security evaluations of DRNGs The state transition function and the output function are usually composed of cryptographic primitives. A security evaluation of a DRNG shall verify that the seed entropy is sufficiently large that the random numbers have appropriate statistical properties. which of the following security properties are fulfilled forward secrecy backward secrecy enhanced backward secrecy Schindler November 6, 2017 Slide 14

15 Security evaluations of DRNGs (II) The security properties forward secrecy, backward secrecy enhanced backward secrecy are deduced from the security properties of the cryptographic primitives. Schindler November 6, 2017 Slide 15

16 Example 1 Enc: block cipher (AES, Triple-DES etc.), full OFB k: key (to be kept secret) (r n,k) r n (random number) (Enc(r n,k), k) internal state: s n = (r n,k) s n+1 = (Enc (r n, k), k) =: (r n+1,k) Schindler November 6, 2017 Slide 16

17 Example 1: a typical security proof Assumption: The attacker knows r i,r i+1,,r i+j Task: Find r i+j+1 = Enc(r i+j,k): Note that r i+1 = Enc(r i,k),, r i+j = Enc(r i+j-1,k) specific chosen-plaintext attack on Enc(,k) (for AES, for instance forward secrecy) Task: Find r i-1 = Dec(r i,k) = Enc -1 (r i,k): Note that r i+j-1 = Dec(r i+j,k),, r i = Dec(r i+1,k) specific chosen-plaintext attack on Dec(,k) (for AES, for instance backward secrecy) Schindler November 6, 2017 Slide 17

18 DRNGs for resource-constrained devices Natural approach: take a general purpose DRNG replace its cryptographic primitives by corresponding lightweight primitives (e.g., AES by Present). This may reduce the security level of the DRNG. This should not be critical until the security level of the DRNG is still the security level of the application, which uses the random numbers. Schindler November 6, 2017 Slide 18

19 DRNGs for resource-constrained devices (II) This approach allows to save resources without affecting the security level of the consuming lightweight cipher. However, the reduced design may still be (too) costly. Are further savings possible? Enhanced backward secrecy guarantees the secrecy of prior random numbers even if the internal state has been compromised. Its implementation yet might be (too) costly ( requires a one-way function). Schindler November 6, 2017 Slide 19

20 If further savings are necessary the designer might analyse carefully whether the enhanced backward secrecy is actually needed by the application ( threat model). Schindler November 6, 2017 Slide 20

21 Conclusion The selection of cryptographic mechanisms and their implementation on IoT devices should be based on a careful analysis. The evaluation methodology for RNGs does not become easier for resource-constraint devices. PTRNGs: The entropy requirements can not be relaxed. Instead, resources may be saved at the cost of performance. DRNGs: may be scaled down by substituting the cryptographic primitives by suitable lightweight primitives. Schindler November 6, 2017 Slide 21

22 Contact Bundesamt für Sicherheit in der Informationstechnik (BSI) Werner Schindler Godesberger Allee Bonn, Germany Tel: +49 (0) Fax: +49 (0) Schindler November 6, 2017 Slide 22