Randomness in Cryptography

Transcription

1 Randomness in Cryptography JKU Linz 2007 Randomness in Cryptography 1

2 Randomness? Randomness in Cryptography 2

3 The need for randomness Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 3

4 The need for randomness Classications What classies a computer: accuracy/precision determinism predictability traceability What classies randomness: nondeterminism unpredictability untracability Randomness in Cryptography 4

5 The need for randomness Classications What classies a computer: accuracy/precision determinism predictability traceability What classies randomness: nondeterminism unpredictability untracability Randomness in Cryptography 5

6 The need for randomness Incompatible? computers randomness = ε? Find approaches to force nondeterminism within a deterministic environment. Randomness in Cryptography 6

7 The need for randomness Incompatible? computers randomness = ε? Find approaches to force nondeterminism within a deterministic environment. Randomness in Cryptography 7

8 Formal denitions, motivation for non-deterministic applications Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 8

9 Formal denitions, motivation for non-deterministic applications Denition of randomness (Knu98) a sequence of independent random numbers each number was obtained completely random no correlations Randomness in Cryptography 9

10 Formal denitions, motivation for non-deterministic applications Predictability vs entropy Predictability: A fully random process is called unpredictable A fully unpredictable process doesn't need to be completely random. Example: Dice roll Entropy: The quantity of information within a given block of data The "negative logarithm of the probability of the process' most likely output" (GNP06) Randomness in Cryptography 10

11 Formal denitions, motivation for non-deterministic applications Predictability vs entropy Predictability: A fully random process is called unpredictable A fully unpredictable process doesn't need to be completely random. Example: Dice roll Entropy: The quantity of information within a given block of data The "negative logarithm of the probability of the process' most likely output" (GNP06) Randomness in Cryptography 11

12 Formal denitions, motivation for non-deterministic applications Predictability vs entropy Predictability: A fully random process is called unpredictable A fully unpredictable process doesn't need to be completely random. Example: Dice roll Entropy: The quantity of information within a given block of data The "negative logarithm of the probability of the process' most likely output" (GNP06) Randomness in Cryptography 12

13 Formal denitions, motivation for non-deterministic applications Entropy (2) Gathering maximum entropy assures complete, uniformly distributed randomness and is therefore indispensable. Randomness in Cryptography 13

14 Formal denitions, motivation for non-deterministic applications Example: The One-time-pad The one-time-pad is the only known completely secure cryptographic algorithm. Security relies on: (the shared secret is only known by trusted partners) the shared secret is truly random every element of the random sequence is only to be used once The securness totally relies on useful random numbers. An entirely deterministic process cannot produce randomness. Hence we use mathematical approaches to gain pseudo-randomness. Randomness in Cryptography 14

15 Formal denitions, motivation for non-deterministic applications Example: The One-time-pad The one-time-pad is the only known completely secure cryptographic algorithm. Security relies on: (the shared secret is only known by trusted partners) the shared secret is truly random every element of the random sequence is only to be used once The securness totally relies on useful random numbers. An entirely deterministic process cannot produce randomness. Hence we use mathematical approaches to gain pseudo-randomness. Randomness in Cryptography 15

16 Formal denitions, motivation for non-deterministic applications Example: The One-time-pad The one-time-pad is the only known completely secure cryptographic algorithm. Security relies on: (the shared secret is only known by trusted partners) the shared secret is truly random every element of the random sequence is only to be used once The securness totally relies on useful random numbers. An entirely deterministic process cannot produce randomness. Hence we use mathematical approaches to gain pseudo-randomness. Randomness in Cryptography 16

17 Formal denitions, motivation for non-deterministic applications Example: The One-time-pad The one-time-pad is the only known completely secure cryptographic algorithm. Security relies on: (the shared secret is only known by trusted partners) the shared secret is truly random every element of the random sequence is only to be used once The securness totally relies on useful random numbers. An entirely deterministic process cannot produce randomness. Hence we use mathematical approaches to gain pseudo-randomness. Randomness in Cryptography 17

18 Formal denitions, motivation for non-deterministic applications Example: The One-time-pad The one-time-pad is the only known completely secure cryptographic algorithm. Security relies on: (the shared secret is only known by trusted partners) the shared secret is truly random every element of the random sequence is only to be used once The securness totally relies on useful random numbers. An entirely deterministic process cannot produce randomness. Hence we use mathematical approaches to gain pseudo-randomness. Randomness in Cryptography 18

19 Fully algorithmic generation of random sequences Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 19

20 Fully algorithmic generation of random sequences Linear congruential generators One of the rst approaches in generating random sequences: X n := x n = (ax n 1 + b) mod m x n is taken as reminder mod m represents th n-th element of the pseudo-random sequence always liable to a maximum period θ < m + 1 maximum period will always produce the same cycle of numbers Randomness in Cryptography 20

21 Fully algorithmic generation of random sequences Linear congruential generators One of the rst approaches in generating random sequences: X n := x n = (ax n 1 + b) mod m x n is taken as reminder mod m represents th n-th element of the pseudo-random sequence always liable to a maximum period θ < m + 1 maximum period will always produce the same cycle of numbers Randomness in Cryptography 21

22 Fully algorithmic generation of random sequences Linear congruential generators - example X n := x n = (ax n 1 + b) mod m Let a = b = 3, m = 11, the initial value x n 1 = 0 X =... 3, 1, 6, 10, 0,... X obtains a maximum period of 5 Congruential generators (including quadratic and plynomial ones) have been proven to be insecure due to predictability (Sch05). Randomness in Cryptography 22

23 Fully algorithmic generation of random sequences Linear congruential generators - example X n := x n = (ax n 1 + b) mod m Let a = b = 3, m = 11, the initial value x n 1 = 0 X =... 3, 1, 6, 10, 0,... X obtains a maximum period of 5 Congruential generators (including quadratic and plynomial ones) have been proven to be insecure due to predictability (Sch05). Randomness in Cryptography 23

24 Fully algorithmic generation of random sequences Linear congruential generators - example X n := x n = (ax n 1 + b) mod m Let a = b = 3, m = 11, the initial value x n 1 = 0 X =... 3, 1, 6, 10, 0,... X obtains a maximum period of 5 Congruential generators (including quadratic and plynomial ones) have been proven to be insecure due to predictability (Sch05). Randomness in Cryptography 24

25 User-interaction driven generation of random sequences Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 25

26 User-interaction driven generation of random sequences Hybrid random sequence generators...is classied by using raw data which is not completely random, but quite non-traceable and used in combination with ordinary randomisation algorithms. Sustains upon: 1 direct user interaction 2 metadata about captured user interaction 3 various statistics 4 commonly used non-human-interface I/O-devices Randomness in Cryptography 26

27 User-interaction driven generation of random sequences Hybrid random sequence generators...is classied by using raw data which is not completely random, but quite non-traceable and used in combination with ordinary randomisation algorithms. Sustains upon: 1 direct user interaction 2 metadata about captured user interaction 3 various statistics 4 commonly used non-human-interface I/O-devices Randomness in Cryptography 27

28 User-interaction driven generation of random sequences User interaction Direct interaction: Keystrokes Mouse-movements and positioning (x,y) etc. Metadata about interaction: Inter- as well as intra-keystroke-timings Mouse-movement-timings and acceleration etc. Randomness in Cryptography 28

29 User-interaction driven generation of random sequences User interaction Direct interaction: Keystrokes Mouse-movements and positioning (x,y) etc. Metadata about interaction: Inter- as well as intra-keystroke-timings Mouse-movement-timings and acceleration etc. Randomness in Cryptography 29

30 User-interaction driven generation of random sequences Statistics and non-hi devices Statistics: Network-, and packet statistics process- and timetables etc. Non-human-interface I/O-devices: cameras microphones etc. Randomness in Cryptography 30

31 User-interaction driven generation of random sequences Statistics and non-hi devices Statistics: Network-, and packet statistics process- and timetables etc. Non-human-interface I/O-devices: cameras microphones etc. Randomness in Cryptography 31

32 User-interaction driven generation of random sequences Sidestep: Algebraical random generator under Linux Linux also uses a hybrid random number generator, which supplies two random number sources: /dev/random: Provides a very high level of entropy and therefore gives good but limited randomness /dev/urandom: Provides unlimited random numbers, but reuses entropy if not enough available The algebraical part of this generator sustains upon multiple iterations of the SHA-1 hashing-algorithm. Especially via /dev/urandom gathered entropy is re-used via re-hashing the collected data. Randomness in Cryptography 32

33 User-interaction driven generation of random sequences Sidestep: UI-driven randomness under Linux The UI-driven part of the Linux RNG mainly uses the following input sources: 1 Keystrokes (and timings), 2 Mouse movements (and timings), 3 Disk I/O operations, 4 System interrupts Note: Embedded Linux distributions like OpenWRT for routers often cannot provide good entropy, due to inexistence of input devices and harddisks; especially after resets! Randomness in Cryptography 33

34 Quantum mechanical physical randomness Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 34

35 Quantum mechanical physical randomness True randomness Atomic decay represents a good source for true randomness by measuring the quantity of emissions within a xed time-frame by a Geiger-counter. (SR07) describes the construction of a true quantum random number generator, measuring the quantum physical processes of photonic emissions in semiconductors. Provides up to 12Mbit s 1 Randomness in Cryptography 35

36 Quantum mechanical physical randomness True randomness Atomic decay represents a good source for true randomness by measuring the quantity of emissions within a xed time-frame by a Geiger-counter. (SR07) describes the construction of a true quantum random number generator, measuring the quantum physical processes of photonic emissions in semiconductors. Provides up to 12Mbit s 1 Randomness in Cryptography 36

37 Randomness through ordinary disk drives Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 37

38 Randomness through ordinary disk drives Randomness through ordinary disk drives Tests have shown, that rotantional speed, disk spacing and (cooling) air-ow directly aect the disk accessing behaviour. The algorithm measures the access-time for reading single sectors on the disk and uses the variation of these times as input source. Results still deserve the removal of correlations! Why results are supposed to be random: Main reason for disk-jitter is found in natural air turbulences inside the drive. (DIF94, ES00) Randomness in Cryptography 38

39 Randomness through ordinary disk drives Randomness through ordinary disk drives Tests have shown, that rotantional speed, disk spacing and (cooling) air-ow directly aect the disk accessing behaviour. The algorithm measures the access-time for reading single sectors on the disk and uses the variation of these times as input source. Results still deserve the removal of correlations! Why results are supposed to be random: Main reason for disk-jitter is found in natural air turbulences inside the drive. (DIF94, ES00) Randomness in Cryptography 39

40 Balancing asymmetric occurences Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 40

41 Balancing asymmetric occurences Neumann-ltering When a (pseudo) bitstream is gathered, the focus should be set on eliminitating correlations. One possible algorithm is the Neumann-Filter (Ert03). f = 00 ɛ 11 ɛ Randomness in Cryptography 41

42 Balancing asymmetric occurences Neumann-ltering When a (pseudo) bitstream is gathered, the focus should be set on eliminitating correlations. One possible algorithm is the Neumann-Filter (Ert03). f = 00 ɛ 11 ɛ Randomness in Cryptography 42

43 Balancing asymmetric occurences Let p be the possibility of any bit x inside the stream X to be 1, then the possibility of getting the value 1 after using the Neumann-Filter is dened through p n = p (1 p) 2p (1 p) = 0.5 Randomness in Cryptography 43

44 Why randomness is important Cryptography often relies on true randomness Randomness commonly builds the basement of key-generation processes Possibilities of reproduction/traceability must not exist Numerous vulnerabilities and exploits have been reported, which invalidate (strong) cryptographic routines due to corrupt random sources. Randomness in Cryptography 44

45 Early Netscape SSL implementations Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 45

46 Early Netscape SSL implementations How Netscape gathered entropy 1 global variable seed ; 2 3 RNG_ CreateContext () 4 ( seconds, microseconds ) = time of day ; 5 pid = process ID ; ppid = parent process ID ; 6 a = mklcpr ( microseconds ); 7 b = mklcpr ( pid + seconds + ( ppid << 12)); 8 seed = MD5 (a, b ); Randomness in Cryptography 46

47 Early Netscape SSL implementations Early SSL implementations The original Netscape code only took three parameters to gather entropy for key generation and exchange: system ID of current process system ID of parent process current time of day Several papers have shown that this combination of pseudo-random sources is breakable within under one minute (Gut98). Randomness in Cryptography 47

48 Early Netscape SSL implementations Early SSL implementations The original Netscape code only took three parameters to gather entropy for key generation and exchange: system ID of current process system ID of parent process current time of day Several papers have shown that this combination of pseudo-random sources is breakable within under one minute (Gut98). Randomness in Cryptography 48

49 TCP sequence number prediction Contents 1 Introduction The need for randomness Formal denitions, motivation for non-deterministic applications 2 Algebraical pseudo-randomness Fully algorithmic generation of random sequences User-interaction driven generation of random sequences 3 True unbiased bitstreams Quantum mechanical physical randomness Randomness through ordinary disk drives Balancing asymmetric occurences 4 Cryptographic endangerments due to lacks of entropy Early Netscape SSL implementations TCP sequence number prediction 5 Q & A Randomness in Cryptography 49

50 TCP sequence number prediction TCP sequence number prediction (Bel98) TCP uses stateful connections, and hence sequence numbering to assure correctness Both, server and client, chose their own random values as initial sequence number θ C, θ S TCP 3-way-handshake: 1 C S: SYN (θ C ) 2 S C: SYN (θ S ), ACK (θ C ) 3 C S: ACK (θ S ) Randomness in Cryptography 50

51 TCP sequence number prediction TCP sequence number prediction (Bel98) TCP uses stateful connections, and hence sequence numbering to assure correctness Both, server and client, chose their own random values as initial sequence number θ C, θ S TCP 3-way-handshake: 1 C S: SYN (θ C ) 2 S C: SYN (θ S ), ACK (θ C ) 3 C S: ACK (θ S ) Randomness in Cryptography 51

52 TCP sequence number prediction Prediction on Berkeley systems On Berkeley systems, sequence numbers are permanently incremented once a second by a constant amount Morover, they're increased by half of this amount everytime a connection is initiated This levels the ground for serious TCP session hijacking, interception and manipulation attacks, due to sequence number predictability. Randomness in Cryptography 52

53 Any questions? delta-xi.net Thank you. Randomness in Cryptography 53