Linux Pseudo random Number Generator (LPRNG)
Real-life cryptography
Pfeiffer Alain
Index
- Types of PRNGs
- History
- General Structure
- User space
- Entropy types
- Initialization process
- Building Blocks
- Security requirements
- Conclusion
Types
- Non-cryptographic deterministic: should not be used for security (Mersenne Twister)
- Cryptographically secure: algorithm with properties that make it suitable for use in cryptography (Fortuna)
- Entropy inputs: produces bits non-deterministically, as the internal state is frequently refreshed with unpredictable data from one or several external entropy sources (LPRNG)
History
- Part of the Linux kernel since 1994
- Written by Ts'o
- Modified by Mackall
- +/- 1700 lines of C code
General Structure
- Internal states:
  ▪ Input pool (128 32-bit words = 4096 bits)
  ▪ Blocking pool (32 32-bit words = 1024 bits)
  ▪ Nonblocking pool (1024 bits)
- Output function: SHA-1
- Mixing function: linear mixing function ≠ hash
- Entropy counter:
  ▪ Decremented when bits are extracted
  ▪ Incremented when new bits are collected
User space
- /dev/random
  ▪ Reads from the blocking pool
  ▪ Limits the number of generated bits
  ▪ Blocks when there is not enough entropy
  ▪ Resumes when new entropy arrives in the input pool
- /dev/urandom
  ▪ Reads from the nonblocking pool
  ▪ Generates random bits WITHOUT blocking
- Writing data to the devices does NOT change the entropy counter!!!
Kernel space
- get_random_bytes(): reads random bytes from the nonblocking pool
Entropy inputs
- Backbone of security
- Injected:
  ▪ Into the generator for initialization
  ▪ Through the updating mechanism
- Usable independently
- Does NOT rely on physical non-deterministic phenomena
- Hardware RNGs
  ▪ Available for user space
  ▪ NOT mixed into the LPRNG
- Entropy gathering daemon:
  ▪ Collects the outputs
  ▪ Feeds them into the LPRNG
Entropy sources
- Reliable entropy:
  ▪ User inputs (keyboard, mouse)
  ▪ Disk timings
- Interrupt timings are NOT reliable:
  ▪ Regular interrupts
  ▪ Misuse of the "IRQF_SAMPLE_RANDOM" flag
Entropy events
- "num" value (type of event, 32 bits):
  ▪ Mouse (12 bits)
  ▪ Keyboard (8 bits)
  ▪ Interrupts (4 bits)
  ▪ Hard drive (3 bits)
- CPU "cycle": max. 32 bits, avg. 15 bits
- "jiffies" count (32 bits): kernel counter of timer interrupts (avg. 3-4 bits), frequency 100-1000 ticks/sec
- The generator never assumes max entropy.
Entropy Estimation Conditions
1. Unknown distribution: inputs vary a lot
2. Unknown correlation: correlations between inputs are likely
3. Large sample space: hard to keep track of 2^32 jiffies values
4. Limited time: estimation happens after interrupts, so it must be fast
5. Estimation at runtime: estimation for every input!
6. Unknown knowledge of the attacker
Initialization
- Not much entropy in the Linux boot process!
- At shutdown:
  ▪ Generate data from /dev/urandom
  ▪ Save it into a file
- At startup:
  ▪ Write the saved data to /dev/random
  ▪ The data is mixed into the blocking pool and the nonblocking pool without changing the counter!
Building Blocks
1. Mixing Function
2. Entropy Estimator
3. Output Function
4. Entropy Extraction
Linear feedback shift register
…
1. Mixing Function
1. Mixes the input one byte after another
2. Extends each byte to a 32-bit word
3. Rotates it by 0-31
4. Linear shifting (LFSR) into the pool
- No entropy gets lost
1. Mixing WITHOUT Input
- Linear feedback shift register (LFSR) over the Galois field GF(2^32)
- Feedback polynomial: Q(X) = α^3 (P(X) - 1) + 1, where α is a primitive element and P(X) depends on the size of the pool:
  ▪ Input pool: P(X) = X^128 + X^103 + X^76 + X^51 + X^25 + X + 1
  ▪ Output pool: P(X) = X^32 + X^26 + X^20 + X^14 + X^7 + X + 1
- Input pool period: 2^(92*32) - 1 ≠ 2^(128*32) - 1
- Output pool period: 2^(26*32) - 1 ≠ 2^(32*32) - 1
1. Mixing WITHOUT Input (cont.)
- Input pool: P(X) = X^128 + X^103 + X^76 + X^51 + X^25 + X + 1
- Output pool: P(X) = X^32 + X^26 + X^20 + X^14 + X^7 + X + 1
- P(X) is NOT irreducible! But by changing one feedback position:
  ▪ Input pool: P(X) = X^128 + X^104 + X^76 + X^51 + X^25 + X + 1
  ▪ Output pool: P(X) = X^32 + X^26 + X^19 + X^14 + X^7 + X + 1
- P(X) is irreducible, but NOT primitive! However, by changing α to α^2 (X^32 + X^26 + X^23 + X^14 + X^7 + X + 1), α^4, α^7, ... P(X) is irreducible AND primitive!
- Periods: 2^(128*32) - 1 & 2^(32*32) - 1
1. Mixing WITH Input
- Function L1: {0,1}^8 → {0,1}^32
  ▪ Rotates
  ▪ Multiplication in GF(2^32)
- Feedback function L2: ({0,1}^32)^5 → {0,1}^32
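As an added example (not code from the slides or from the kernel), the byte-mixing step of the "Mixing Function" and "Mixing WITH Input" slides modelled in C for the 32-word output pool: L1 extends and rotates the byte, L2 XORs in the word being replaced and the five feedback taps, and the result is multiplied by α^3 before it is stored. The taps come from the slides' P(X); the twist table and the 7/14 rotation schedule are the kernel's constants, which the slides do not show.

```c
/* Added example, not code from the slides or the kernel: a model of the LPRNG
 * byte-mixing step for the 32-word output pool. The taps 26,20,14,7,1 follow the
 * slides' P(X) = X^32+X^26+X^20+X^14+X^7+X+1; the twist table (alpha^3 in
 * GF(2^32)) and the 7/14 rotation schedule are kernel constants not on the slides. */
#include <stdint.h>
#include <string.h>

#define POOL_WORDS 32u
#define WORD_MASK  (POOL_WORDS - 1)

struct pool {
    uint32_t words[POOL_WORDS];
    unsigned add_ptr;      /* index of the word written last */
    unsigned input_rotate; /* L1 rotation amount, 0..31 */
};

/* Multiplication by alpha^3 in GF(2^32): shift right by 3, fold the low bits back in. */
static const uint32_t twist_table[8] = {
    0x00000000, 0x3b6e20c8, 0x76dc4190, 0x4db26158,
    0xedb88320, 0xd6d6a3e8, 0x9b64c2b0, 0xa00ae278 };

static uint32_t rol32(uint32_t w, unsigned r) {
    return r ? (w << r) | (w >> (32 - r)) : w;
}

/* Mix bytes in one after another: extend each byte to a 32-bit word and
 * rotate it (L1), XOR it with the pool word being replaced and the five
 * feedback taps (L2), multiply by alpha^3 and store it back. */
void mix_pool_bytes(struct pool *p, const uint8_t *in, size_t len) {
    static const unsigned taps[5] = { 26, 20, 14, 7, 1 };
    unsigned i = p->add_ptr, rot = p->input_rotate;
    while (len--) {
        uint32_t w = rol32(*in++, rot);
        i = (i - 1) & WORD_MASK;
        w ^= p->words[i];
        for (int t = 0; t < 5; t++)
            w ^= p->words[(i + taps[t]) & WORD_MASK];
        p->words[i] = (w >> 3) ^ twist_table[w & 7];
        rot = (rot + (i ? 7 : 14)) & 31;   /* rotation schedule for the next byte */
    }
    p->add_ptr = i;
    p->input_rotate = rot;
}

/* Count nonzero pool words: one byte mixed into an empty pool changes exactly one word. */
unsigned nonzero_words(const struct pool *p) {
    unsigned n = 0;
    for (unsigned i = 0; i < POOL_WORDS; i++) n += p->words[i] != 0;
    return n;
}
```

Because the twist is a bijection on 32-bit words, a nonzero byte mixed into an empty pool always leaves a nonzero word behind, which is the concrete form of "no entropy gets lost".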
2. Entropy Estimator (1)
- Random variables:
  ▪ Identically distributed
  ▪ Different (single) source
- Sample space: D where |D| >> 2
- Jiffies count: δ_i[1] at time i
- Estimator with input T_i:
- Logarithm function:
- Outcome:
2. Entropy Estimator (2)
- To compute the estimate we must know:
  ▪ Time t_{i-1}
  ▪ Jiffies count δ_{i-1}[1], where [1] = event 1
  ▪ Jiffies count δ_{i-1}[2], where [2] = event 2
- Property: invariant under a permutation
  ▪ Permutation:
  ▪ Distribution q:
  ▪ Distribution p:
- H(p) ≠ H(q), since the estimator uses the value of a given element and not its probability!
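As an added example (not code from the slides), the timer-based estimator the slides describe, modelled in C after the kernel's add_timer_randomness(): it needs exactly the three saved values listed above (t_{i-1} and the two previous differences), and run over constructed event sequences it shows both why regular interrupts earn no credit and why the estimate depends on the values rather than their probabilities (H(p) ≠ H(q)). The halving and the 11-bit cap per event are kernel details not shown on the slides.

```c
/* Added example, not code from the slides: a model of the kernel's timer-based
 * entropy estimator (add_timer_randomness in drivers/char/random.c) as described
 * on the estimator slides. It keeps t_{i-1}, delta_{i-1}[1] and delta_{i-1}[2],
 * takes the smallest of the three absolute differences and credits about log2 of
 * it. The ">> 1" rounding and the 11-bit cap are kernel choices not on the slides. */
#include <stdint.h>
#include <stdlib.h>

struct timer_state {
    uint32_t last_time;   /* t_{i-1} */
    int32_t  last_delta;  /* delta_{i-1}[1]: first difference */
    int32_t  last_delta2; /* delta_{i-1}[2]: second difference */
};

/* 1-based position of the highest set bit, 0 for x == 0 (the kernel's fls()). */
static int fls32(uint32_t x) {
    int n = 0;
    while (x) { n++; x >>= 1; }
    return n;
}

/* Entropy credited for one event whose jiffies count is `now`. */
int estimate_event_entropy(struct timer_state *s, uint32_t now) {
    int32_t delta  = (int32_t)(now - s->last_time);
    int32_t delta2 = delta - s->last_delta;
    int32_t delta3 = delta2 - s->last_delta2;
    s->last_time = now; s->last_delta = delta; s->last_delta2 = delta2;
    uint32_t d = abs(delta), d2 = abs(delta2), d3 = abs(delta3);
    if (d > d2) d = d2;                /* estimate from the least regular difference */
    if (d > d3) d = d3;
    int bits = fls32(d >> 1);          /* logarithm step */
    return bits > 11 ? 11 : bits;
}

/* Total credit for a sequence of event times; the first event has no history. */
int total_credit(const uint32_t *times, size_t n) {
    struct timer_state s = { 0, 0, 0 };
    int total = 0;
    for (size_t i = 0; i < n; i++) total += estimate_event_entropy(&s, times[i]);
    return total;
}

/* Constructed sample sequences. Regular interrupts: once the second difference is 0,
 * every further event is credited 0 bits, so they add nothing to the counter. */
static const uint32_t regular_times[] = { 100, 200, 300, 400, 500, 600 };
/* Gaps alternating {1, 2} versus {1000, 2000}: the same two-valued distribution,
 * but the estimator looks at the values, not their probabilities (H(p) != H(q)). */
static const uint32_t small_gaps[] = { 0, 1, 3, 4, 6, 7, 9 };
static const uint32_t large_gaps[] = { 0, 1000, 3000, 4000, 6000, 7000, 9000 };
```

With these inputs the regular sequence is credited only for its first event, the small-gap sequence earns 0 bits in total and the large-gap sequence 45 bits, even though both gap sequences are equally (un)predictable.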
3. Output Function
- Transfer: input pool → output pool
- Generate data from the output pool
- Uses the SHA-1 hash
- Two phases: feedback phase and extraction phase
3. Output – Feedback phase
- SHA-1:
  ▪ Get all pool bytes (as 32-bit words)
  ▪ Produce a 5-word hash
  ▪ Send it to
    ▪ the mixing function
    ▪ the extraction phase
- Mixing function:
  ▪ Get the 5-word hash
  ▪ Mix it back
  ▪ Shift 20 times (20 words = 640 bits)
3. Output – Extraction phase
- SHA-1:
  ▪ Initial value: the hash sent from the feedback phase
  ▪ Get 16 pool words
    ▪ Overlapping with the last word from the feedback function
    ▪ Overlapping with the first 3 words of the output pool
  ▪ Produce a 5-word hash
- Fold in half: extract w0 xor w1 xor w2 xor w3 xor w4
- Produce a 10-byte output
4. Entropy Extraction
- Random variable: X
- Rényi entropy: H2(X)
- Hash function: random choice of the hash G
- IF H2(X) ≥ r: G uniformly distributed, entropy close to r bits
4. Entropy Extraction - LPRNG
- LPRNG fixed hash function:
- Assumptions:
  ▪ Each element has size of
  ▪ Attacker knows all permutations
- Universal hash function:
- If the pool contains k bits of Rényi entropy and m ≤ k, the entropy is close to m bits:
Security requirements
- Sound entropy estimation:
  ▪ Estimate the amount of entropy correctly
  ▪ Guarantee that an attacker who knows the input can NOT guess the output!
- Pseudorandomness: impossible to compute the
  ▪ Internal state
  ▪ Future outputs
- Unable to recover
  ▪ Internal state
  ▪ Future outputs
  with partial knowledge of the entropy
Sound entropy estimation
- Samples: N = 7M
- Empirical frequency:
- Estimators:
  ▪ LPRNG entropy:
  ▪ Shannon entropy:
  ▪ Min-entropy:
  ▪ Rényi entropy:
- Results:
Pseudorandomness
- SHA-1: one-way function
- An adversary can NOT recover the content of the output pool or the input pool if he only knows the outputs!
- Folding: avoids recognizing patterns; the output of the hash is NOT directly recognizable
- Secure if the internal state is NOT compromised!
Security resilience
- Backtracking resistance: an attacker with knowledge of the current state should NOT be able to recover previous outputs!
- Prediction resistance: an attacker should NOT be able to predict future outputs with enough future entropy inputs!
Security resilience LPRNG
- Forward security: knowledge of the initial state does NOT provide information on previous states, even if the state was not refreshed by new entropy inputs.
  ▪ Backtracking resistance provided by: one-way output function
- Backward security: an adversary who knows the internal state is able to predict outputs and future outputs, because the output function is deterministic... (Bad!)
  ▪ Prediction resistance provided by: reseeding the internal state between requests!
Forward Security
- Attacker knows:
  ▪ Input pool
  ▪ Output pool
- The attacker knows the previous states EXCEPT the 160 bits which were fed back.
- BUT without additional knowledge a generic attack would have:
  ▪ 2^160 overhead
  ▪ 2^80 solutions
Backward Security
- Transferring k bits of entropy means that after
  ▪ Generating data from the UNKNOWN S1
  ▪ Mixing S1 into the KNOWN S2
  guessing the NEW S2 would cost on average 2^(k-1) trials for the attacker!
- Collecting k bits of entropy means that after
  ▪ Processing unknown data from the KNOWN S1
  guessing the NEW S1 would cost on average 2^(k-1) trials for the observer!
Backward Security – Attacks
1. Attacker:
  ▪ Knows the output pool
  ▪ Does NOT know the input pool
2. Attacker knows:
  ▪ Input pool
  ▪ Output pool
Backward Security – Attack 1
Enough entropy (k >= 64 bits)?
- Yes!
  ▪ Transferring k bits from the input pool
  ▪ Attacker loses k bits of knowledge
  ▪ NO output before k bits are mixed
  ▪ Generic attack (2^(k-1)): k bits of resistance!
- No!
  ▪ NO bits are transferred
  ▪ Attacker keeps knowledge
  ▪ NO output before k bits are sent from the input pool
  ▪ Generic attack (2^(k-1)): k bits of resistance!
Backward Security – Attack 2
    // k = 64 bits
    Collect k bits of entropy (2^(k-1) guesses)
    If (counter >= k bits) then
        counter--
    Else
        counter++
        transfer k bits from input
64 bits resistance
Conclusion
- Good level of security
- Mixing function could be improved!
- A newer hash function could be used (SHA-3)