Kristjan Kelt - CryptoLUX · 2013-12-18
Kristjan Kelt
Survey of random number generators
on various platforms
University of Luxembourg 2013
Objective
● Investigate random number generation in several open source libraries, frameworks and applications that are based on cryptography
● Investigated
– Pure-Python ECDSA
– PyBitmessage
– BitcoinJS
– Bitaddress.org
– CryptoCat
● Part II (if time permits): Trusting random generators (based on Intel RDRAND)
Importance
● A good random generator is the cornerstone of good cryptography
– Everything that must be hard to predict needs a good random source
Importance
● Example attack
– September 2006: by commenting out a few lines in the OpenSSL library, Debian developers created a bug that rendered the OpenSSL random source useless
● The bug was discovered in May 2008 by Luciano Bello
● All cryptographic keys generated on Debian (or derived distributions like Ubuntu) with OpenSSL turned out to have only 15 bits of entropy (provided by the process id)
● All keys generated were possible to break with brute force
Importance
● Second attack example
– In 2013 a vulnerability in the Android SecureRandom class implementation was described by Michaelis, Meyer, Schwenk
– A cascade of bugs reduced entropy to 31 bits, making random numbers generated on Android guessable
– The vulnerability was previously used to steal at least 55 BTC from different wallets that used keys generated on Android
What is a good random number?
● Is 7 a good random number?
● What about 21299212?
● Or 9?
What is a good random number?
● They can all be either good or bad random numbers, depending on how they are generated
Entropy
● Entropy is just the size of the pool from which the numbers are randomly picked
– The entropy of 1 coin flip is 1 bit
– To get more entropy (in bits), we need more flips (random events)
● Real random numbers are hard to generate (read: slow) both for brains and for computers
– But entropy can be mixed, combined and distilled
– Unfortunately entropy is also consumed fast by today's cryptographic applications
PRNG (Pseudo random number generator)
● Benefits
– Provides a statistically good distribution
– Needs very little entropy as a source (e.g. the current time)
– Fast
● Why are PRNGs not secure?
– Predictability
– Linear dependencies
CSPRNG (Cryptographically Secure Pseudo Random Number Generator)
● Requirements
– Forward secrecy
– Backward secrecy
– State security
– Sufficiently large entropy
● RFC 1750, Randomness Recommendations for Security, Schiller, Crocker, Eastlake, 1994
● Cryptanalytic Attacks on Pseudorandom Number Generators, Schneier, Kelsey, Wagner, 1998
Generalized CSPRNG, with periodic reseeding (diagram)
Proposed in 1998 by Schneier, Kelsey, Wagner, Hall in Cryptanalytic Attacks on Pseudorandom Number Generators
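The following is an added example, not the design from the paper or the code of any project in this survey: a small hash-based generator built the way the generalized CSPRNG slide describes, with an entropy accumulator, a reseed after a fixed number of output bytes (backward secrecy) and a key replacement after every request (forward secrecy). The class name, the SHA-256 construction and the reseed interval are this example's own choices; `fixed_source` is a constructed, deterministic stand-in for an entropy source used only to make the behaviour reproducible.

```python
import hashlib
import os


class ReseedingPRNG:
    """Hash-based CSPRNG with an entropy accumulator and periodic reseeding.

    Educational construction in the spirit of the generalized CSPRNG slide;
    output block i is SHA256(key || counter_i).
    """

    def __init__(self, entropy_source=os.urandom, reseed_after=1 << 16):
        self._source = entropy_source      # callable returning n fresh bytes
        self._reseed_after = reseed_after  # output bytes allowed between reseeds
        self._acc = hashlib.sha256()       # accumulator for entropy events
        self._key = b"\x00" * 32
        self._counter = 0
        self._since_reseed = 0
        self.reseed_count = 0
        self.reseed()                      # never hand out bytes from the zero key

    def add_entropy(self, event: bytes) -> None:
        """Feed an entropy event (timestamp, input event, ...) into the accumulator.

        Events influence output only after the next reseed, which is why a
        generator that is never seeded again gains nothing from them."""
        self._acc.update(len(event).to_bytes(4, "big") + event)

    def reseed(self) -> None:
        """Distil the accumulator plus fresh source bytes into a new key."""
        self.add_entropy(self._source(32))
        pooled = self._acc.digest()
        self._acc = hashlib.sha256()       # start collecting for the next reseed
        # Chaining the old key in keeps whatever entropy the generator already had.
        self._key = hashlib.sha256(b"reseed" + self._key + pooled).digest()
        self._counter = 0
        self._since_reseed = 0
        self.reseed_count += 1

    def random_bytes(self, n: int) -> bytes:
        if self._since_reseed >= self._reseed_after:
            self.reseed()                  # backward secrecy: recover from a compromised state
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self._key + self._counter.to_bytes(8, "big")).digest()
            self._counter += 1
        self._since_reseed += n
        # Forward secrecy: replace the key after every request so that a later
        # state compromise does not reveal the bytes just handed out.
        self._key = hashlib.sha256(b"rekey" + self._key).digest()
        return bytes(out[:n])


def fixed_source(n: int) -> bytes:
    """Constructed, deterministic 'entropy' for the demonstration only."""
    return b"\x01" * n


if __name__ == "__main__":
    a = ReseedingPRNG(fixed_source, reseed_after=8)
    b = ReseedingPRNG(fixed_source, reseed_after=8)
    a.add_entropy(b"mouse move 10,20")              # event arrives after seeding
    print(a.random_bytes(8) == b.random_bytes(8))   # True: no effect until the next reseed
    print(a.random_bytes(8) == b.random_bytes(8))   # False: the reseed folded the event in
```

The `__main__` block reproduces the BitcoinJS observation later in the deck in miniature: an event mixed into the accumulator after seeding changes nothing until a reseed actually happens, so a design that "never seeds again" cannot benefit from user events at all.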
Presentation of investigated random number generators
● First, operating system provided generators were investigated
● Then platform libraries and browsers
● Finally the libraries, frameworks and applications in question
Operating systems
Linux*** (diagram)
Entropy sources feed the entropy pool. From it, the non-blocking pool serves /dev/urandom and get_random_bytes and the blocking pool serves /dev/random; the application reads from either device. Saved entropy is mixed back in during boot, and a hardware entropy source is fed back into the pool from user space when available.
*** without Intel RDRAND
Linux (a few comments)
● The entropy estimator seems to be based on Kolmogorov complexity rather than Shannon entropy (Pousse 2012, Short communication: An interpretation of the Linux entropy estimator)
● Analysis of the Linux Random Number Generator by Gutterman, Pinkas, Reinman, 2006
● The Linux Pseudorandom Number Generator Revisited by Lacharme, Röck, Strubel, Videau, 2012
OSX (diagram)
Entropy sources feed a single non-blocking entropy pool based on Yarrow-160, which serves both /dev/random and /dev/urandom.
Windows XP (diagram)
The application calls CryptGenRandom; what lies behind it is unknown (shown as ????? on the slide).
Windows Vista & 7 (diagram)
The application calls CryptGenRandom or BCryptGenRandom; the generators behind both are unknown (?????), and whether they are the same generator is left as an open question (?=).
Windows 8 (diagram)
The application can call CryptGenRandom (????), BCryptGenRandom (FIPS ?? NIST ??) or CryptographicBuffer.GenerateRandom (??); the generators behind each are unknown (?????), and whether they are the same generator is left as an open question (?=).
Platform libraries
Python (diagram)
The application uses os.urandom (a direct wrapper) or random.SystemRandom; both read /dev/urandom on Linux and OSX and CryptGenRandom on Windows.
OpenSSL (diagram)
The application calls RAND_bytes (OpenSSL has different engines, but according to the documentation it seeds at least once at the first call), which reads /dev/urandom on Linux and OSX and CryptGenRandom on Windows.
Browsers
Firefox, since version 21 (diagram)
The application calls window.crypto.getRandomValues(), backed by a NIST SP 800-90 Hash_DRBG (SHA256) with a seed length of 440 bits, reseeded after 2^48 bytes; the generator is shared between threads and is seeded from /dev/urandom on Linux and OSX and CryptGenRandom on Windows.
Internet Explorer, since version 11 (diagram)
On Windows 7 and Windows 8 the application calls window.crypto.getRandomValues(), backed by BCryptGenRandom.
Webkit (Safari, Chrome, Opera; browser specific) (diagram)
The application calls window.crypto.getRandomValues(), backed by an ARC4 stream cipher based random number generator (seed length 1024 bits, reseeded after 1600000 bytes; the generator is shared between threads), seeded from /dev/urandom on Linux and OSX and CryptGenRandom on Windows.
Libraries, frameworks and applications in question
CryptoCat (diagram)
The chat application draws from a Salsa20/20 generator (seed size 256 bits, never reseeded), seeded from window.crypto.getRandomValues.
Pure-Python ECDSA (library) (diagram)
The application uses class SigningKey (default curve NIST192p), which obtains its randomness through util.randrange (a small wrapper around os.urandom); the library also contains a class PRNG based on SHA256 + counter.
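An added example for the Python chain (os.urandom) and the util.randrange wrapper described above; it is my own code, not ecdsa's util.randrange or any other library code. It shows the one thing such a wrapper has to get right: turning raw bytes from os.urandom into an integer in [1, order-1] without bias, which means rejection sampling rather than a modular reduction. `scripted_source` and `output_distribution` are constructed test helpers that replay every possible one-byte input so the bias of the shortcut is visible without any randomness; `NIST192P_ORDER` is the P-192 group order as published in FIPS 186.

```python
import os
from collections import Counter

# NIST P-192 group order n (FIPS 186); SigningKey's default curve in the survey.
# Private scalars must lie in [1, n-1].
NIST192P_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831


def randrange(order: int, entropy=os.urandom) -> int:
    """Uniform integer in [1, order-1] by rejection sampling over raw random bytes.

    `entropy` is any callable returning n fresh random bytes; os.urandom is the
    platform chain from the slides (/dev/urandom or CryptGenRandom)."""
    if order < 2:
        raise ValueError("order must be at least 2")
    nbits = (order - 1).bit_length()         # bits needed to represent order-1
    nbytes = (nbits + 7) // 8
    excess = nbytes * 8 - nbits              # surplus high bits to drop
    while True:
        candidate = int.from_bytes(entropy(nbytes), "big") >> excess
        if 1 <= candidate < order:
            return candidate                 # every accepted value is equally likely
        # candidate was 0 or >= order: discard it and draw fresh bytes


def randrange_modulo(order: int, entropy=os.urandom) -> int:
    """The tempting shortcut: reduce a random integer modulo (order-1). Biased."""
    nbytes = (order.bit_length() + 7) // 8
    return 1 + int.from_bytes(entropy(nbytes), "big") % (order - 1)


def scripted_source(values, nbytes):
    """Constructed deterministic byte source that replays `values` in order."""
    it = iter(values)

    def draw(n):
        assert n == nbytes
        return next(it).to_bytes(nbytes, "big")

    return draw


def output_distribution(method, order):
    """Feed every possible one-byte input once and count the outputs of `method`.

    Rejected inputs produce no output, so for the rejection sampler the counts
    cover accepted draws only; for the modulo shortcut every input yields one."""
    src = scripted_source(range(256), 1)
    counts = Counter()
    try:
        while True:
            counts[method(order, src)] += 1
    except StopIteration:                    # source exhausted
        pass
    return counts


if __name__ == "__main__":
    print("rejection, order 7:", sorted(output_distribution(randrange, 7).items()))
    print("modulo,    order 7:", sorted(output_distribution(randrange_modulo, 7).items()))
    print("P-192 scalar:", hex(randrange(NIST192P_ORDER)))
```

For order 7 the rejection sampler yields each of 1..6 exactly 32 times over the 256 inputs, while the modulo shortcut yields 1..4 43 times each and 5..6 only 42 times; the skew is small at one byte, but the point is that it never disappears for a group order such as P-192's, whereas rejection sampling is exact.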
PyBitmessage (library) (diagram)
The application's addressGenerator uses OpenSSL.rand (a library wrapper), which calls OpenSSL.RAND_bytes, i.e. RAND_bytes of the OpenSSL library.
BitcoinJS
● Library crypto.js contains the Crypto.util namespace with a function randomBytes that uses Math.random()
● Library rng.js provides the class SecureRandom
– On pool initialization it calls window.crypto.random in case of a specific browser version (this interface does not exist)
– Then it continues to fill the pool with Math.random()
– Finally it adds the current time (in ms) to the end of the pool
BitcoinJS
● Library rng.js, prototype SecureRandom
– When generating the first random byte, it creates an ARC4 generator seeded by the current pool + current time
– The seed size is 1024 and it is calculated over a potentially larger entropy pool
– The generator is never seeded again
BitcoinJS
● At the top of rng.js is a suggestion to call rng_seed_time() on body.onClick and body.onKeyPress
– As the generator is never seeded again, this has an effect only until the first byte is generated
– Does not suggest mouse movements
– The sample user interface implementation does not follow this suggestion
BitcoinJS (diagram)
The application calls SecureRandom.nextBytes, backed by ARC4 (seed size 1024, from a potentially larger entropy pool, never reseeded); the pool is filled from Math.random(), mouse and keyboard events and the current time.
Bitaddress.org
● Incorporates code from different libraries, including BitcoinJS
● Uses a similar SecureRandom class, but does follow the suggestion to fill the pool from random user generated events
● Uses the mouse move event in addition
– Uses the current time and the mouse pointer coordinates (X*Y)
Bitaddress.org
● Uses a seed count to collect enough entropy
● The seed count threshold is generated with Math.random() (from Crypto.util.randomBytes)
Bitaddress.org
● When generating random bytes, checks for the existence of window.crypto.getRandomValues
– When present, returns bytes from this interface instead
– In practice this renders seed counting useless, as it does not change the seed of window.crypto.getRandomValues
Bitaddress.org (diagram)
The application calls SecureRandom.nextBytes, which returns bytes from window.crypto.getRandomValues OR from ARC4 (seed size 1024, from a potentially larger entropy pool, never reseeded).
Full Random Generation Chains
● Pure-Python ECDSA
● PyBitmessage
● Bitaddress.org (including parts of BitcoinJS)
● CryptoCat
Pure-Python ECDSA random generation chain (diagram)
The chain runs: application; class SigningKey (default NIST192p); util.randrange (wrapper around os.urandom); os.urandom (direct wrapper); then /dev/urandom on Linux (served by the non-blocking pool, fed by the entropy pool) and on OSX (entropy pool), or CryptGenRandom on Windows (entropy pool). The entropy sources below the pools are shown as unknown (?????).
PyBitmessage random generation chain (diagram)
The chain runs: application; addressGenerator; OpenSSL.rand (a library wrapper); OpenSSL.RAND_bytes; then /dev/urandom on Linux (served by the non-blocking pool, fed by the entropy pool) and on OSX (entropy pool), or CryptGenRandom on Windows (entropy pool). The entropy sources below the pools are shown as unknown (?????).
CryptoCat random generation chain (diagram)
The chain runs: chat application; Salsa20/20; window.crypto.getRandomValues, which in Firefox is the NIST SP 800-90 Hash_DRBG (SHA256) and in Webkit the ARC4 generator; then /dev/urandom on Linux (served by the non-blocking pool, fed by the entropy pool) and on OSX (entropy pool), or CryptGenRandom on Windows (entropy pool). The entropy sources below the pools are shown as unknown (?????).
Bitaddress.org random generation chain (diagram)
The chain runs: application; SecureRandom.nextBytes; then either window.crypto.getRandomValues (in Firefox the NIST SP 800-90 Hash_DRBG (SHA256), in Webkit the ARC4 generator, both reading /dev/urandom on Linux (non-blocking pool, fed by the entropy pool) and on OSX (entropy pool), or CryptGenRandom on Windows (entropy pool), with the entropy sources below the pools shown as unknown (?????)) OR the library's own ARC4 generator seeded from Math.random(), mouse and keyboard events and the current time.
Conclusion
● In general most investigated projects got things right
– The only really problematic project is BitcoinJS, which cannot be used directly out of the box
– Bitaddress.org, which extends BitcoinJS, got things (relatively) right though
Conclusion, continued
● Random number generation very often consists of several linked random number generators
● A cryptography application writer must understand the full random generation chain of the target platforms
Questions, or Part II (if time permits)
Trusting Random Generators
Trusting Random Generators
● Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator)
● Intel RDRAND instruction in Linux
Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator)
● Part of NIST Special Publication 800-90A
– National Institute of Standards and Technology
– Recommendation for Random Number Generation Using Deterministic Random Bit Generators
– Contains 4 specifications
● Contains a possible backdoor
– Shown by Dan Shumow and Niels Ferguson at the CRYPTO 2007 conference in August
– Still used (after 2007) by RSA Security (confirmed) and possibly by Intel and Microsoft (suspected)
– Backdoor somewhat confirmed in 2013
Intel RDRAND in Linux
● The documentation of the Linux random driver (the comments in random.c) states that hardware random sources are not part of the kernel and that entropy from them should be fed back into the pool externally
● In 2011 Intel engineers approached Linux and suggested incorporating the Intel RDRAND instruction directly into the Linux kernel as an architectural entropy source
Intel RDRAND in Linux
● Everything went (relatively) smoothly and the patches went into the kernel
● Fast forward to the third quarter of 2013, when the revelations about Dual_EC_DRBG came out
● Suddenly people noticed that the documentation of RDRAND mentions NIST SP 800-90A
– But this also contains Dual_EC_DRBG
– But Linux uses RDRAND
Intel RDRAND in Linux
● Linus Torvalds made a statement that
– Kernel maintainers actually know what they are doing
– The output of RDRAND is mixed into the entropy pool before it is returned to the user
● Theodore Ts'o said
– "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction."
Intel RDRAND in Linux (change history)
void get_random_bytes(void *buf, int nbytes){- extract_entropy(&nonblocking_pool, buf, nbytes, 0, 0);+ char *p = buf;++ while (nbytes) {+ unsigned long v;+ int chunk = min(nbytes, (int)sizeof(unsigned long));++ if (!arch_get_random_long(&v))+ break;++ memcpy(buf, &v, chunk);+ p += chunk;+ nbytes -= chunk;+ }++ extract_entropy(&nonblocking_pool, p, nbytes, 0, 0);}EXPORT_SYMBOL(get_random_bytes);
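Review bot: `memcpy(buf, &v, chunk)` copies every hardware chunk to the start of the buffer while the loop advances `p`, so each iteration overwrites the previous chunk and the region between `buf + chunk` and `p` is never written; the destination should be the output pointer, i.e. `memcpy(p, &v, chunk);`. Note also what happens when `arch_get_random_long` succeeds for every chunk: `nbytes` reaches 0 and the trailing `extract_entropy` contributes nothing, so the caller receives unmixed hardware output, which is exactly the reliance on RDRAND that the later slides question; a comment stating that this is intended, or a change that always mixes the pool in, would make the design decision explicit.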
author Linus Torvalds <[email protected]> 2011-10-28 12:29:07 (GMT)
committer Linus Torvalds <[email protected]> 2011-10-28 12:29:07 (GMT)
Intel RDRAND in Linux (change history)
static void add_timer_randomness(struct timer_rand_state *state, unsigned num){
struct {- cycles_t cycles;long jiffies;+ unsigned cycles;unsigned num;
} sample;long delta, delta2, delta3;
@@ -637,7 +637,11 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
goto out;
sample.jiffies = jiffies;- sample.cycles = get_cycles();++ /* Use arch random value, fall back to cycles */+ if (!arch_get_random_int(&sample.cycles))+ sample.cycles = get_cycles();+
sample.num = num;mix_pool_bytes(&input_pool, &sample, sizeof(sample));
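Review bot: Changing `cycles` from `cycles_t` to `unsigned` so that it matches `arch_get_random_int` truncates the cycle counter to 32 bits in the fallback path, and when the hardware call succeeds the field no longer holds timing information at all even though it is still named `cycles` and mixed as part of the timing sample; the struct deserves a comment saying what it now carries. Calling the hardware instruction on every input and disk event is also costly compared with `get_cycles()`, which is the reason the later commit quoted in this deck removes the call again.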
author Linus Torvalds <[email protected]> 2011-12-22 19:36:22 (GMT)
committer H. Peter Anvin <[email protected]> 2011-12-30 00:49:45 (GMT)
Intel RDRAND in Linux (change history)
● The function add_timer_randomness is called by
– add_input_randomness
– add_disk_randomness
Intel RDRAND in Linux (change history)
author Theodore Ts'o <[email protected]> 2011-12-22 21:28:01 (GMT)
committer H. Peter Anvin <[email protected]> 2012-01-16 19:18:21 (GMT)
static void init_std_data(struct entropy_store *r){
+ int i;ktime_t now;unsigned long flags;
@@ -974,6 +975,11 @@ static void init_std_data(struct entropy_store *r)now = ktime_get_real();mix_pool_bytes(r, &now, sizeof(now));
+ for (i = r->poolinfo->poolwords; i; i--) {+ if (!arch_get_random_long(&flags))+ break;+ mix_pool_bytes(r, &flags, sizeof(flags));+ }
mix_pool_bytes(r, utsname(), sizeof(*(utsname())));}
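Review bot: The loop count is `poolwords` but each pass mixes `sizeof(flags)` bytes, so on a 64-bit kernel it fetches twice as many hardware bytes as the pool holds; iterate over the byte size instead, `for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof flags)`, as the next version of this change on the following slide does. Reusing the existing `flags` local as the buffer for the hardware word is also easy to misread; a dedicated `unsigned long v` would be clearer. Breaking out silently on the first failed `arch_get_random_long` is acceptable here because the hardware bytes are extra input and no entropy is credited for them.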
Intel RDRAND in Linux (change history)
author Linus Torvalds <[email protected]> 2012-01-17 02:23:09 (GMT)
committer Linus Torvalds <[email protected]> 2012-01-17 02:23:09 (GMT)
static void init_std_data(struct entropy_store *r){+ int i;
ktime_t now;unsigned long flags;
@@ -974,6 +975,11 @@ static void init_std_data(struct entropy_store *r)now = ktime_get_real();
mix_pool_bytes(r, &now, sizeof(now));+ for (i = r->poolinfo->POOLBYTES; i > 0; i -= sizeof flags) {+ if (!arch_get_random_long(&flags))+ break;+ mix_pool_bytes(r, &flags, sizeof(flags));+ }
mix_pool_bytes(r, utsname(), sizeof(*(utsname())));}
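Review bot: Stepping `i` down from `POOLBYTES` by `sizeof flags` fixes the word/byte mismatch of the earlier version; keep `i` a signed `int` and the `i > 0` comparison as written, since that is what terminates the loop cleanly if `POOLBYTES` is ever not a multiple of `sizeof flags`. The hardware words are mixed in without any entropy credit, which is the right conservative choice for a source the kernel cannot audit, but a short comment above the loop saying so would stop a later "fix" from crediting bits for them.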
Intel RDRAND in Linux (change history)
● If the CPU supports a hardware random number generator, use it in xfer_secondary_pool(), where it will significantly improve things and where we can afford it.
● Also, remove the use of the arch-specific rng in add_timer_randomness(), since the call is significantly slower than get_cycles(), and we're much better off using it in xfer_secondary_pool() anyway.
author Theodore Ts'o <[email protected]> 2012-07-05 14:21:01 (GMT)
committer Theodore Ts'o <[email protected]> 2012-07-15 00:17:46 (GMT)
Intel RDRAND in Linux (change history)
● Mix in any architectural randomness in extract_buf() instead of xfer_secondary_buf(). This allows us to mix in more architectural randomness, and it also makes xfer_secondary_buf() faster, moving a tiny bit of additional CPU overhead to process which is extracting the randomness.
author H. Peter Anvin <[email protected]> 2012-07-28 02:26:08 (GMT)
committer Theodore Ts'o <[email protected]> 2012-07-28 02:37:20 (GMT)
Intel RDRAND in Linux (change history)
author H. Peter Anvin <[email protected]> 2012-07-28 02:26:08 (GMT)
committer Theodore Ts'o <[email protected]> 2012-07-28 02:37:20 (GMT)
static void extract_buf(struct entropy_store *r, __u8 *out){
[...............]
+ /*+ * If we have a architectural hardware random number+ * generator, mix that in, too.+ */+ for (i = 0; i < LONGS(EXTRACT_SIZE); i++) {+ unsigned long v;+ if (!arch_get_random_long(&v))+ break;+ hash.l[i] ^= v;+ }++ memcpy(out, &hash, EXTRACT_SIZE);+ memset(&hash, 0, sizeof(hash));}
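Review bot: XORing `v` into `hash.l[i]` as the final step before `memcpy(out, &hash, EXTRACT_SIZE)` makes the output a plain XOR of the pool hash with hardware words. That is sound for a source that is independent of the other operand, but because the hardware value is combined after the hash rather than fed into it, a source able to condition its output on that operand could cancel the pool's contribution, which is the concern on the Hornby slide and what the 2013 change addresses by mixing before the hash. Minor: `hash` is cleared with `memset` but `v` is not, so the last hardware word stays on the stack after return; clear it the same way.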
Code of the previous slide
Possible attack on Intel RDRAND in Linux
● Taylor Hornby
– At first sight there is no problem, as RANDOM xor INDEPENDENTLY_BIASED = RANDOM
– What if RDRAND is used as a marker to activate malicious behavior of the CPU?
– Then, when it sees RDRAND followed by XOR, it could bias the RDRAND output according to the second input of the XOR (in this case the state of the entropy buffer)
Intel RDRAND in Linux (change history, current fix of the previous problem)
author Theodore Ts'o <[email protected]> 2013-09-21 22:06:02 (GMT)
committer Theodore Ts'o <[email protected]> 2013-10-10 18:32:13 (GMT)
● Previously if CPU chip had a built-in random number generator (i.e., RDRAND on newer x86 chips), we mixed it in at the very end of extract_buf() using an XOR operation.
● We now mix it in right after we calculate a hash across the entire pool. […]
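As an added illustration of the Hornby slide and of this fix, not code from the kernel or from the talk: a toy model of the two extract_buf() orderings. `extract_end_xor` stands for the 2012 code (hash the pool, then XOR the hardware word in last) and `extract_hash_first` for the 2013 change (feed the hardware word into the hash input). The sources are constructed stand-ins: `independent_biased_source` ignores the other operand, matching the RANDOM xor INDEPENDENTLY_BIASED = RANDOM identity, while `dependent_source` is the thought-experiment generator that can see the value it is about to be XORed with. The pools are constructed bytes; SHA-256 is used as the hash only for illustration.

```python
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def extract_end_xor(pool: bytes, hw_source) -> bytes:
    """Model of the 2012 ordering: hash the pool, then XOR the hardware word in last.

    hw_source(other_operand) models a generator that, in the hypothetical, can
    observe the value it is about to be XORed with."""
    h = hashlib.sha256(pool).digest()
    return xor_bytes(h, hw_source(h))


def extract_hash_first(pool: bytes, hw_source) -> bytes:
    """Model of the 2013 change: mix the hardware word into the hash input instead.

    The source may still choose its word after seeing the pool, but the output
    is SHA256(pool || v); steering it to a chosen value would mean inverting
    the hash rather than matching an XOR operand."""
    v = hw_source(pool)
    return hashlib.sha256(pool + v).digest()


def independent_biased_source(_other: bytes) -> bytes:
    """Biased but independent: ignores the other operand (constructed)."""
    return b"\xff" * 32


def dependent_source(other: bytes) -> bytes:
    """Thought-experiment source from the Hornby slide: echoes the other operand."""
    return bytes(other)


# Constructed stand-ins for two different entropy-pool states.
POOL_A = bytes(range(64))
POOL_B = bytes(range(64, 128))


def demo():
    """Return the four outputs compared in the text, keyed by scenario."""
    return {
        "end_xor/independent": extract_end_xor(POOL_A, independent_biased_source),
        "end_xor/dependent": extract_end_xor(POOL_A, dependent_source),
        "hash_first/dependent_A": extract_hash_first(POOL_A, dependent_source),
        "hash_first/dependent_B": extract_hash_first(POOL_B, dependent_source),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value.hex()}")
```

With the independent biased source, the end-XOR output is still a bijection of the pool hash, so it stays as unpredictable as the pool. With the dependent source the end-XOR output collapses to all zeros for every pool state, which is the scenario the slide describes; moving the hardware word in front of the hash keeps the output dependent on the pool even against that source.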
Conclusion
● The random number generator in the CPU cannot be trusted