The Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Similar documents
Enough Entropy? Justify It!

Random Number Generation Is Getting Harder It s Time to Pay Attention

Entropy. Finding Random Bits for OpenSSL. Denis Gauthier and Dr Paul Dale Network Security & Encryption May 19 th 2016

Pseudo-Random Generators

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Random Bit Generation

Pseudo-Random Generators

Entropy Estimation by Example

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Contents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge

Dan Boneh. Stream ciphers. The One Time Pad

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

What is the Q in QRNG?

Information Security

Design of Secure TRNGs for Cryptography Past, Present, and Future

On Linux Random Number Generator

Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

Survey of Hardware Random Number Generators (RNGs) Dr. Robert W. Baldwin Plus Five Consulting, Inc.

Week 12: Hash Functions and MAC

Entropy Extraction in Metastability-based TRNG

Entropy Evaluation for Oscillator-based True Random Number Generators

Entropy Estimation Methods for SW Environments in KCMVP. NSR: Seogchung Seo, Sangwoon Jang Kookmin University: Yewon Kim, Yongjin Yeom

A study of entropy transfers

/dev/random and SP800-90B

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Pseudo-Random Number Generators

FPGA based entropy source for cryptographic use

True Random Number Generation on FPGA

AIR FORCE INSTITUTE OF TECHNOLOGY

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

Symmetric Crypto Systems

Message Authentication Codes (MACs)

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

An Improved Fast and Secure Hash Algorithm

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Memory Elements I. CS31 Pascal Van Hentenryck. CS031 Lecture 6 Page 1

Recovering Private Keys Generated With Weak PRNGs

Symmetric Crypto Systems

Analysis of Message Injection in Stream Cipher-based Hash Functions

Network Security (NetSec)

Random number generators

True Random Number Generators Secure in a Changing Environment

Foundations of Network and Computer Security

Improving the Performance of the SYND Stream Cipher

THEORETICAL SIMPLE POWER ANALYSIS OF THE GRAIN STREAM CIPHER. A. A. Zadeh and Howard M. Heys

Foundations of Network and Computer Security

Lecture Notes. Advanced Discrete Structures COT S

Analysis of Underlying Assumptions in NIST DRBGs

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator

CPSC 467: Cryptography and Computer Security

FResCA: A Fault-Resistant Cellular Automata Based Stream Cipher

Algorithmic Number Theory and Public-key Cryptography

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Foundations of Network and Computer Security

Pseudo-random Number Generation. Qiuliang Tang

ALICE IN POST-QUANTUM WONDERLAND; BOB THROUGH THE DIGITAL LOOKING-GLASS

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

Quantum Differential and Linear Cryptanalysis

Post-quantum key exchange for the Internet based on lattices

On the Counter Collision Probability of GCM*

EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs)

c 2009 Michael Alan Wayne

A Highly Flexible Lightweight and High Speed True Random Number Generator on FPGA

Leftovers from Lecture 3

Asymmetric Encryption

Fundamentals of Modern Cryptography

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Fault Attacks Against Lattice-Based Signatures

Implementation Tutorial on RSA

Random Number Generation. Stephen Booth David Henty

CPSC 467: Cryptography and Computer Security

ONLINE TEST BASED ON MUTUAL INFORMATION FOR TRUE RANDOM NUMBER GENERATORS

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Selecting Elliptic Curves for Cryptography Real World Issues

A model and Architecture for Pseudo-Random Generation and Applications to /dev/random

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Online Cryptography Course. Collision resistance. Introduc3on. Dan Boneh

Quantum Technology: Challenges and Opportunities for Cyber Security. Yaoyun Shi University of Michigan

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Remote Timing Attacks are Practical

Computational and Statistical Learning Theory

Cryptography 2017 Lecture 2

Yale University Department of Computer Science

Lessons Learned from High-Speed Implementa6on and Benchmarking of Two Post-Quantum Public-Key Cryptosystems

Information and Communications Security: Encryption and Information Hiding

CIS 6930/4930 Computer and Network Security. Topic 4. Cryptographic Hash Functions

A Control Flow Integrity Based Trust Model. Ge Zhu Akhilesh Tyagi Iowa State University

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Linear Feedback Shift Registers (LFSRs) 4-bit LFSR

Daniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.

A model and architecture for pseudo-random generation with applications to /dev/random

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Public-key Cryptography: Theory and Practice

A Provably Secure True Random Number Generator with Built-in. Tolerance to Active Attacks

Power Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Transcription:

The Entropy Bogeyman Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Topics Overview Background Design Problems Public Entropy Vulnerabilities Recommendations International Crypto Module Conference 2 2015/11/05

Overview Entropy: measure of the unpredictability of a string of bits Entropy underpins cryptography Poor entropy can undermine security Ø But to what degree? Ø And with what consequences? 3 International Crypto Module Conference 2015/11/05

Background (Entropy Defined) Measures of entropy: Shannon Entropy, Renyi, Min-entropy, etc. Statistical assessments for entropy: DIEHARD FIPS 140-1 (11 Jan 1994) AIS 20 (2 Dec 1999) NIST SP 800-22 (1 Dec 2000) AIS 20/31 (18 Sep 2011) NIST SP 800-90B (Aug 2012) Assessing entropy is non-trivial 4 International Crypto Module Conference 2015/11/05

Background (Entropy Arch.) Key 1: ECC P-384 Key 2: AES 256 Key3: RSA 2048 RBG #1: Hash SHA-256 RBG #2: CTR AES-128 RBG #3: X9.31 AES-128 440-bits 512-bits 192-bits Noise Source Conditioning Entropy Source 5 International Crypto Module Conference 2015/11/05

Background (noise & whitening) Source type (hardware or software) Hardware: ring oscillators, voltage oscillators Software: timing variations in high-precision clock Types of whitening/conditioning Unbiasing (Von Neumann) Condensing (XORing, folding) Pool stirring (Hashing) Linear Feedback Shift Register (LFSR) Assess min-entropy of raw entropy samples Tim Hall s SP800-90B Python Suite 6 International Crypto Module Conference 2015/11/05

Background (RBG Strengths) Standard RBG Bits of security Seed Size X9.31 AES-128 128 256 800-90A AES-128 CTR 128 192 X9.31 AES-256 256 384 800-90A AES-256 CTR 256 384 800-90A SHA-256 Hash 256 440 800-90A SHA-256 HMAC 256 440 7 International Crypto Module Conference 2015/11/05

Background (Key Strengths) Bits of security Symmetric key algs 112 3DES-192 L = 2048 N = 224 128 AES-128 L = 3072 N = 256 192 AES-192 L = 7680 N = 384 256 AES-256 L = 15360 N = 512 DSA/DH RSA ECC 2048 224 3072 256 7680 384 15360 512+ 8 International Crypto Module Conference 2015/11/05

Design Problems (1) Key 1: ECC P-384 Key 2: AES 256 Key3: RSA 2048 RBG #1: Hash SHA-256 RBG #2: CTR AES-128 RBG #3: X9.31 AES-128 440-bits 512-bits 192-bits Noise Source Conditioning Entropy Source 9 International Crypto Module Conference 2015/11/05

Design Problems (2)??????? 10? International Crypto Module Conference 2015/11/05

Design Problems (3) 192 256 112 256 128 128 440 512 192 Noise Source Conditioning Entropy Source 11 International Crypto Module Conference 2015/11/05

Design Problems (4) Hardware sources are generally fine But it s often impossible to obtain raw samples for testing Software based mechanisms Sample a high-frequency clock, Do some operation (sleep 100 µsecs or execute code loop) Sample clock again, and take difference. Statistical testing on SW source raw samples is extremely important 12 International Crypto Module Conference 2015/11/05

Low Entropy Symmetric Keys Strong AES key (DRBG seeded w/256-bits of entropy) 0xC1459F958ADB58B6CBEB54E373F52 0xEB4B7FFC4C137288FBB3F573B12E7 2 nd AES key (DRBG seeded w/only 40-bits of entropy) 0x435F57D964A89F3853CBC98C28D8B 0xED41C9E8F9FB8817155B489A14E89 Can you spot the weakness in the 2 nd key? Don t worry, neither can an attacker 13 International Crypto Module Conference 2015/11/05

Public Entropy Vulnerabilities 1995 Goldberg and Wagner Netscape SSL PRNG PRNG (secs, usecs, pid, ppid) 2008 Debian OpenSSL Seeding Bug Seed = PID (maximum value 32,768/2^15 ) 2008 Karsten Nohl - weak Mifare RNG 16-bit RNG depended on read time 2012 Lenstra et al. Ron was Wrong, Whit is Right 2012 Heninger et al. Mining Your Ps and Qs Most comprehensive analysis of TLS/SSH public keys 14 International Crypto Module Conference 2015/11/05

Mining Your Ps and Qs Some shocking conclusions worth examining 5.57% TLS hosts share public keys 9.60% SSH hosts share public keys Let's remove default keys 0.75% TLS certs share keys (entropy too low during key gen) 1.70% TLS certs come from same faulty implementation But things get worse because of insufficient entropy 0.50%/0.03% (TLS/SSH) RSA keys cracked (shared primes 1.03% DSA SSH keys cracked (repeated k values) 15 International Crypto Module Conference 2015/11/05

Mining Your Ps and Qs (2) But let s examine more closely The authors conjecture that the use of /dev/urandom and the Boot-time entropy hole are to blame. They continue examining OpenSSL s method of RSA key generation as an explanation for the factorable RSA keys. They posit Dropbear SSH seeding with insufficient entropy / dev/urandom These problems are less concerning upon inspection Again, for symmetric keys generation, these problems don t exist 16 International Crypto Module Conference 2015/11/05

Recommendations Avoid foolish mistakes Do not use /dev/urandom (use /dev/random instead) Use simple post-processing/conditioning (or none) Watch for entropy bottlenecks Mix entropy sources appropriately (XOR or pool Hashing) and account for the weighted contribution of each source Scrutinize entropy at a cold boot/first boot Do not automatically generate key pairs during boot Scrutinize software noise sources (hardware noise sources are generally good) 17 International Crypto Module Conference 2015/11/05

Recommendations (2) Oversample whenever possible, be conservative Accept tradeoffs to increase security Test software entropy quality on all hardware models Introduce device unique data (e.g., seed at factory) Use hardware noise or evaluated sources if available Catastrophic failures are rare 40-bits of entropy likely to be indistinguishable from 256-bits once fed through an appropriate DRBG 18 International Crypto Module Conference 2015/11/05

Questions? Contacts: Ed Morris EdMorris@gossamersec.com Khai Van KhaiVan@gossamersec.com www.gossamersec.com www.facebook.com/gossamersec @gossamersec 19 International Crypto Module Conference 2015/11/05

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback