Entropy. Finding Random Bits for OpenSSL. Denis Gauthier and Dr Paul Dale Network Security & Encryption May 19 th 2016

Similar documents
Random Number Generation Is Getting Harder It s Time to Pay Attention

/dev/random and SP800-90B

A study of entropy transfers

Pseudo-Random Generators

Pseudo-Random Generators

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Enough Entropy? Justify It!

The Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Random Bit Generation

Dan Boneh. Stream ciphers. The One Time Pad

Analysis of Entropy Usage in Random Number Generators

Random number generators

*** SAMPLE ONLY! The actual NASUNI-FILER-MIB file can be accessed through the Filer address>/site_media/snmp/nasuni-filer-mib ***

CIS 4930/6930: Principles of Cyber-Physical Systems

Administrivia. Course Objectives. Overview. Lecture Notes Week markem/cs333/ 2. Staff. 3. Prerequisites. 4. Grading. 1. Theory and application

A model and Architecture for Pseudo-Random Generation and Applications to /dev/random

Algorithms. Gregory D. Weber. April 11, 2016

Private-Key Encryption

Information Security Theory vs. Reality

Part I. System call overview. Secure Operating System Design and Implementation System Calls. Overview. Abstraction. Jon A. Solworth.

A model and architecture for pseudo-random generation with applications to /dev/random

Knott, M. May Future t r e n d s

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Process Scheduling for RTS. RTS Scheduling Approach. Cyclic Executive Approach

COMPUTER SCIENCE TRIPOS

I/O Devices. Device. Lecture Notes Week 8

WordPress and CRM. Match Made In Heaven... or Hell?

Symmetric Crypto Systems

Entropy Estimation Methods for SW Environments in KCMVP. NSR: Seogchung Seo, Sangwoon Jang Kookmin University: Yewon Kim, Yongjin Yeom

Scheduling I. Today Introduction to scheduling Classical algorithms. Next Time Advanced topics on scheduling

Network Security (NetSec)

Qualitative vs Quantitative metrics

CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2018

CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2018

Computer Architecture

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

CSE332: Data Structures & Parallelism Lecture 2: Algorithm Analysis. Ruth Anderson Winter 2019

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

Lecture 6. Real-Time Systems. Dynamic Priority Scheduling

Symmetric Crypto Systems

Entropy Assessment of Windows OS Performance Counters

Matrix Assembly in FEA

ISSP User Guide CY3207ISSP. Revision C

Real-Time Scheduling. Real Time Operating Systems and Middleware. Luca Abeni

Herschel Space Observatory and The NASA Herschel Science Center at IPAC. April, u George Helou. u Implementing Portals to the Universe Report

SmartDairy Catalog HerdMetrix Herd Management Software

ECE/CS 250 Computer Architecture

CS1800: Hex & Logic. Professor Kevin Gold

Entropy transfers in the Linux Random Number Generator

ECE 250 / CPS 250 Computer Architecture. Basics of Logic Design Boolean Algebra, Logic Gates

Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc.

Process Scheduling. Process Scheduling. CPU and I/O Bursts. CPU - I/O Burst Cycle. Variations in Bursts. Histogram of CPU Burst Times

COMPUTER SCIENCE TRIPOS

Howto make an Arduino fast enough to... Willem Maes

LSN 15 Processor Scheduling

On some properties of PRNGs based on block ciphers in counter mode

Che-Wei Chang Department of Computer Science and Information Engineering, Chang Gung University

What Every Programmer Should Know About Floating-Point Arithmetic DRAFT. Last updated: November 3, Abstract

Math 231E, Lecture 25. Integral Test and Estimating Sums

2.6 Complexity Theory for Map-Reduce. Star Joins 2.6. COMPLEXITY THEORY FOR MAP-REDUCE 51

Service Information Letter SIL # 017

Menu. Lecture 2: Orders of Growth. Predicting Running Time. Order Notation. Predicting Program Properties

2016 Junior Lesson One

CMP 338: Third Class

30.5. Iterative Methods for Systems of Equations. Introduction. Prerequisites. Learning Outcomes

COMS 6100 Class Notes

THE UTP SUITE YOUR ALL-IN-ONE SOLUTION FOR BUILDING MODERN TEST SYSTEM SOFTWARE

Information Security

COMPUTER SCIENCE TRIPOS

Satellite project, AST 1100

Entropy Evaluation for Oscillator-based True Random Number Generators

The conceptual view. by Gerrit Muller University of Southeast Norway-NISE

Real-Time Scheduling and Resource Management

The Bell-LaPadula Model

ECEN 449: Microprocessor System Design Department of Electrical and Computer Engineering Texas A&M University

CPSC 467: Cryptography and Computer Security

On the Security of Election Audits with Low Entropy Randomness

Multi-Map Orbit Hopping Chaotic Stream Cipher

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Mechanizing Elliptic Curve Associativity

UC Santa Barbara. Operating Systems. Christopher Kruegel Department of Computer Science UC Santa Barbara

Pseudo-random Number Generation Using Binary Recurrent Neural Networks

The Changing Face of Geospatial Technology

Analysis of Underlying Assumptions in NIST DRBGs

INF2270 Spring Philipp Häfliger. Lecture 8: Superscalar CPUs, Course Summary/Repetition (1/2)

Class 12. Random Numbers

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

convert a two s complement number back into a recognizable magnitude.

ECE/CS 250: Computer Architecture. Basics of Logic Design: Boolean Algebra, Logic Gates. Benjamin Lee

On Linux Random Number Generator

A Repetition Test for Pseudo-Random Number Generators

FACULTY OF SCIENCE ACADEMY OF COMPUTER SCIENCE AND SOFTWARE ENGINEERING OBJECT ORIENTED PROGRAMMING DATE 07/2014 SESSION 8:00-10:00

CS 700: Quantitative Methods & Experimental Design in Computer Science

Thanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation

CHAPTER 3 CHAOTIC MAPS BASED PSEUDO RANDOM NUMBER GENERATORS

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Scheduling I. Today. Next Time. ! Introduction to scheduling! Classical algorithms. ! Advanced topics on scheduling

Differentiation 1. The METRIC Project, Imperial College. Imperial College of Science Technology and Medicine, 1996.

Bust-A-Myth Particles of Matter and Heat Transfer. Students will use the online Research Gadget and experimentation to bust or confirm the myth:

Random Numbers and Distributions Session 1

Transcription:

Entropy Finding Random Bits for OpenSSL Denis Gauthier and Dr Paul Dale Network Security & Encryption May 19 th 2016

Program Agenda 1 2 3 4 OpenSSL s Entropy Finding Good Quality Entropy Designing an Entropy Module Summary The statements and opinions expressed here are my own and do not necessarily represent those of Oracle Corporation. 2

Definitions Entropy is a measure of possible patterns present within random data Entropy is a random string which has no shorter description than the string itself (Kolmogorov complexity) 3

OpenSSL Entropy: FIPS Case OpenSSL provides entropy for the non-fips case, but not for the FIPS case Bring Your Own Entropy (BYOE) OpenSSL Security Policy: Module users (the calling applications) shall use entropy sources that meet the security strength required for the random number generation mechanism as shown in [SP 80090] Table (Hash_DRBG, HMAC_DRBG), Table 3 (CTR_DRBG) and Table 4 (Dual_EC_DRBG). This entropy is supplied by means of callback functions. Those functions must return an error if the minimum entropy strength cannot be met. For years, FIPS validation authorities had a no comment entropy policy 4

OpenSSL Entropy: Non-FIPS Case For *nix platforms, seeds its PRNG at startup with 256 bits from: Files: /dev/urandom; /dev/random; /dev/srandom Sockets: /var/run/egd-pool; /dev/egd-pool; /etc/egd-pool; /etc/entropy Other: Add in pid, uid & time (not much entropy here) One single global PRNG for all crypto for all time (while OpenSSL is running) Never re-seeds no forward secrecy 5

OpenSSL Entropy: Conclusions BYOE: Find some entropy for OpenSSL Periodically reseed the OpenSSL PRNG to provide forward secrecy 6

Reseeding: Not Everyone Will Get it Right Deadlines and competing priorities A little learning is a dangerous thing - Alexander Pope Example random seed from Ubuntu forums: (unsigned int)time(0) + getpid() developer advised to remove getpid() Not enough entropy XKCD.com 7

Reseeding: Finding Good Quality Entropy Do your entropy sources produce enough entropy? Do your entropy sources produce unpredictable data? Does your entropy come from trusted sources? 8

Reseeding: Enough Entropy There is no universal solution the amount varies with each source and its operating environment Hardware: if available, HRNGs produce a lot of entropy Software: higher amounts come from timers (low order bits) It is hard to predict when an event will take place Most systems have many events interacting in unpredictable ways 9

Reseeding: Enough Entropy => Not Much time(2) or getpid(2) Keyboard strokes and mouse movements No good on headless systems and when operators are away When users try to generate entropy, movements become repetitive Use these but don t rely on them 10

Reseeding: Enough Entropy => More Good but not always reliable: Turbid, Randomsound /dev/urandom Good but slow: CPU & memory info, IO, process times, disk stats, interrupts, network interface stats, kernel timer stats /dev/random on *nix systems 11

Reseeding: Enough Entropy => Plenty Software CPU jitter (Haveged) High speed timers Instruction counter (TSC) Timer jitter (Maxwell) Hardware: RDRAND Dedicated HRNGs 12

Reseeding: Enough Entropy => Generation Rates 13

Reseeding: Unpredictable Data Statistical tests NIST SP800-90B python tool (IID and non-iid) NIST SP800-22 statistical tests Ent Dieharder TestU01 Crush TestU01 Big Crush All give false negatives and false positives They will detect some non-randomness, but cannot prove randomness 14

Reseeding: Unpredictable Data Statistical tests cannot distinguish entropy from the output of a PRNG Some tests cannot distinguish entropy from simple functions Libc rand passes SP800-90B IID tests with 7.87 bits/byte entropy Do not use this function in applications intended to be portable when good randomness is needed. rand(3) man page 15

Reseeding: Unpredictable Data Simple and non-random iterated function passes tests Suite Samples Result Entropy / byte Note SP800-90B IID 10 6 Pass 7.88698 SP800-90B noniid 10 6 Pass 5.74889 SP800-22 10 6 Pass Ent 10 6 Pass 7.999803 Dieharder 10 9 Pass 7 weak successes TestU01 Crush 10 9 Fail 44 failures TestU01 Big Crush 10 9 Fail 83 failures 16

Reseeding: Unpredictable Data => Time to Collect Samples 17

Reseeding: Unpredictable Data => Summary It is difficult/impossible to measure the quality of your entropy Do run statistical tests (and continuous health tests) Catches some poor entropy Estimate how much entropy the source delivers, BUT If someone substitutes your entropy, you won t know the difference Trust is a central issue when it comes to getting good entropy 18

Reseeding: Trusted Sources => Careful Evaluation Due diligence evaluate your sources carefully Cardinal rule Transparency is Good (but examine it well ) Technical considerations Social/political considerations 19

Reseeding: Trusted Sources => HRNGs HRNGs are usually in a black box (IC), but can you trust what is hidden in a black box? It would be possible for an HRNG to sabotage the entropy pool in some cases 20

Entropy Module Design Considerations Diversify multiple independent sources Use a scheduler Handles reseeding for forward secrecy Every source has a different entropy generation rate and that determines the appropriate polling interval and when to push to the application s pool Performance: don t starve your system Conditioning 21

Summary OpenSSL entropy is weak BYOE Reseed the OpenSSL PRNG Find some independent sources Test it Trust it Bolt cutters not required scissors will do. 22

Questions? Contact: denis.gauthier@oracle.com 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback