Random Number Generation Is Getting Harder It s Time to Pay Attention

Similar documents
Entropy. Finding Random Bits for OpenSSL. Denis Gauthier and Dr Paul Dale Network Security & Encryption May 19 th 2016

Pseudo-Random Generators

Pseudo-Random Generators

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

/dev/random and SP800-90B

Random Bit Generation

A study of entropy transfers

Survey of Hardware Random Number Generators (RNGs) Dr. Robert W. Baldwin Plus Five Consulting, Inc.

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Design of Secure TRNGs for Cryptography Past, Present, and Future

What is the Q in QRNG?

The Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Enough Entropy? Justify It!

Random number generators

Entropy Evaluation for Oscillator-based True Random Number Generators

Information Security

Entropy Estimation Methods for SW Environments in KCMVP. NSR: Seogchung Seo, Sangwoon Jang Kookmin University: Yewon Kim, Yongjin Yeom

The Quantum Threat to Cybersecurity (for CxOs)

Dan Boneh. Stream ciphers. The One Time Pad

Contents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge

Network Security (NetSec)

Analysis of Entropy Usage in Random Number Generators

Managing the quantum risk to cybersecurity. Global Risk Institute. Michele Mosca 11 April 2016

Entropy Extraction in Metastability-based TRNG

Private-Key Encryption

Research Article A Novel True Random Number Generator Based on Mouse Movement and a One-Dimensional Chaotic Map

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

arxiv: v1 [cs.it] 23 Dec 2014

True Random Number Generation on FPGA

Quantum Computing: What s the deal? Michele Mosca ICPM Discussion Forum 4 June 2017

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Real Randomness with Noise and Chaos

Lecture 20. Randomness and Monte Carlo. J. Chaudhry. Department of Mathematics and Statistics University of New Mexico

CHAPTER 3 CHAOTIC MAPS BASED PSEUDO RANDOM NUMBER GENERATORS

Sampling exactly from the normal distribution

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions

Topics in Computer Mathematics

Administrivia. Course Objectives. Overview. Lecture Notes Week markem/cs333/ 2. Staff. 3. Prerequisites. 4. Grading. 1. Theory and application

Recommendations and illustrations for the evaluation of photonic random number generators

Device Independent Randomness Extraction for Arbitrarily Weak Min-Entropy Source

On Linux Random Number Generator

Other Public-Key Cryptosystems

On the Security of Election Audits with Low Entropy Randomness

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

A Highly Flexible Lightweight and High Speed True Random Number Generator on FPGA

ONLINE TEST BASED ON MUTUAL INFORMATION FOR TRUE RANDOM NUMBER GENERATORS

PQ Crypto Panel. Bart Preneel Professor, imec-cosic KU Leuven. Adi Shamir Borman Professor of Computer Science, The Weizmann Institute, Israel

Experiment 1: The Same or Not The Same?

Quantum Key Distribution. The Starting Point

Multi-Map Orbit Hopping Chaotic Stream Cipher

DATA ENCRYPTION DEVICE USING RADIOACTIVE DECAY AND A HYBRID QUANTUM ENCRYPTION ALGORITM

Introduction to Side Channel Analysis. Elisabeth Oswald University of Bristol

Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur

Message Authentication Codes (MACs)

Information and Communications Security: Encryption and Information Hiding

Continuous Machine Learning

Lesson One Hundred and Sixty-One Normal Distribution for some Resolution

An ultrafast quantum random number generator based on quantum phase fluctuations

AIR FORCE INSTITUTE OF TECHNOLOGY

How generative models develop in predictive processing

Introduction. Entropy and Security

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Previous Exam Questions, Chapter 2

A DPA attack on RSA in CRT mode

DPA-Resistance without routing constraints?

A NEW RANDOM NUMBER GENERATOR USING FIBONACCI SERIES

ALICE IN POST-QUANTUM WONDERLAND; BOB THROUGH THE DIGITAL LOOKING-GLASS

The quantum threat to cryptography

WHITE PAPER ON QUANTUM COMPUTING AND QUANTUM COMMUNICATION

Uncertainty in Measurement of Isotope Ratios by Multi-Collector Mass Spectrometry

STREAM CIPHER. Chapter - 3

One Weird Trick to Stop Selfish Miners: Fresh Bitcoins, A Solution for the Honest Miner

The Hash Function JH 1

Slides 3: Random Numbers

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

CPSC 467: Cryptography and Computer Security

Generation of True Random Numbers using quasi-monte Carlo methods

Cryptographic Hash Functions

The Dual Elliptic Curve Deterministic RBG

Elliptic Curve Cryptography and Security of Embedded Devices

Quantum Wireless Sensor Networks

Entropy transfers in the Linux Random Number Generator

From Sequential Circuits to Real Computers

A novel pseudo-random number generator based on discrete chaotic iterations

Examples of frequentist probability include games of chance, sample surveys, and randomized experiments. We will focus on frequentist probability sinc

EECS 126 Probability and Random Processes University of California, Berkeley: Fall 2014 Kannan Ramchandran September 23, 2014.

Lecture 3: Lower bound on statistically secure encryption, extractors

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Post Von Neumann Computing

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

c 2009 Michael Alan Wayne

Calibration Routine. Store in HDD. Switch "Program Control" Ref 1/ Ref 2 Manual Automatic

Scribe for Lecture #5

STAT509: Probability

B. Maddah ENMG 622 Simulation 11/11/08

Why should you care?? Intellectual curiosity. Gambling. Mathematically the same as the ESP decision problem we discussed in Week 4.

A Provably Secure True Random Number Generator with Built-in. Tolerance to Active Attacks

Transcription:

SESSION ID: PDAC-F03 Random Number Generation Is Getting Harder It s Time to Pay Attention Richard Moulds General Manager Whitewood Richard Hughes Laboratory Fellow (Retired) Los Alamos National Laboratory

All crypto security starts with random numbers Crypto security assumptions rely on keys being random, when patterns emerge (or are engineered) keys get more predictable Anything less than true randomness is a risk

But, there s a problem We need more and more randomness But, we are less and less sure we have enough entropy More and more crypto in use Longer and longer keys Increased key management scrutiny Tougher compliance Quantum threat Abstraction, containers and VMs Hosted and cloud environments Headless systems, no users Snap shots and replication Low power IoT devices

Hidden vulnerabilities and backdoors of choice

Basic requirements for randomness Uniformity: As many 1s as 0s, on average Independence: Each bit uncorrelated with all previous - statistical tests Diehard(er), NIST SP800-22 STS, TestU01 etc. These are necessary, but are not sufficient: π passes these tests 3.141592653589793238462643383279502884197169399375896 For cryptography, we also need - Compromise of one output must not compromise future or previous outputs Different outputs from each use

Unpredictability, irreproducibility requires entropy A hypothetical source of random numbers: Tossing a fair coin N times makes an N-bit random binary sequence (H=0, T=1) Example: 256 coin flips generate a 256-bit binary sequence Probability of a 256-bit output sequence x, is P x Unpredictability is quantified by entropy Min-entropy captures the probability that the output could be guessed in 1 trial But practical coin flips are biased: A bias of 51:49 is typical - i.e. not uniform How unpredictable? P. Diaconis et al., Dynamical Bias in the Coin Toss, SIAM Review 49, no.2, 211 (2007). 256 flips with a bias of 51:49 has H = 249 bits As unpredictable as 249 flips of a fair coin How to find entropy, quantify it, and use it to make a trusted, verifiable source of randomness for crypto?

Finally we have a standard (nearly) Specifying an entropy source is a complicated matter. This is partly due to confusion in the meaning of entropy, and partly due to the fact that, while other parts of an RBG design are strictly algorithmic, entropy sources depend on physical processes that may vary from one instance of a source to another. Recommendation for the Entropy Sources Used for Random Bit Generation (SP800-90B 2 nd draft) NIST January 2016 Constructions specify how entropy sources can be used to supply cryptographic randomness Assured randomness that s easy to use

NIST SP 800-90B entropy assessment A very general methodology Treats noise source as a black box Novel feature: entropy assessment Sequential and restart internal datasets Permutation testing to determine IID or non-iid Numerical entropy assessment tests Beyond statistical randomness tests Provides internal and external entropy scores Measured as bits of entropy per bit of output What entropy scores do present and future randomness sources have?

Why so complicated? Most random numbers come from the Operating System RANDOM NUMBER GENERATO R But software doesn t act randomly

Entropy - a long standing issue Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. (J. von Neumann, 1951)

Pseudo-random numbers an oxymoron? Entropy Source Random Seeds Operating System Pseudorandom number generator Random Numbers Crypto Application Shuffling the deck Dealing the deck

Where does entropy come from? Local Environment Host System Keyboards Mouse Clicks App1 App2 App3 Random Numbers Camera Entropy Pseudo-random number generator Operating System Microphone Entropy Antenna CPU Timing Network Timing Hard Drive Timing Hardware

But in a virtual world Local Environment Host System Keyboards Mouse Clicks App1 App2 App3 Random Numbers Camera Pseudo-random number generator Operating System Microphone Hypervisor Antenna CPU Timing Network Timing Hard Drive Timing Hardware

Random number generators in Linux Delivers random numbers only if sufficient entropy has been captured - otherwise it stops Delivers random numbers irrespective of how much entropy has been captured

Entropy sources in Linux Interrupt Events Timer Events (Disk activity, keyboard clicks and mouse movements etc.) Interrupt Entropy Pool (1024 bits) Main Entropy Pool (4096 bits) /dev/urandom PRNG /dev/random PRNG Check your entropy level with: cat /proc/sys/kernel/random/entropy_avail

Interrupt derived entropy in Linux Kernel IRQ handler adds data from interrupts into the Interrupt Pool Cycle Count & Kernel Timer (4 bytes) IRQ (4 bytes) Instruction Pointer (8 bytes) Cycles Kernel IRQ Instruction Pointer 123975895488 4294893898 14 18446744071578900000 123977123888 4294893898 14 18446744071578900000 123979445304 4294893898 18446744071578900000 123983781984 Entropy 4294893899 Score: 0.108 bits 14of entropy per 18446744071578900000 bit (non-iid) 123985083096 4294893899 14 18446744071578900000 123986825584 4294893899 14 18446744071578900000 123987250920 4294893899 14 18446744071578900000 Thanks to Adam Everspaugh - http://pages.cs.wisc.edu/~ace/

Disk derived entropy in Linux Timing of disk events is added directly to Input Pool Kernel Timer (4 bytes) Cycle Counter (4 bytes) Device ID (8 bytes) Kernel Timer Cycles Device ID 4294893055 114984099168 8388864 4294893055 114984867024 8388864 4294893055 114985479992 8388864 Entropy Score: 0.137 bits of entropy per bit (non-iid) 4294893055 114985942112 8388864 4294893060 115031476128 8388864 4294893060 115031907648 8388864 4294893060 115032263720 8388864 4294893060 115032643792 8388864 Thanks to Adam Everspaugh - http://pages.cs.wisc.edu/~ace/

Enhancing system entropy Goal: Generate true random numbers from a PRNG Good news - entropy is always additive Supplementary entropy source(s) Existing Applications PRNG e.g. /dev/random True random numbers Operating System Existing system entropy

Supplementary sources of entropy Three general approaches to improve entropy beyond the basic kernel: 1. Software daemons to more efficiently extract entropy for existing signals in interrupts State changes - HAVEGED (www.issihosts.com/haveged/) Timing Jitter CPU Jitter RNG (www.chronox.de/jent.html) Microphones and cameras audio-entropyd (www.vanheusden.com/aed/ and www.lavarnd.org/) 2. Local hardware based entropy sources (>0.99 bits of entropy per output bit?) Embedded CPU feature - e.g. Intel RdRand External or plug in devices - USB sticks, HSMs, PCI cards, etc. 3. Network based entropy sources and RNGs Random number services (https://random.org and https://beacon.nist.gov/home) Entropy as a Service (https://getnetrandom.com and https://entropy.ubuntu.com/

Comparing hardware RNGs Entropy or noise source Sample analog noise Digitize Remove sampling distortion (no entropy added) Post Processing Entropy extraction and whitening (no entropy added) Conditioning Random number outputs Noise sources Electrical noise Thermal noise Metastable circuits Ring oscillators Quantum fluctuations Health tests and entropy measurements Assessment criteria Quality of entropy source Verifiability of implementation Access to raw entropy for testing Data output rate Reliability of health tests Pseudo random number Generator Data rate expansion (no entropy added)

Comparison of supplementary entropy sources Jitter Daemons Embedded Hardware Sources Retrofit Hardware Sources Entropy as a Service Goal Low cost improvements Hardware/CPU differentiation Compliance and security Consistency and security Maturity Open source Mature Niche Emerging Advantages Low cost Low cost Speed Assurance Speed Consistency Assurance Barriers Hard to validate Hard to Manage Hard to validate Platform specific Inconvenient Cost Trust Immaturity

Summary Random numbers are critical for security but are often poorly understood and managed Random number generators are a point of attack and vulnerability potentially an invisible one Modern application environments present entropy challenges VMs, cloud and IoT Proving the operation and quality of entropy sources and random number generators goes beyond statistical tests - NIST SP 800-90B will help Supplementary sources of entropy can help and exist in various deployment models Random number generation should be a critical component of your key management strategy and datacenter infrastructure

Apply what you have learned today Next week you should: Identify applications that require true random numbers Think about entropy sources and their availability within your application environments In the first three months following this presentation you should: Consider supplementary entropy sources where risks of entropy starvation might exist Assess tools to test the quality of randomness in your organization Track the evolution (and finalization) of NIST SP 800-90 Within six months you should: Consider entropy management in data center infrastructure planning Consider entropy as part of any IoT strategy Make NIST standards certification a purchase criteria Define internal entropy validation and assurance policies

Thank you Questions? richard.moulds@whitewoodsecurity.com

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback