Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Similar documents
Network Security (NetSec)

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

Pseudo-Random Generators

Pseudo-Random Generators

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Pseudo-random Number Generation. Qiuliang Tang

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Random number generators

Lecture Notes. Advanced Discrete Structures COT S

STREAM CIPHER. Chapter - 3

Public-key Cryptography: Theory and Practice

What is the Q in QRNG?

Random Bit Generation

CHAPTER 3 CHAOTIC MAPS BASED PSEUDO RANDOM NUMBER GENERATORS

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Computer Science A Cryptography and Data Security. Claude Crépeau

Pseudorandom Generators

Information Security

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Leftovers from Lecture 3

Pseudorandom number generators based on random covers for finite groups

Random Number Generation Is Getting Harder It s Time to Pay Attention

Efficient Pseudorandom Generators Based on the DDH Assumption

All-Or-Nothing Transforms Using Quasigroups

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

State Recovery Attacks on Pseudorandom Generators

True & Deterministic Random Number Generators

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

Private-Key Encryption

Yale University Department of Computer Science

On ZK-Crypt, Book Stack, and Statistical Tests

A novel pseudo-random number generator based on discrete chaotic iterations

Cryptography IV: Asymmetric Ciphers

Introduction to Information Security

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Survey of Hardware Random Number Generators (RNGs) Dr. Robert W. Baldwin Plus Five Consulting, Inc.

Scribe for Lecture #5

On some properties of PRNGs based on block ciphers in counter mode

Foundations of Network and Computer Security

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Week 12: Hash Functions and MAC

A Pseudo-Random Encryption Mode

Foundations of Network and Computer Security

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

On Quasigroup Pseudo Random Sequence Generators

CRC Press has granted the following specific permissions for the electronic version of this book:

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Notes for Lecture 9. 1 Combining Encryption and Authentication

One-way Hash Function Based on Neural Network

Pseudorandom Generators

arxiv:cs/ v1 [cs.cr] 20 Aug 2004

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Secret Key: stream ciphers & block ciphers

Fundamentals of Modern Cryptography

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Cryptography 2017 Lecture 2

Simple Unpredictable Pseudo-Random Number Generator

STORY of SQUARE ROOTS. and QUADRATIC RESIDUES. Part I. Public-key cryptosystems II. Other cryptosystems and cryptographic primitives

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Cryptographic Hash Functions

Security Implications of Quantum Technologies

An efficient parallel pseudorandom bit generator based on an asymmetric coupled chaotic map lattice

About Random Bits. December 3, Random Bit Generators Pseudo-Random Bit Generators... 2

Block ciphers And modes of operation. Table of contents

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Chaotic Random Bit Generator Realized with a Microcontroller

On the Big Gap Between p and q in DSA

An introduction to Hash functions

1 Number Theory Basics

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Equivalences of Basic Cryptographic Functions

Lecture 7: Pseudo Random Generators

CPA-Security. Definition: A private-key encryption scheme

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

1 Cryptographic hash functions

Research Article A Novel True Random Number Generator Based on Mouse Movement and a One-Dimensional Chaotic Map

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator

1 Cryptographic hash functions

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Entropy Extraction in Metastability-based TRNG

Blind Collective Signature Protocol

Improved Cascaded Stream Ciphers Using Feedback

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

On the Security of CTR + CBC-MAC

Analysis of SHA-1 in Encryption Mode

Entropy Evaluation for Oscillator-based True Random Number Generators

Lecture 3: Randomness in Computation

The Dual Elliptic Curve Deterministic RBG

AIR FORCE INSTITUTE OF TECHNOLOGY

Cryptanalysis of a Multistage Encryption System

Quantum Permanent Compromise Attack to Blum-Micali Pseudorandom Generator

Random Number Generation. Stephen Booth David Henty

Introduction. Entropy and Security

CPSC 467: Cryptography and Computer Security

NEW RESULTS CONCERNING THE POWER OF NIST RANDOMNESS TESTS

Transcription:

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle Network Security Chapter 2 Basics 2.4 Random Number Generation for Cryptographic Protocols

Motivation It is crucial to security that cryptographic keys are generated with a truly random or at least a pseudo-random generation process (see subsequently) Otherwise, an attacker might reproduce the key generation process and easily find the key used to secure a specific communication Generation of pseudo-random numbers is required in cryptographic protocols for the generation of Cryptographic keys Nonces (Numbers Used Once) Example usages Key generation and peer authentication in IPSec and SSL Authentication with challenge-response-mechanism, e.g. GSM and UMTS authentication Network Security, WS 2010/11, Chapter 2.4 2

Random Number Generators Definition: A random bit generator is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits. Remark: A random bit generator can be used to generate uniformly distributed random numbers e.g. a random integer in the interval [0, n] can be obtained by generating a random bit sequence of length lg 2 n + 1 and converting it into a number. If the resulting integer exceeds n it can be discarded and the process is repeated until an integer in the desired range has been generated. Network Security, WS 2010/11, Chapter 2.4 3

Entropy (c.f. Niels Ferguson, Bruce Schneier: Practical Cryptography, pp. 155ff) The measure for randomness is called entropy Let X a random variable which outputs a sequence of n bits The Shannon information entropy is defined by: H ( X ) = P( X = x)ln2( P( X = x)) x E.g. if all possible outputs are equally probable, then n 2 n H X = 1 1 1 1 ( ) ( ) ln n n n 2 ( ) = 2 * * ( ) = n n i = 0 2 2 2 A secure cryptographic key of length n bits should have n bits of entropy. If k from the n bits become known to an attacker and the attacker has no information about the remaining (n k) bits, then the key has an entropy of (n k) bits A bits sequence of arbitrary large length that takes only 4 different values has only 2 bits of entropy Passwords that can be remembered by human beings have usually a much lower entropy than their length. Entropy can be understood as the average number of bits required to specify a bit-sequence if an ideal compression algorithm is used. Network Security, WS 2010/11, Chapter 2.4 4

Pseudo-Random Number Generators (1) Definition: A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k ( seed ), outputs a binary sequence of length m >> k which appears to be random. The input to the PRBG is called the seed and the output is called a pseudo-random bit sequence. Remarks: The output of a PRBG is not random, in fact the number of possible output sequences of length m with 2 k sequences is at most a small fraction of 2 m, as the PRBG produces always the same output sequence for one (fixed) seed The motivation for using a PRBG is that it is generally too expensive to produce true random numbers of length m, e.g. by coin flipping, so just a smaller amount of random bits is produced and then a pseudo-random bit sequence is produced out of the k truly random bits In order to gain confidence in the randomness of a pseudo-random sequence, statistical tests are conducted on the produced sequences Network Security, WS 2010/11, Chapter 2.4 5

Pseudo-Random Number Generators (2) Example: A linear congruential generator produces a pseudo-random sequence of numbers y 1, y 2,... According to the linear recurrence y i = a y i-1 + b MOD q with a, b, q being parameters characterizing the PRBG Unfortunately, this generator is predictable even when a, b and q are unknown, and should, therefore, not be used for cryptographic purposes Network Security, WS 2010/11, Chapter 2.4 6

Random and Pseudo-Random Number Generation (3) Security requirements of PRBGs for use in cryptography: As a minimum security requirement the length k of the seed to a PRBG should be large enough to make brute-force search over all seeds infeasible for an attacker The output of a PRBG should be statistically indistinguishable from truly random sequences The output bits should be unpredictable for an attacker with limited resources, if he does not know the seed Definition: A PRBG is said to pass all polynomial-time statistical tests, if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 0.5 Polynomial-time algorithm means, that the running time of the algorithm is bound by a polynomial in the length m of the sequence Network Security, WS 2010/11, Chapter 2.4 7

Random and Pseudo-Random Number Generation (4) Definition: A PRBG is said to pass the next-bit test, if there is no polynomial-time algorithm which, on input of the first m bits of an output sequence s, can predict the (m + 1) st bit s m+1 of the output sequence with probability significantly greater than 0.5 Theorem (universality of the next-bit test): A PRBG passes the next-bit test it passes all polynomial-time statistical tests For the proof, please see section 12.2 in [Sti95a] Definition: A PRBG that passes the next-bit test possibly under some plausible but unproved mathematical assumption such as the intractability of the factoring problem for large integers is called a cryptographically secure pseudo-random bit generator (CSPRBG) Network Security, WS 2010/11, Chapter 2.4 8

Hardware-Based Random Number Generation Hardware-based random bit generators are based on physical phenomena, as: elapsed time between emission of particles during radioactive decay, thermal noise from a semiconductor diode or resistor, frequency instability of a free running oscillator, the amount a metal insulator semiconductor capacitor is charged during a fixed period of time, air turbulence within a sealed disk drive which causes random fluctuations in disk drive sector read latencies, and sound from a microphone or video input from a camera A hardware-based random bit generator should ideally be enclosed in some tamper-resistant device and thus shielded from possible attackers Network Security, WS 2010/11, Chapter 2.4 9

Software-Based Random Number Generation Software-based random bit generators, may be based upon processes as: the system clock, elapsed time between keystrokes or mouse movement, content of input- / output buffers user input, and operating system values such as system load and network statistics Ideally, multiple sources of randomness should be mixed, e.g. by concatenating their values and computing a cryptographic hash value for the combined value, in order to avoid that an attacker might guess the random value If, for example, only the system clock is used as a random source, than an attacker might guess random-numbers obtained from that source of randomness if he knows about when they were generated Usually, such generators are used to initialize PRNGs, i.e. to set their seed. Network Security, WS 2010/11, Chapter 2.4 10

De-skewing Consider a random generator that produces biased but uncorrelated bits, e.g. it produces 1 s with probability p 0.5 and 0 s with probability 1 - p, where p is unknown but fixed The following technique can be used to obtain a random sequence that is uncorrelated and unbiased: The output sequence of the generator is grouped into pairs of bits All pairs 00 and 11 are discarded For each pair 10 the unbiased generator produces a 1 and for each pair 01 it produces a 0 Another practical (although not provable) de-skewing technique is to pass sequences whose bits are correlated or biased through a cryptographic hash function such as MD-5 or SHA-1 Network Security, WS 2010/11, Chapter 2.4 11

Statistical Tests for Random Numbers The following tests allow to check if a generated random or pseudorandom sequence inhibits certain statistical properties: Monobit Test: Are there equally many 1 s as 0 s? Serial Test (Two-Bit Test): Are there equally many 00-, 01-, 10-, 11-pairs? Runs Test: Are the numbers of runs (sequences containing only either 0 s or 1 s) of various lengths as expected for random numbers? Autocorrelation Test: Are there correlations between the sequence and (non-cyclic) shifted versions of it? Maurer s Universal Test: Can the sequence be compressed? The above descriptions just give the basic ideas of the tests. For a more detailed and mathematical treatment, please refer to sections 5.4.4 and 5.4.5 in [Men97a] Network Security, WS 2010/11, Chapter 2.4 12

Examples for PRNGs Linear Congruential Generator X n+1 = (a X n + b) mod m Very fast, but not suitable for cryptography! Suitable for cryptography Blum Blum Shub On the basis of symmetric encryption Output of block cipher in OFB or CTR mode Output of a stream cipher (e.g. RC4) Stream cipher = symmetric cipher that produces a random bitstream to be XORed with the plaintext On the basis of a cryptographic hash function Iterate using hash function and seed, e.g. X 0 = seed X i+1 = H (X seed) i Network Security, WS 2010/11, Chapter 2.4 13

Addtional References [Ferg03] [Men97a] [Sti95a] Niels Ferguson, Bruce Schneier, Practical Cryptography, John Wiley & Sons, 2003 A. J. Menezes, P. C. Van Oorschot, S. A. Vanstone. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and Its Applications, Hardcover, 816 pages, CRC Press, 1997. D. R. Stinson. Cryptography: Theory and Practice (Discrete Mathematics and Its Applications). Hardcover, 448 pages, CRC Press, 1995. Network Security, WS 2010/11, Chapter 2.4 14

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback