a study of entropy transfers
play

A study of entropy transfers in the Linux Random Number Generator - PowerPoint PPT Presentation

Jul 26, 2023 •149 likes •483 views

A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G. Salagnac, C. Lauradoux 1 The need for random numbers Computers are built to be fully deterministic... ...but unpredictability is still required

  1. A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G. Salagnac, C. Lauradoux 1

  2. The need for random numbers Computers are built to be fully deterministic... ...but unpredictability is still required Cryptography Security Randomized algorithms Scheduling Networking 2

  3. Random numbers a an OS resource LRNG : Linux Random Number Generator Service provided by the OS kernel Shared among several (non-privileged) users ✴❞❡✈✴r❛♥❞♦♠ and ✴❞❡✈✴✉r❛♥❞♦♠ Essential for security-oriented software (SSH, SSL/TLS) Depends on system entropy Prone to entropy shortages ⇒ RNG stalls May have negative impact on application performance 3

  4. Motivating example 35 30 Request completion time (second) 25 20 15 10 5 0 0 200 400 600 800 1000 Time Response time of ✴❞❡✈✴r❛♥❞♦♠ for 1000 one-byte requests. Average 264 ms. Standard deviation 1.68 s. 4

  5. Questions What is entropy anyway ? Why does the LRNG need it ? How to explain such variability in response time ? Inria Research Report 8060 ❤tt♣✿✴✴❤❛❧✳✐♥r✐❛✳❢r✴❤❛❧✲✵✵✼✸✽✻✸✽ 5

  6. Agenda Introduction 1 Random Number Generation 2 The Linux RNG 3 Experiments 4 5 Conclusion and perspectives 6

  7. Desirable properties of “random” numbers X , Y random variables e.g. the result of rolling a die Ω sample space e.g. { 1 , 2 , 3 , 4 , 5 , 6 } X = P (Ω) event space e.g. X ∈ { 2 , 4 , 6 } ◮ { Pr ( i ) } i ∈X probability law Uniform distribution 1 ∀ x ∈ Ω Pr ( X = x ) = card (Ω) Statistical independence ∀ x , y ∈ Ω Pr ( X = x | Y = y ) = Pr ( X = x ) 7

  8. Measuring randomness Shannon Entropy � H ( X ) = − Pr ( X = i ) log 2 Pr ( X = i ) . ∀ i ∈X expresses the “amount of uncertainty” contained in X ◮ “how much information do I gain by looking at X ” Caveat Emptor Other entropy measures exist (e.g. Kolmogorov complexity) If we don’t know Pr , we cannot directly apply the formula Entropy estimation is a very active research topic 8

  9. Different types of generators A Random Number Generator is a computer program imitating the behaviour of a random variable PRNG : Pseudo Random Number Generator CSPRNG : Cryptographically Secure Random Number Gen. HRNG : Hardware Random Number Generator TRNG : True Random Number Generator 9

  10. Deterministic generators PRNG : Pseudo-Random Number Generator finite-state machine transition function : updates internal state output function : produces actual numbers seed : initial internal state ◮ (hopefully) good statistical properties CSPRNG : Cryptographically Secure PRNG ◮ A PRNG with stronger statistical properties (periodicity...) 10

  11. Security issues Threat model What if an attacker guesses the internal state ? ◮ they can predict every future output of the RNG ! Solutions choose the output function such that it’s hard to reverse ... or just don’t be deterministic 11

  12. Non-deterministic generators HRNG : Hardware Random Number Generator Based on some physical phenomenon really unpredictable, but often biased limited by the througput of the entropy source TRNG : True Random Number Generator Pseudo-Random Number Generator internal state reseeded with entropy sources 12

  13. Agenda Introduction 1 Random Number Generation 2 The Linux RNG 3 Experiments 4 5 Conclusion and perspectives 13

  14. The Linux RNG Authors Theodore Ts’o (1994–2005, 2012–now) Matt Mackall (2005–2012) TRNG architecture uses a CSPRNG to produce numbers internal state : 6Kb output function : a variant of md5 uses system events as entropy sources opportunistic reseeding hypothesis : inter-event timing is unpredictable tries to keep internal state hard to guess for an attacker tracks the entropy level of state over time 14

  15. Architecture Blocking Pool /dev/random Disque dur Input Pool Clavier /dev/urandom Non-blocking Pool Souris get_random_bytes() LRNG 15

  16. Output interfaces ✴❞❡✈✴r❛♥❞♦♠ comsumes entropy in case of shortage → requests put on hold ✴❞❡✈✴✉r❛♥❞♦♠ consumes entropy in case of shortage → PRNG ❣❡t❴r❛♥❞♦♠❴❜②t❡s✭✮ kernel function consumes entropy in case of shortage → PRNG 16

  17. Entropy pools (internal state of the PRNGs) Blocking pool 1Kb bitfield + entropy counter supplies data for ✴❞❡✈✴r❛♥❞♦♠ Non-blocking pool 1Kb bitfield + entropy counter supplies data for ✴❞❡✈✴✉r❛♥❞♦♠ and ❣❡t❴r❛♥❞♦♠❴❜②t❡s✭✮ Input pool 4Kb bitfield + entropy counter supplies data for the two other pools refilled by opportunistically sampling entropy sources 17

  18. Entropy sources Callback functions exported by the LRNG to harvest entropy : ❛❞❞❴❞✐s❦❴r❛♥❞♦♠♥❡ss✭✮ Hard drive events ❛❞❞❴✐♥♣✉t❴r❛♥❞♦♠♥❡ss✭✮ UI events : keyboard, mouse, trackpad ❛❞❞❴✐♥t❡rr✉♣t❴r❛♥❞♦♠♥❡ss✭✮ Other hardware events : USB, device drivers ❛❞❞❴♥❡t✇♦r❦❴r❛♥❞♦♠♥❡ss✭✮ removed, deemed too vulnerable 18

  19. Architecture Blocking Pool /dev/random Disque dur Input Pool Clavier /dev/urandom Non-blocking Pool Souris get_random_bytes() LRNG 19

  20. The need for entropy estimation What if an attacker controls all the callbacks ? What if hardware events happen to be predictable ? Not all system events carry uncertainty Let’s try to assess randomness ◮ We need an entropy estimator ! 20

  21. The LRNG entropy estimator : detecting regularities δ i = t i − t i − 1 δ 2 = δ i − δ i − 1 i δ 3 δ 2 i − δ 2 = i i − 1 ∆ i = min ( | δ i | , | δ 2 i | , | δ 3 i | )  0 if ∆ i < 2  if ∆ i ≥ 2 12 H i = 11 ⌊ log 2 (∆ i ) ⌋ otherwise  21

  22. Example ❚✐♠❡ ✶✵✵✹ ✶✵✶✷ ✶✵✷✹ ✶✵✷✺ ✶✵✸✵ ✶✵✹✶ ✶st ❞✐❢❢ ✽ ✶✷ ✶ ✺ ✶✶ ✷♥❞ ❞✐❢❢ ✹ ✶✶ ✹ ✻ ✸r❞ ❞✐❢❢ ✼ ✼ ✷ H ( 1041 ) = 1, H ( 1030 ) = 2, H ( 1025 ) = 0 22

  23. Agenda Introduction 1 Random Number Generation 2 The Linux RNG 3 Experiments 4 5 Conclusion and perspectives 23

  24. Architecture Blocking Pool /dev/random Disque dur Input Pool Clavier /dev/urandom Non-blocking Pool Souris get_random_bytes() LRNG 24

  25. Experimental setup Prototype use a kernel debugger ? → would kill timing use ♣r✐♥t❦✭✮ ? → would generate disk events ! ◮ instrument the LRNG itself (callbacks + output functions) use the netpoll API to send out UDP packets Studied scenarios Desktop workstation : web surfing, word processing File server : large file transfer Computation : CPU-intensive program only each experiment : one hour long 25

  26. Entropy harvesting disk 34% mouse generic_input 2% 35% 28% keyboard (a) Workstation 100% 100% (b) File server (c) Computation 26

  27. Entropy extraction 48% ❣❡t❴r❛♥❞♦♠❴❜②t❡s✭✮ ✴❞❡✈✴✉r❛♥❞♦♠ 52% (d) Workstation 20% 100% 80% (e) File server (f) Computation 27

  28. Entropy consumers : Workstation [K] ❧♦❛❞❴❡❧❢❴❜✐♥❛r②✭✮ 26% [U] svn [U] chromium-browse 2% 5% [U] php5 46% Others 21% 28

  29. Entropy consumers : File server 15% [K] ❧♦❛❞❴❡❧❢❴❜✐♥❛r②✭✮ [U] php5 2% [K] ✐♥❡t❴❢r❛❣❴s❡❝r❡t❴r❡❜✳✳✳ 5% 6% 72% [U] apache2 Others 29

  30. Entropy consumers : Computation 5% [K] ❧♦❛❞❴❡❧❢❴❜✐♥❛r②✭✮ 95% [K] ✐♥❡t❴❢r❛❣❴s❡❝r❡t❴r❡❜✉✐❧❞✭✮ 30

  31. Entropy level in the input pool 31

  32. Summary of experimental results only major entropy source : the hard drive ✴❞❡✈✴r❛♥❞♦♠ never used in practice blocking r❡❛❞✭✮ considered too problematic by developers doesn’t even exist in other kernels (BSD) security-oriented applications have their own CSPRNG people believe that « there will soon be entropy » (true ?) major entropy consumer : the kernel itself via ❣❡t❴r❛♥❞♦♠❴❜②t❡s✭✮ mostly for ❧♦❛❞❴❡❧❢❴❜✐♥❛r②✭✮ (i.e. ASLR) 32

  33. Conclusions and perspectives Summary Study of the architecture of the LRNG Measures of entropy transfers Study of entropy consumers see [Inria RR 8060] ❤tt♣✿✴✴❤❛❧✳✐♥r✐❛✳❢r✴❤❛❧✲✵✵✼✸✽✻✸✽ Perspectives Port experiments to diskless devices Android phone, set-top box, SSD-based laptop Entropy will be scarce Come up with new sources of entropy in the system portability ? availability ? 33

Recommend

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Intergenerational transfers of infant mortality in historical contexts: a comparative study of

Intergenerational transfers of infant mortality in historical contexts: a comparative study of

Intergenerational transfers of infant mortality in historical contexts: a comparative study of five European populations Luciana Quaranta 1 , Gran Brostrm 2 , Ingrid van Dijk 3 , Robyn Donrovich 4 , Sren Edvinsson 2 , Elisabeth Engberg 2 ,

451 views • 20 slides
Informational Study: Increased Capabilities for Transfers of Low Carbon Electricity between the

Informational Study: Increased Capabilities for Transfers of Low Carbon Electricity between the

Informational Study: Increased Capabilities for Transfers of Low Carbon Electricity between the Pacific Northwest and California Ebrahim Rahimi Lead Engineer, Regional Transmission - North 2018-2019 Transmission Planning Process Stakeholder

814 views • 67 slides
PRACTITIONERS DEEDS AND TRANSFERS UNDER THE RPA Fraud in conveyances and transfers of property

PRACTITIONERS DEEDS AND TRANSFERS UNDER THE RPA Fraud in conveyances and transfers of property

TIPS FOR PRACTITIONERS DEEDS AND TRANSFERS UNDER THE RPA Fraud in conveyances and transfers of property under the rpo is increasing and attorneys should be cautious in reviewing deeds and transfers which constitute the title to a property

403 views • 39 slides
The economic and legal aspects of g p transfers of players Results of the study Didier

The economic and legal aspects of g p transfers of players Results of the study Didier

The economic and legal aspects of g p transfers of players Results of the study Didier PRIMAULT and Christophe LEPETIT Friday, 8 th March Sport Directors meeting Dublin Sport Directors meeting, Dublin Objectives and scope of the study

728 views • 39 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
Committee to Study Rates and Transfers/Public Enterprises Department of Environmental Quality

Committee to Study Rates and Transfers/Public Enterprises Department of Environmental Quality

September 26, 2018 Committee to Study Rates and Transfers/Public Enterprises Department of Environmental Quality Division of Water Infrastructure SWIA Master Plan Vision The state will best be able to meet its water infrastructure needs by

395 views • 13 slides
Study that Evaluates Interface Design using Gaze Entropy Yejin Lee a , Hyun-Chul Lee b a SA

Study that Evaluates Interface Design using Gaze Entropy Yejin Lee a , Hyun-Chul Lee b a SA

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Study that Evaluates Interface Design using Gaze Entropy Yejin Lee a , Hyun-Chul Lee b a SA Monitoring and Mitigation Research Team, KAERI, 34057, Daejeon, S.

72 views • 4 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides
Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute

Chapter 2 Entropy, Relative Entropy, and Mutual Infor- mation Peng-Hua Wang Graduate Institute of Communication Engineering National Taipei University Chapter Outline Chap. 2 Entropy, Relative Entropy, and Mutual Information 2.1 Entropy 2.2

752 views • 51 slides
Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of

Huffman Encoding 13-Oct-11 Entropy Entropy is a measure of information content: the number of bits actually required to store data. Entropy is sometimes called a measure of surprise A highly predictable sequence contains little actual

293 views • 16 slides
ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF

ARE THE SHANNON ENTROPY AND RESIDUAL ENTROPY SYNONYMS? H = R 0 ? MARKO POPOVIC DEPARTMENT OF CHEMISTRY AND BIOCHEMISTRY, BYU, PROVO, UT 84602, POPOVIC.PASA@GMAIL.COM Thermodynamic entropy - S (J/K) At T=0K ideal crystal imperfect

560 views • 21 slides
Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual

Infotheory for Statistics and Learning Lecture 1 Entropy Relative entropy Mutual information f -divergence Mikael Skoglund 1/16 Entropy Over ( R , B ) , consider a discrete RV X with all probability in a countable set X B ,

538 views • 8 slides
Barriers in business transfers Intra-family and external transfers - Technical and non-technical

Barriers in business transfers Intra-family and external transfers - Technical and non-technical

Business Transfer Conference, Malta, March 17 2017 Barriers in business transfers Intra-family and external transfers - Technical and non-technical barriers - Leif Melin Most likely future owner in order of likeliness 1. Another operating

335 views • 16 slides
Nuclear Material Transfers Nuclear Material Transfers Project Four Waste streams

Nuclear Material Transfers Nuclear Material Transfers Project Four Waste streams

Harwell Nuclear Material Transfers Nuclear Material Transfers Project Four Waste streams Significant Lifetime cost savings Scope To Sellafield to NDA estate. Consolidation of NM on a Category 1 site (Sellafield) and 251

322 views • 7 slides
Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J.

Model Uncertainty and Robustness: Entropy Coherent and Entropy Convex Measures of Risk Roger J. A. Laeven Dept. of Econometrics and OR Tilburg University, CentER and Eurandom based on joint work with Mitja Stadje August 30, 2011 Entropy

442 views • 40 slides
Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy

Comparison Between Bayesian and Maximum Entropy Analysis of Flow Networks 1 Maximum Entropy The Maximum Entropy (MaxEnt) method is a methodology to assign or update probability distributions to describe systems which are not completely

202 views • 17 slides
Increased Capabilities for Transfers of Low Carbon Electricity between the Pacific Northwest and

Increased Capabilities for Transfers of Low Carbon Electricity between the Pacific Northwest and

2018-2019 Transmission Planning Process Increased Capabilities for Transfers of Low Carbon Electricity between the Pacific Northwest and California Informational Study Ebrahim Rahimi Lead Regional Transmission Engineer Stakeholder Call April

380 views • 14 slides
Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for

Orc David Schleef Entropy Wave Inc (c) 2009 Entropy Wave Inc What is Orc A system for describing low-level computation on modern CPUs (c) 2009 Entropy Wave Inc Motivation (c) 2009 Entropy Wave Inc Motivation Want maintainable assembly

611 views • 28 slides
1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less

Introduction to Information Retrieval Entropy: a basic introduction 1) Entropy = measure of randomness 2) Entropy = measure of compressibility More random = Less compressible High entropy = high randomness/low compressibility Low entropy =

236 views • 19 slides
1 Plasma Entropy In ideal MHD, specific entropy is conserved along a flow path: where:

1 Plasma Entropy In ideal MHD, specific entropy is conserved along a flow path: where:

Plasma Entropy in the Magnetosphere Joachim Raeder 1 , Kai Germaschewski 1 , LiWei Lin 1 Space Science Center, University of New Hampshire, Durham, NH 03824, USA Congre ASTRONUM, Biarritz, France, July 2, 2013 Basic Structure of the

499 views • 11 slides

More recommend