Pseudo-Random Generators (PDF slide deck)



1. Why do we need random numbers?
• Simulation
• Sampling
• Numerical analysis
• Computer programming (e.g. randomized algorithms)
• Elementary and critical element in many cryptographic protocols. Usually:
  – "Alice picks key K at random"
  – Cryptosystems are only secure if the keys are random.
  – Session keys for symmetric ciphers.
  – Nonces in different protocols (to avoid replay).

Cryptography relies on randomness
• To encrypt e-mail, digitally sign documents, or spend a few dollars of electronic cash over the internet, we need random numbers.
• If the random numbers in any of these applications are insecure, then the entire application is insecure.

Truly Random Numbers
• Random bits are generated by hardware that is based on physical phenomena.
• Those numbers cannot be reliably reproduced or predicted.
• Generation of (truly) random bits is an inefficient procedure in most practical systems: slow and expensive.
• Storage and transmission of a large number of random bits may be impractical.

Pseudo-Random Numbers
• An efficient (polynomial-time) deterministic algorithm G. [Figure: block diagram of the generator G]
• Pseudorandom: having the appearance of randomness, but nevertheless exhibiting a specific, repeatable pattern.
• Random numbers are very difficult to generate, especially on computers, which are designed to be deterministic devices.
• The sequence is not truly random in that it is completely determined by a relatively small set of initial values, called the PRNG's state.

2. The Seed
• Can't create randomness out of nothing.
• True physical sources of randomness that cannot be predicted:
  – Noise from a semiconductor device (hardware).
  – Resource utilization statistics and system load (software).
  – User's mouse movements.
  – Device latencies.
• Minimum security requirement: the length n of the seed to a PRNG should be large enough to make brute-force search over all seeds infeasible for an attacker.

Normal RNG Operation
[Figure: timeline of normal RNG operation from time t to t+n, with outputs produced at t+k, t+k+1, t+k+2, ..., t+n]

The difference between Random and Pseudo-Random
• Pseudo-random: if one knows the algorithm and the seed used to create the numbers, he can predict all the numbers returned by every call to the algorithm.
• Truly random: with genuinely random numbers, knowledge of one number or of a long sequence of numbers is of no use in predicting the next number to be generated.

Random looking
Random looking means that:
• if the numbers are in the range 0..n,
• and there are m numbers to be generated,
• then an observer given m-1 out of the m numbers cannot predict the m-th number with better probability than 1/n.

What do we expect from pseudo randomness?
• Long period: the generator should have a long period (the period of a random number generator is the number of times we can call it before the random sequence begins to repeat).
• Fast computation: the generator should be reasonably fast and low cost.
• Unbiased: the output of the generator has good statistical characteristics.
• Unpredictable: given the first few bits, it should not be easy to predict, or compute, the rest of the bits.
• Uncorrelated sequences: the sequences of random numbers should be serially uncorrelated.

3. Some basic ideas for tests
• Randomness is a probabilistic property: the properties of a random sequence can be characterized in terms of probability.
• The following tests may be applied:
  – Monobit test: are there equally many 1's as 0's?
  – Serial test (two-bit test): are there equally many 00, 01, 10, 11 pairs?

RNG Security Requirements
• Pseudo-randomness: the output is indistinguishable from random.
• Backward security: RNG outputs cannot be compromised by a break-in in the past.
• Forward security: RNG outputs cannot be compromised by a break-in in the future.

Properties of Random Numbers
• Two important statistical properties:
  – Uniformity
  – Independence
• A random number R must be independently drawn from a uniform distribution with pdf
  f(x) = 1 for 0 <= x <= 1, and f(x) = 0 otherwise.
• E(R) = ∫_0^1 x dx = [x^2/2]_0^1 = 1/2.
[Figure: pdf for random numbers]

Linear Congruential Method (LCM) – Example of a PRNG algorithm
• To produce a sequence of integers X_1, X_2, ... between 0 and m-1, follow the recursive relationship
  X_{i+1} = (a X_i + c) mod m, i = 0, 1, 2, ...
  where a is the multiplier, c the increment and m the modulus.
• The selection of the values for a, c, m, and X_0 drastically affects the statistical properties and the cycle length.
• The random integers are generated in [0, m-1]; to convert the integers to random numbers:
  R_i = X_i / m, i = 1, 2, ...

Examples (Techniques)
• Use X_0 = 27, a = 17, c = 43, and m = 100.
• The X_i and R_i values are:
  X_1 = (17*27+43) mod 100 = 502 mod 100 = 2, R_1 = 0.02;
  X_2 = (17*2+43) mod 100 = 77, R_2 = 0.77;
  X_3 = (17*77+43) mod 100 = 52, R_3 = 0.52;
  X_4 = (17*52+43) mod 100 = 27, R_4 = 0.27.
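The LCM recurrence with the slide's parameters, the R_i = X_i/m conversion, and the monobit and serial tests from the "basic ideas for tests" slide, as an added example that is not part of the original slides (the fixed-width bit encoding of each X_i is my own choice for feeding the bit tests):

```python
# Added example, not from the slides: Linear Congruential Method with the
# slide's parameters (X0=27, a=17, c=43, m=100), the conversion R_i = X_i/m,
# and the monobit / serial (two-bit) tests run over the bits of the outputs.
from collections import Counter


def lcg(x0, a, c, m, count):
    """Return X_1..X_count of the recurrence X_{i+1} = (a*X_i + c) mod m."""
    xs, x = [], x0
    for _ in range(count):
        x = (a * x + c) % m
        xs.append(x)
    return xs

def to_uniform(xs, m):
    """Convert integers in [0, m-1] to random numbers R_i = X_i / m."""
    return [x / m for x in xs]

def steps_until_repeat(x0, a, c, m):
    """Calls made before a value seen earlier comes back (the cycle length
    when, as in the slide's example, the sequence returns to X_0)."""
    seen, x, steps = {x0}, x0, 0
    while True:
        x = (a * x + c) % m
        steps += 1
        if x in seen:
            return steps
        seen.add(x)

def output_bits(xs, m):
    """Write each X_i as a fixed-width bit string (constructed encoding)."""
    width = (m - 1).bit_length()
    return "".join(format(x, f"0{width}b") for x in xs)

def monobit_test(bits):
    """Monobit test: (ones, zeros); a random sequence has about equally many."""
    ones = bits.count("1")
    return ones, len(bits) - ones

def serial_test(bits):
    """Serial (two-bit) test: counts of overlapping 00, 01, 10, 11 pairs."""
    pairs = Counter(bits[i:i + 2] for i in range(len(bits) - 1))
    return {p: pairs.get(p, 0) for p in ("00", "01", "10", "11")}

if __name__ == "__main__":
    xs = lcg(27, 17, 43, 100, 4)          # the slide's X_1..X_4
    print(xs, to_uniform(xs, 100), steps_until_repeat(27, 17, 43, 100))
    print(monobit_test(output_bits(xs, 100)), serial_test(output_bits(xs, 100)))
```

With the slide's parameters the sequence comes back to X_0 after only four calls, which is the "long period" requirement failing in the smallest possible way.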

4. Linear Congruence – Good LCG Example
(MATLAB code from the slide; the histogram checks uniformity, the scatter plot of successive pairs checks serial correlation.)

    x = 2456356;                                  % seed value
    U = zeros(1, 10000);                          % preallocate the output vector
    for i = 1:10000
        x = mod(1664525*x + 1013904223, 2^32);    % X_{i+1} = (a*X_i + c) mod m
        U(i) = x / 2^32;                          % R_i = X_i / m, in [0, 1)
    end
    edges = 0:0.05:1;
    M = histc(U, edges);                          % histogram of the outputs
    bar(M);
    figure;
    hold on;
    for i = 1:5000
        plot(U(2*i-1), U(2*i), '.');              % scatter successive pairs
    end
    hold off;

Generators In Cryptography
• However, even high-quality classical generators are mostly not usable in cryptography. Why?
• Because given several successive numbers that were generated by an LCG, it is possible to compute the modulus and the multiplier with reasonable efficiency.
• Meaning: there is always the risk of "reverse engineering" the generator.

Pseudo Random Generators In Cryptography
• If generators are needed in cryptographic applications, they are usually created using cryptographic primitives, such as:
  – block ciphers
  – hash functions
• There is a natural tendency to assume that the security of these underlying primitives will translate to security for the PRNG.

Linux PRNG
• Implemented in the kernel.
• Entropy-based PRNG.
• Used by many applications: TCP, PGP, SSL, S/MIME, ...
• Two interfaces:
  – Kernel interface: get_random_bytes (non-blocking).
  – User interfaces: /dev/random (blocking), /dev/urandom (non-blocking).

Entropy Collection
• Events are represented by two 32-bit words:
  – Event type, e.g. mouse press, keyboard value.
  – Event time in milliseconds.
• Bad news: the actual entropy in every event is very limited.
• Good news: there are many of these events.
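A generator built from a cryptographic hash, as the slides say cryptographic PRNGs usually are, placed next to one LCG step with the MATLAB example's constants; this is an added example, not code from the slides, and the hash ratchet is my own simplification (SHA-256 via hashlib), not any standard's construction and not the Linux kernel's algorithm:

```python
# Added example, not from the slides: a toy hash-based PRNG (my own simplified
# ratchet, not a standard DRBG and not the Linux LRNG) beside the LCG step from
# the MATLAB example. Shows the seed-length requirement, determinism, and how
# reseeding with fresh OS entropy makes the stream diverge.
import hashlib
import os

MIN_SEED_BYTES = 16  # constructed minimum: 128 bits, beyond brute-force search

def seed_is_long_enough(seed: bytes) -> bool:
    """Slides' minimum requirement: the seed must be too long to brute-force."""
    return len(seed) >= MIN_SEED_BYTES

class HashPrng:
    """Block i is H(state || i); the state is then replaced by H("ratchet" || state).
    Outputs never reveal the state, and a state captured later does not give
    earlier outputs (the slides' backward security)."""

    def __init__(self, seed: bytes):
        if not seed_is_long_enough(seed):
            raise ValueError("seed too short")
        self.state = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0

    def reseed(self, entropy: bytes) -> None:
        """Mix in fresh entropy so a past state compromise stops mattering (forward security)."""
        self.state = hashlib.sha256(b"reseed" + self.state + entropy).digest()

    def next_block(self) -> bytes:
        out = hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return out

def lcg_next(x: int, a: int = 1664525, c: int = 1013904223, m: int = 2 ** 32) -> int:
    """One LCG step with the MATLAB example's constants: the output is the whole
    state, which is why classical generators are not usable in cryptography."""
    return (a * x + c) % m

def same_seed_same_stream(seed: bytes, n: int = 3) -> bool:
    """Deterministic: two generators with the same seed give the same blocks."""
    g1, g2 = HashPrng(seed), HashPrng(seed)
    return [g1.next_block() for _ in range(n)] == [g2.next_block() for _ in range(n)]

def reseed_diverges(seed: bytes) -> bool:
    """After one copy mixes in OS entropy (os.urandom, the non-blocking interface),
    the two streams part."""
    g1, g2 = HashPrng(seed), HashPrng(seed)
    g2.reseed(os.urandom(32))
    return g1.next_block() != g2.next_block()
```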

5. Entropy estimation
• A counter estimates the physical entropy in the LRNG:
  – increased on entropy addition (from OS events);
  – decreased on data extraction.
• Blocking and non-blocking interfaces:
  – The blocking interface does not provide output when the entropy estimate reaches zero.
  – The non-blocking interface always provides output.
  – The blocking interface is "considered more secure".

LRNG structure
[Figure: entropy sources (keyboard, mouse, interrupts, disk) feed, through entropy collection (C), the 512-byte entropy pool; entropy addition (A) moves entropy into the 128-byte secondary pool, read by /dev/random (blocking), and the 128-byte urandom pool, read by /dev/urandom and get_random_bytes (non-blocking); data extraction (E) produces the outputs. Legend: C = entropy collection, A = entropy addition, E = data extraction.]
