Randomness Some content taken from “Silence on the Wire” by Michal Zalewski
Today’s Agenda • Randomness in Private Key Generation • Randomness in Election (fraud) • Randomness in Coin Flipping
What is random? • Chosen without method
Random beacons • Atmospheric noise • random.org • Radioactive Decay • http://www.fourmilab.ch/hotbits/ • Lava lamps • Cloudflare • Thunderstorms • Seismic data in earthquake-prone areas
Pseudorandom vs. random
Characteristics   Pseudorandom    Random
Efficiency        Excellent       Poor
Determinism       Deterministic   Nondeterministic
Periodicity       Periodic        Aperiodic
https://www.random.org/randomness/
How computers use randomness • Blinky lights • Quicksort • Computer games • Cryptographic keys
Randomness in Private Key Generation • Applied cryptography relies on randomness in key generation. • Lack of randomness —> somebody else can guess your private key
Pseudorandom Number Generation (PRNG) • Pick a (random) seed • Algorithmically pick the next number.
Netscape PRNG
global variable seed;

RNG_CreateContext()
    (seconds, microseconds) = time of day; /* Time elapsed since 1970 */
    pid = process ID; ppid = parent process ID;
    a = mklcpr(microseconds);
    b = mklcpr(pid + seconds + (ppid << 12));
    seed = MD5(a, b);

RNG_GenerateRandomBytes()
    x = MD5(seed);
    seed = seed + 1;
    return x;
Netscape’s Crypto Issues • 40 bit keys • seeded PRNG with time • can get process info with ps
Feeding /dev/urandom • There can be no general method for determining an outcome of any computer procedure or algorithm in a finite time. • paraphrasing of Alan Turing
Feeding /dev/urandom • Entropy from running a computer enters the entropy pool • Process reads from that pool
Using randomness to create keys • Algorithms for creating prime number candidates (pseudoprimes) • Algorithms for detecting if a number could be prime quickly (verify pseudoprimes)
DJB quoting Mark Twain • Behold, the fool saith, "Put not all thine eggs in the one basket"—which is but a manner of saying, "Scatter your money and your attention;" but the wise man saith, "Put all your eggs in the one basket and—WATCH THAT BASKET." • http://blog.cr.yp.to/20140205-entropy.html
Weak Keys (2008) • At least 5.23% of TLS hosts use default keys • 0.75% of TLS certificates share keys (bad entropy in key gen) • 1.70% come from the same faulty implementations (susceptible to compromise) • Obtained RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts (shared p or q) • Vast majority found in embedded systems
RSA: Recall from last class • Choose two large, distinct prime numbers p, q. • Compute the modulus n = pq • φ(n) = φ(p) × φ(q) = (p − 1) × (q − 1) • φ(n): Number of integers less than n that aren’t coprime • coprime: x, y are coprime if the only common factor they have is 1. • Pick a number, e, such that e < φ(n) and e, φ(n) are coprime. • Determine d such that de ≡ 1 (mod φ(n)) • Public key is (n, e). Private key is (n, d).
How did they factor? • Pairwise GCD of all distinct RSA moduli • N1 = p1*q1, N2 = p2*q2 • If no factors are common, then GCD(N1, N2) = 1 • Otherwise, if p1 = p2, then GCD(N1, N2) = p1 • 5.5 hours for over 11 million RSA keys
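The shared-factor check from this slide, written as an audit you can run over your own inventory of public moduli. This is an added example, not code from the original slides: the function names and the sample moduli (built from known Mersenne primes) are constructed for illustration, and `batch_gcd` goes beyond the slide by using a product tree and remainder tree to get the same answer without comparing every pair.

```python
from itertools import combinations
from math import gcd, prod


def pairwise_shared_factors(moduli):
    """O(k^2) audit: map (i, j) -> shared factor for each pair of distinct moduli."""
    hits = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = gcd(a, b)
        if a != b and g > 1:  # identical moduli are a reused key, not a shared prime
            hits[(i, j)] = g
    return hits


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all other moduli); moduli must be distinct."""
    # Product tree: leaves are the moduli, the root is P = N_0 * N_1 * ...
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[k:k + 2]) for k in range(0, len(level), 2)])
    # Remainder tree: push P back down, reducing mod (node value)^2 at each level.
    rems = tree.pop()
    while tree:
        level = tree.pop()
        rems = [rems[k // 2] % (n * n) for k, n in enumerate(level)]
    # At a leaf, rems[i] = P mod N_i^2, so rems[i] // N_i = (P / N_i) mod N_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def mersenne(e):
    """2^e - 1, used here only for exponents where the result is a known prime."""
    return 2 ** e - 1


# Constructed sample inventory: keys 0 and 2 were "generated" with the same prime 2^89 - 1.
SAMPLE = [
    mersenne(61) * mersenne(89),
    mersenne(107) * mersenne(127),
    mersenne(89) * mersenne(521),
    mersenne(607) * mersenne(1279),
]

if __name__ == "__main__":
    for (i, j), p in pairwise_shared_factors(SAMPLE).items():
        print(f"keys {i} and {j} share a {p.bit_length()}-bit factor")
    flagged = [i for i, g in enumerate(batch_gcd(SAMPLE)) if g > 1]
    print("batch GCD flags keys:", flagged)
```

Any key flagged by either function should be treated as compromised and regenerated on a host with a properly seeded entropy pool.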
Commonly Repeated Keys
Visualizing RSA Common Factors
Generating Keys from Boot
2009 Iranian Election • Mahmoud Ahmadinejad ran against three others • 85% turnout • Mahmoud Ahmadinejad “won” with 64% of the vote • Caused massive protests “Green Revolution”
Benford's Law
Methodology • Look at election results • Ask NYU undergrads to make up numbers • Compare least significant digits
Runs Test • A sequence with n heads and m tails • A run is a sequence of coin flips with the same side • 11000100010000101110111101001000101110111
Runs Test • Given a sequence of n heads; m tails; R runs • E(R) = (2nm / (n + m)) + 1 • V(R) = (2nm(2nm - n - m)) / ((n + m)^2 (n + m - 1)) • Z score: (x - E(R)) / √(V(R))