CIS 4615 meeting -*- Outline -*-

* Weak Random Numbers

Based on chapter 20 of the book "24 Deadly Sins of Software Security"
by Michael Howard, David LeBlanc, and John Viega (McGraw Hill, 2010),
and chapter 10 of the book "Building Secure Software"
by John Viega and Gary McGraw (Addison Wesley, 2002).

** background

*** importance and uses of random numbers

------------------------------------------
IMPORTANCE AND USES OF RANDOM NUMBERS

Random numbers are used for:
- cryptographic keys
- session identifiers
- TCP/IP sequence numbers
- stream ciphers
- password generators
------------------------------------------

Q: How are random numbers used in these applications?

Cryptographic keys need to be difficult to guess.

Session identifiers should be unguessable, so that only the
authorized participants can take part in the session;
the idea is to prevent replay attacks.

Sequence numbers are used to avoid spoofing
(masquerading as another party).

Stream ciphers take a stream of bits and XOR it with
the data transmitted.

*** kinds of Random Number Generators

------------------------------------------
KINDS OF RANDOM NUMBER GENERATORS

Problem: computers are deterministic,
         so it is hard to generate randomness

Pseudo-random Number Generators (PRNGs):
- pass statistical tests for randomness
- repeatable (for simulations)

Example: linear congruential generator

    X[n+1] = (a * X[n] + b) mod c

usually a, b, and c are primes

Properties: easy to predict next value
Should never be used for security

Cryptographic Random Number Generators (CRNGs):
- make it hard to guess the next number
- not repeatable
- may use hidden internal state, not revealed by output
------------------------------------------

Q: Why is it easy to guess the next value in a PRNG?

Not much state (say 32 bits).

There are some examples of CRNGs given in the
Building Secure Software book (e.g., Tiny).

*** entropy

------------------------------------------
ENTROPY

def: entropy is the measure of a system's lack
     of order or predictability, measured in bits
     = amount of information needed to specify
       the system's exact state

How to gather entropy on a computer?
------------------------------------------

use system clock?
    only 32 bits, so can't give more than 32 bits of entropy;
    if you are using the microseconds, get less than 4 bits

use keyboard or mouse events plus timings,
    may get about 2 bits per event

use drift in system clock, see truerand.c (on net)

use a hardware device (ComScire QNG via a USB port),
    see https://www.comscire.com
    or TPM on some computers;
    these get entropy from thermal noise

** attack

------------------------------------------
ATTACK

1. Observe outputs of the system
2. Search for sequences in the RNG algorithm that match those outputs
3. Find the state of the RNG
4. Predict the next outputs
------------------------------------------

This was done, for example, against an online poker system (ASF),
and the other players' hands could be guessed in real time!

** What to avoid

------------------------------------------
HOW TO AVOID ATTACKS

Don't use a weak RNG (PRNG) for security!

Use a CRNG

Keep the seed secret

Be careful with entropy
------------------------------------------

Entropy isn't additive; it needs to be massaged
to remove any statistical patterns.

** auditing

------------------------------------------
AUDITING

- Find places random numbers should be used
- Find places that use PRNGs
- Where CRNGs are used, make sure they are seeded properly

Never use a static seed!
------------------------------------------

** redemption

------------------------------------------
REDEMPTION

Use a CRNG

If it fails, tell the caller you failed;
don't fall back to a less secure RNG

In a high-assurance situation, use a hardware solution
------------------------------------------
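The attack steps and the redemption advice above, as an added worked example (not code from either book): a toy LCG seeded from a clock value in seconds, with only the top 15 bits of its state exposed, is still recoverable by searching a one-day window of candidate seeds, whereas `secrets.token_hex` draws from the OS CRNG and raises rather than degrading when that source is unavailable. The constants, seed window and observed outputs are all constructed for the example.

```python
import secrets

# Constructed toy LCG, X[n+1] = (a * X[n] + b) mod c, with glibc-style
# constants (assumption: not the generator from either book).
A, B, M = 1103515245, 12345, 2**31


def lcg_next(state):
    """One step of the linear congruential generator."""
    return (A * state + B) % M


def weak_stream(seed, count):
    """PRNG outputs after seeding (e.g. with time() in seconds).
    Only the top 15 bits of each state leave the generator, so the
    full 31-bit state is hidden, but a weak seed undoes that."""
    out, state = [], seed
    for _ in range(count):
        state = lcg_next(state)
        out.append(state >> 16)
    return out


def recover_seed(observed, seed_window):
    """Attack steps 2-3: search the candidate seeds (here a window of
    clock values) for the one that reproduces every observed output.
    A clock seed has far less than 32 bits of entropy, so this is cheap."""
    n = len(observed)
    for cand in seed_window:
        if weak_stream(cand, n) == observed:
            return cand
    return None


def predict_next(observed, seed_window):
    """Step 4: once the seed (and hence the state) is known, the
    next output follows directly; None if no candidate seed matched."""
    seed = recover_seed(observed, seed_window)
    if seed is None:
        return None
    return weak_stream(seed, len(observed) + 1)[-1]


def strong_id(nbytes=16):
    """Redemption: identifiers from the OS CRNG. secrets.token_hex raises
    if the OS source is unavailable instead of silently using a PRNG,
    which is the 'tell the caller you failed' rule from the slide."""
    return secrets.token_hex(nbytes)
```

Calling `recover_seed(weak_stream(seed, 4), range(day_start, day_start + 86400))` returns the seed for any seed inside that one-day window, which is why "keep the seed secret" on its own is not enough when the seed has little entropy.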