CSC 482/582: Computer Security

Applying Cryptography
Topics
1. Key Generation
2. Randomness and Information Theory
3. PRNGs
4. Entropy Gathering
5. Key Storage
6. Cryptographic APIs
Key Generation
Goal: generate keys that are difficult to guess.
Given a set of K potential keys, choose one randomly.
- Equivalent to selecting a random number between 0 and K–1 inclusive.
Difficulty: generating random numbers.
- Computer-generated numbers are pseudo-random, that is, generated by an algorithm.
- “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.” – John von Neumann
How can we measure randomness?
For a fair coin flip, our uncertainty is 2 results: it could be either heads or tails.
- The uncertainty of 2 flips would be 2*2 = 4.
Logarithmic measure of uncertainty:
- We feel uncertainties should add, not multiply.
- Measures uncertainty in bits, instead of raw counts of outcomes.
- Uncertainty is log2(M), where M is the number of results.
U = log2 M
Information
The amount of information in a message is the minimal number of bits needed to encode all possible meanings.
Example: day of the week (7 possibilities)
- Encode in 3 bits
- 000 Sunday to 110 Saturday, with 111 unused
- ASCII strings “Sunday” through “Saturday” use more bits, but don’t encode more information.
In general, if there are N possible items, log2 N bits are needed:
I = log2 N
which is the same formula as for uncertainty, so U = I.
Information and Probability
If the probability of each of the N messages being sent is equal, then p = 1/N.
I = log2 (1/p)
What does 1/p really mean? Let's see:
Message: "Coin comes up heads or tails"
- Probability p = 1
- Information I = log2 (1/1) = log2 1 = 0
Message: "Coin comes up heads"
- Probability p = 0.5
- Information I = log2 (1/0.5) = log2 2 = 1
What if probabilities aren’t equal?
Given a message of N symbols, such that symbol i (i = 1..M) occurs N_i times, so that
$\sum_{i=1}^{M} N_i = N$
Our average uncertainty for the string is
$\frac{\sum_{i=1}^{M} N_i \,(-\log_2 P_i)}{\sum_{i=1}^{M} N_i}$
which can be rewritten as
$-\sum_{i=1}^{M} \frac{N_i}{N} \log_2 P_i$
Information
$I = -\sum_{i=1}^{M} P_i \log_2 P_i$
Reduces to the original formula if all symbols are equiprobable, i.e., P_i = 1/M:
$I = -\sum_{i=1}^{M} \frac{1}{M} \log_2 \frac{1}{M} = \frac{1}{M} \log_2(M) \sum_{i=1}^{M} 1 = \log_2 M$
Information Content of English
For random English letters,
log2(26) ≈ 4.7 bits/letter
For large samples of English text,
1.3 bits/letter
For bzipped English text,
7.95+ bits/letter
Testing for Randomness
A byte stream is random if
- I is approximately 8 bits/byte.
- Compression is a good randomizing function.
- Cryptography is a good randomizing function.
Statistical tests for randomness
- Zeros occur about as often as ones.
- Pairs of zeros occur about half as often as single zeros and as often as pairs of ones.
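The information measure I = -sum P_i log2(P_i) and the two statistical checks above, carried out over constructed byte strings. This is an added example, not code from the slides; the 7.9 bits/byte threshold and 5% tolerance are assumed cut-offs chosen for illustration.

```python
# Added example, not from the slides: measure information per byte with
# I = -sum_i P_i log2(P_i) and apply the two simple statistical checks from
# the slide (balance of 0/1 bits, frequency of 00 and 11 among adjacent bit pairs).
import math
import os

def entropy_bits_per_byte(data):
    """Shannon information per byte of a byte string (0.0 .. 8.0)."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def bit_stats(data):
    """Fraction of 1 bits, and fractions of '00' and '11' among adjacent bit pairs."""
    bits = "".join(f"{b:08b}" for b in data)
    ones = bits.count("1") / len(bits)
    pairs = [bits[i:i + 2] for i in range(len(bits) - 1)]
    zz = sum(p == "00" for p in pairs) / len(pairs)
    oo = sum(p == "11" for p in pairs) / len(pairs)
    return ones, zz, oo

def looks_random(data, tol=0.05):
    """Rough check: ~8 bits/byte, ones ~50%, 00 and 11 pairs each ~25%.
    The thresholds are assumed values for illustration, not a standard."""
    ones, zz, oo = bit_stats(data)
    return (entropy_bits_per_byte(data) > 7.9
            and abs(ones - 0.5) < tol
            and abs(zz - 0.25) < tol
            and abs(oo - 0.25) < tol)

if __name__ == "__main__":
    text = b"the quick brown fox jumps over the lazy dog " * 50   # constructed sample
    print(entropy_bits_per_byte(text))          # well below 8 bits/byte
    print(looks_random(b"\x00" * 64))            # False
    print(looks_random(bytes(range(256)) * 16))  # True, although it is a counter
    print(looks_random(os.urandom(4096)))        # True
```

The counter sequence passes these frequency checks even though it is fully predictable, which is why the slide also lists compression: these statistics are necessary but not sufficient evidence of randomness.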
PRNGs
1. Determinism and Randomness
2. Seeding the PRNG
3. Linear Congruential
4. CSPRNGs
5. Blum-Blum-Shub
6. Tiny
7. Attacks on PRNGs
Determinism
Computers are deterministic
- Can’t produce true random numbers.
Pseudo-random numbers appear to be random to certain statistical tests.
- Tests can be derived from compression.
- If you can compress a sequence, it’s not random.
Software-generated pseudo-random sequences are periodic and predictable.
Seeds
Input used to generate the initial pseudo-random number.
Should be computationally infeasible to predict:
- Generate the seed from random, not pseudo-random, data.
- Use a large seed: 32 bits is too small; only 2^32 combinations.
The sequence is still periodic, but starts from a different point for each different seed.
- Identical sequences are produced for identical seeds.
- The period needs to be large for security.
Linear Congruential Generator
n_k = (a * n_{k-1} + b) mod m
m: Modulus (a large prime integer), maximum period
a: Multiplier (integer from 2..m-1)
b: Increment
n_0: Sequence initializer (seed)
LCG Example in Python
#!/usr/bin/env python3
import sys

def lcg(x):
    # n_k = (a * n_{k-1} + b) mod m with modulus m = 13 and increment b = 1;
    # the multiplier a is read from the command line below
    return (a * x + 1) % 13

a, x = map(int, sys.argv[1:3])   # a = multiplier, x = seed
li = []
for i in range(10):
    x = lcg(x)
    li.append(str(x))
print(", ".join(li))

>./prng.py 5 2
11, 4, 8, 2, 11, 4, 8, 2, 11, 4
>./prng.py 6 2
0, 1, 7, 4, 12, 8, 10, 9, 3, 6
Linear Congruential Generator
Choice of a is critical:
- Many choices of a do not produce a full period.
- Sequence is a permutation of the integers 1..m-1.
- Ex: a = 2, 6, 7, 11 for m = 13.
For production LCGs, m = 2^32-1 is common.
- a = 16807 is a well-studied full-period multiplier.
LCGs are statistically random
- but predictable, giving away the LCG state with each number.
LCGs are not cryptographically useful.
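Two points from the LCG slides worked in code, as an added example that is not part of the lecture: which multipliers give the m = 13 generator its full period, and why "giving away the LCG state with each number" means an LCG is not cryptographically useful. The helper names are assumptions; the modulus is assumed known, as it would be for any published generator.

```python
# Added example, not from the slides: (1) find the multipliers a that give the
# multiplicative LCG n_k = a*n_{k-1} mod m its full period, and (2) show that
# an LCG with known modulus leaks its parameters from three consecutive outputs.

def lcg_sequence(a, b, m, seed, count):
    """Generate count values of the LCG n_k = (a*n_{k-1} + b) mod m."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out

def full_period_multipliers(m):
    """Multipliers a for which a*x mod m (b = 0, m prime) visits every value 1..m-1."""
    result = []
    for a in range(2, m):
        seen, x = set(), 1
        for _ in range(m - 1):
            x = a * x % m
            seen.add(x)
        if len(seen) == m - 1:
            result.append(a)
    return result

def recover_lcg_params(outputs, m):
    """Recover (a, b) of an LCG with known prime modulus m from three
    consecutive outputs: x1 = a*x0 + b and x2 = a*x1 + b give
    x2 - x1 = a*(x1 - x0) (mod m)."""
    x0, x1, x2 = outputs[:3]
    d = (x1 - x0) % m
    if d == 0:
        raise ValueError("two equal consecutive outputs; need different samples")
    a = (x2 - x1) * pow(d, -1, m) % m
    b = (x1 - a * x0) % m
    return a, b

if __name__ == "__main__":
    print(full_period_multipliers(13))             # [2, 6, 7, 11]
    obs = lcg_sequence(5, 1, 13, 2, 4)             # 11, 4, 8, 2 as on the slide
    a, b = recover_lcg_params(obs, 13)             # (5, 1)
    print(a, b, lcg_sequence(a, b, 13, obs[2], 1)) # next value matches obs[3]
```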
Secure PRNGs
Cryptographically Secure PRNGs:
1. Statistically appear random.
2. Difficult to predict the next member of the sequence from previous members.
3. Difficult to extract the internal state of the PRNG from observing output.
Similar to stream ciphers.
May be re-seeded at runtime, unlike PRNGs.
Blum Blum Shub
x_{n+1} = x_n^2 mod M
Blum Number M
- Product of two large primes, p and q
- p mod 4 = 3, q mod 4 = 3
Seed
- Choose a random integer x, relatively prime to M.
- x_0 = x^2 mod M
Blum Blum Shub
Random Output:
- LSB of x_{n+1}
- Can safely use log2 M bits.
Provably secure
- Distinguishing output bits from random bits is as difficult as factoring M for large M.
Slow
- Requires arbitrary precision software math libraries.
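The Blum Blum Shub recurrence from the two slides above, as an added example that is not part of the lecture. It uses the toy Blum number M = 11 * 23 (both primes are 3 mod 4) and seed x = 3 so the states can be checked by hand; real parameters are primes of hundreds of digits.

```python
# Added example, not from the slides: a toy Blum Blum Shub generator.
# M = 11 * 23 = 253 is far too small for security; it is used only so that
# x_{n+1} = x_n^2 mod M can be followed by hand.
from math import gcd

def blum_modulus(p, q):
    """Return M = p*q after checking both primes are congruent to 3 mod 4."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be 3 mod 4")
    return p * q

def bbs_states(M, seed, count):
    """Full states x_1 .. x_count of x_{n+1} = x_n^2 mod M, with x_0 = seed^2 mod M."""
    if gcd(seed, M) != 1:
        raise ValueError("seed must be relatively prime to M")
    x = seed * seed % M          # x_0
    states = []
    for _ in range(count):
        x = x * x % M            # x_{n+1}
        states.append(x)
    return states

def bbs_bits(M, seed, count):
    """Random output: the least significant bit of each state x_{n+1}."""
    return [x & 1 for x in bbs_states(M, seed, count)]

if __name__ == "__main__":
    M = blum_modulus(11, 23)        # 253
    print(bbs_states(M, 3, 6))      # [81, 236, 36, 31, 202, 71]
    print(bbs_bits(M, 3, 6))        # [1, 0, 0, 1, 0, 1]
```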
Strong Mixing Functions
Strong mixing function: a function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits.
- Examples: AES, DES, SHA-1, SHA-2
- Use on UNIX-based systems:
  (date; ps gaux) | md5
  where “ps gaux” lists all information about all processes on the system.
Attacks on PRNGs
Direct Cryptanalytic
- Distinguish between PRNG output and random output with better than 50% accuracy.
Input-Based
- Use knowledge of PRNG input to predict output.
- Insert input into the PRNG to control output.
State Compromise Extension
- Extend a previously successful attack that has recovered internal state to recover either or both of:
  - past unknown PRNG outputs
  - future PRNG outputs after additional inputs are given to the PRNG
ASF On-line Gambling
Re-seeded PRNG before each shuffle
- always started with an ordered deck.
Shuffling
- Fair: 52! ≈ 2^226 combinations
- 32-bit seed: 2^32 combinations
- ms seed: 86,400,000 combinations
- synchronized time: 200,000 combinations
Predict deck based on 5 known cards.
ASF PRNG Flaws
1. PRNG algorithm used a small seed (32 bits).
2. Non-cryptographic PRNG used.
3. Seed generated by a poor source of randomness.
Entropy Collection
1. Hardware Solutions
2. Software Solutions
3. Poor Entropy Collection
4. Entropy Estimation
Hardware Sources
Radioactive Decay
- Hotbits: 256 bits/s
- http://www.fourmilab.ch/hotbits/
Thermal or Electrical Noise
- Comscire QNG Model J1000KU, 1 Mbit/s
- Via Padlock RNG on Via x86 CPUs, 800-1600 kbits/s
LavaRnd
- SGI used LavaLite; LavaRnd uses a lens-capped digicam
- http://www.lavarnd.org/
- up to 200 kbits/s
Software Sources
Less Secure, More Convenient
- Software systems can be sufficiently complex to be almost impossible to predict.
User Input: Push, don’t Pull
- Record a time stamp when a keystroke or mouse event occurs.
- Don’t poll the most recent user input every .1s:
  - far fewer possible timestamps.
Software Sources: /dev/random
Idea: use multiple random software sources.
- Store randomness in a pool for user requests.
- Use hash functions (i.e., strong mixing functions) to distill data from multiple sources.
/dev/random can use random sources such as
- CPU load
- disk seeks
- kernel interrupts
- keystrokes
- network packet arrival times
- /dev/audio sans microphone
Software Sources: /dev/random
/dev/random
- each bit is truly random.
- blocks unless enough random bits are available.
/dev/urandom
- supplies the requested number of bits immediately.
- reuses the current state of the pool: lower quality randomness.
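The pool design described on the two /dev/random slides, reduced to a toy in code: events are pushed in as they happen (not polled), a hash acts as the strong mixing function, and a read either blocks until enough entropy has been credited or proceeds from the current pool state. This is an added example, not the kernel's code; the 2-bit credit per keystroke and the class and method names are assumptions, and real programs should read the operating system's CSPRNG (os.urandom) instead.

```python
# Added example, not from the slides: a toy entropy pool in the style of /dev/random.
# SHA-256 is used as the strong mixing function; per-event entropy credits are
# assumed values for illustration only. Use os.urandom in real code.
import hashlib
import time

class EntropyPool:
    def __init__(self):
        self.pool = hashlib.sha256(b"toy-pool-init").digest()
        self.entropy_bits = 0.0          # conservative estimate of collected entropy

    def push_event(self, source, data, credit_bits):
        """Mix an event (source name, payload, arrival timestamp) into the pool."""
        stamp = time.perf_counter_ns().to_bytes(8, "big")
        self.pool = hashlib.sha256(self.pool + source.encode() + stamp + data).digest()
        self.entropy_bits += credit_bits

    def read(self, nbytes, blocking=True):
        """Return nbytes of output. Blocking mode (/dev/random) refuses until
        enough entropy is credited; non-blocking (/dev/urandom) always answers."""
        if blocking and self.entropy_bits < 8 * nbytes:
            return None                  # a real /dev/random would block here
        out = b""
        while len(out) < nbytes:
            self.pool = hashlib.sha256(self.pool + b"extract").digest()
            out += self.pool
        self.entropy_bits = max(0.0, self.entropy_bits - 8 * nbytes)
        return out[:nbytes]

def demo():
    """Constructed run: a blocked read, 64 pushed keystroke events, then two reads."""
    pool = EntropyPool()
    first = pool.read(16)                     # None: nothing credited yet
    for i in range(64):                       # constructed keystroke events
        pool.push_event("keyboard", bytes([i]), credit_bits=2)   # assumed 2 bits each
    blocking = pool.read(16)                  # 128 bits credited: succeeds
    nonblocking = pool.read(16, blocking=False)   # pool drained, still answers
    return first, blocking, nonblocking

if __name__ == "__main__":
    print(demo())
```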
Poor Entropy: Netscape 1.1
SSL encryption
- generates a random 40- or 128-bit session key
- Netscape 1.1 seeded its PRNG with
  - time of day
  - PID and PPID
- All visible to an attacker on the same machine.
Remote attack broke keys in 30 seconds
- guessed the limited randomness in PID/PPID.
- packet sniffing can determine the time of day.
Random Number APIs
Windows
- rand() – insecure PRNG, uses an LCG
- CryptGenRandom() – CSPRNG
- CryptGenKey() – to securely generate keys
Java
- java.util.Random – insecure PRNG
- java.security.SecureRandom – CSPRNG
- Relies on the OS, so SecureRandom can fall back to the insecure Random if the OS does not provide /dev/random or similar
Key Storage
Source Code
- Attacker can use strings to extract keys from the binary.
File on Disk
- Attacker can search the disk for files with high entropy, which are likely to contain keys.
- Encrypting the file adds another layer of difficulty, but there must be a key someplace.
Registry
- Attacker can access it with regedit.
External Device, e.g. smartcards, smartphones, etc.
- Attacker can obtain PINs or use power analysis attacks to extract keys from the device.
Key Points
1. Keys generated must be truly random.
2. Test for randomness by measuring information:
   $I = -\sum_{i=1}^{M} P_i \log_2 P_i$
3. Secure PRNGs must have the following qualities:
   1. Statistically appear random.
   2. Difficult to predict the next member of the sequence from previous members.
   3. Difficult to extract the internal state of the PRNG from observing output.
4. Algorithmic PRNG techniques:
   1. Linear congruential generators: non-crypto.
   2. Blum Blum Shub: cryptographic PRNG.
5. Computer RNGs:
   1. Hardware RNGs: thermal noise, decays.
   2. Software RNGs: disk seeks, interrupts.