SlideShare uma empresa Scribd logo

CNIT 141: 2. Randomness

Sam Bowne
Sam Bowne

For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267 Instructor: Sam Bowne More info: https://samsclass.info/141/141_S19.shtml

Educação
1 de 52
Baixar para ler offline
CNIT 141 Cryptography for Computer Networks 2. Randomness
Topics • Random or Non-Random? • Randomness as a Probability Distribution • Entropy: A Measure of Uncertainty • Random Number Generators (RNGs) and
 Pseudorandom Number Generators (PRNGs) • Real-World PRNGs • How Things Can Go Wrong
Random or Non-Random?
What is Randomness? • Is 11010110 more random than 00000000 ? • Both are equally likely, as exact values • But if the first one is described as "three zeroes and five ones" it's more likely • So if we see something that "looks like" 11010110 • That is more likely to be truly random than 00000000
Randomness as a Probability Distribution
Probability • A fair coin • 50% chance of head, 50% chance of tails • A fair die • 1/6 chance of 1, 1/6 of 2, ... up to 6 • Total is always 100% • Uniform distribution • Equal chance of every outcome
Entropy: A Measure of Uncertainty
Definition of Entropy • Distribution has probabilities p1, p2, ... pN • Entropy is - p1 log(p1) - p2 log(p2) ... - pN log(pN) • log is to base 2
Examples • One random bit: probabilities 1/2, 1/2 • Entropy is - 1/2 log(1/2) - 1/2 log(1/2) log(1/2) = -1, so this is - 1/2 (-1) - 1/2 (-1) = 1 bit • Also called information content
Examples • One random byte: probabilities 1/256, 1/256, ... 1/256 (256 equal values) • Entropy is - 1/256 log(1/256) - 1/256 log(1/256) ... 
 (256 terms) log(1/256) = -8, so this is - 1/256 (-8) - 1/256 (-8) ... (256 terms) 
 = 8 bits
Examples • One non-random bit: probabilities 100% of 0, 0% of 1 • Entropy is - 1 log(1) - 0 log(0) log(1) = 0, ignore second term, so this is 0 bits
Python Code
Eight Possibilities
Weighted Coin
Random Number Generators (RNGs) and 
 Pseudorandom Number Generators (PRNGs)
RNGs and PRNGs • To generate randomness, computers need • A source of entropy • Provided by a Random Number Generator (RNG) • An algorithm to produce random bits from the entropy • Pseudorandom Number Generator (PRNG)
RNG • Randomness comes from the environment • Analog, chaotic, unpredictable • Temperature, acoustic noise, random electrical fluctuations • Sensors: I/O devices, network or disk activity, logs, running processes, keypresses, mouse movements
QRNG • Quantum Random Noise Generator • Radioactive decay, vacuum polarization, photons
PRNG • Pseudorandom Noise Generator • Create many artificial random bits • From a few truly random bits • Continues working even if physical source stops (e.g., the mouse stops moving)
How PRNGs Work • PRNG receives random bits from RNG • at regular intervals • Updates the entropy pool • Mixes pool's bits together when updating • To remove bias
DRBG • The PRNG uses a Deterministic Random Bit Generator (DRBG) • Expands some bits from the entropy pool into a much longer sequence • Deterministic: not randomized • Always produces the same stream of bits from the same input
PRNG Operations • init() • Initializes the entropy pool and the internal state of the PRNG • refresh() • Updates the entropy pool using R (data from the RNG), called reseeding • R is called the seed • next() • Returns N pseudorandom bits and updates the entropy pool
Security Concerns • Backtracking resistance • Also called forward secrecy • Previously generated bits are impossible to recover • Prediction resistance • Future bits are impossible to predict
• NSA stores exabytes of captured encrypted traffic • 1 EB is 1 million TB • Waiting for cryptographic keys to be found
Achieving Resistance • Backtracking resistance • refresh and next operations must be irreversible, so • If attacker obtains the entropy pool, they still can't determine previously generated bits • Prediction resistance • PRNG must refresh regularly with R values that the attacker cannot find or guess
Fortuna • A PRNG designed in 2003 by Neils Ferguson and Bruce Schneier • Used in Windows • Uses 32 entropy pools, a 16-byte key, and a 16-byte counter • Mac OS and iOS use Yarrow • Designed in 1998 by Kelsey and Schneier
Security Failures • If RNGs fail to produce enough random bits • Fortuna might not notice, and produce lower- quality pseudorandom bits • Or stop delivering bits • If seed files are stolen or re-used, • Fortuna will produce identical sequences of bits
Cryptographic vs. Non- Cryptographic PRNGs • Most PRNGs provided for programming languages are non-cryptographic • Only concerned with statistical randomness, not predictability • Often use Mersenne Twister algorithm • Cryptographic PRNGs are unpredictable
Real-World PRNGs
Unix-Based Systems • /dev/urandom gets data from the crypto PRNG • Non-blocking: always returns data, even if entropy is low • /dev/random • Blocking: refuses to return data if entropy is low
Blocking • Blocking turned out to be a bad idea • Entropy estimates are unreliable • Attackers can fool them • /dev/random runs out of entropy quickly • Producing denial of service while waiting for more entropy • In practice, /dev/urandom is better
• Links Ch 2b, Ch 2c
Linux Commands • To see entropy pool • for i in {1..100}; do cat /proc/sys/kernel/ random/entropy_avail; sleep 2; done • To consume entropy • dd if=/dev/random bs=8 count=8 | base64
Demo: Without Haveged
Demo: With Haveged
Windows • CryptGenRandom() function • Now replaced by BcryptGenRandom() • Takes entropy from the kernel mode driver cng.sys (formerly ksedd.sys) • Loosely based on Fortuna
Intel RDRAND • Hardware RNG introduced in 2012 with Ivy Bridge • Uses RDRAND assembly language instruction • Only partially documented • Some people fear that it has an NSA backdoor
• Talk given in 2007 • Link Ch 2d
• Dual_EC_DRBG is 1000x slower that other options • Championed by the NSA • Schneier said to avoid it in 2007 • Link Ch 2f
• TOP SECRET leaks from Snowden • New York Times, 2013 (Link Ch 2h)
• Link Ch 2g
How Things Can Go Wrong
Poor Entropy Sources • Netscape's SSL in 1996 • Seeded from process ID and system time in microseconds • Predictable values • Total entropy only 47 bits, but should have had 128
• In 2012, researchers tested 7.1 million 1024- bit RSA public keys • 27,000 of them had a shared prime factor (p or q) • Link Ch 2i
Insufficient Entropy 
 at Boot Time • Cause: devices generated public keys early after bootup, before collecting enough entropy
Non-Cryptographic PRNG • Old version of MediaWiki, used for Wikipedia • mt_rand is a Mersenne Twister
Sampling Bug with
 Strong Randomness • Cryptocat had an off-by-one error • Values had 45 bits of entropy instead of 53
CNIT 141: 2. Randomness

Recomendados

CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingSam Bowne
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingSam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 

Recomendados

CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingSam Bowne
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingSam Bowne
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsSam Bowne
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream CiphersSam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015CODE BLUE
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryptionDR RICHMOND ADEBIAYE
 
Idea
IdeaIdea
IdeaOuissem eddine Amir BOUDOUR
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Svetlin Nakov
 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad EncryptionCharles Southerland
 
A Brief History of Cryptography
A Brief History of CryptographyA Brief History of Cryptography
A Brief History of Cryptographyguest9006ab
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyKarthikeyan Dhayalan
 
Ch03 Ch06 Des And Others
Ch03 Ch06 Des And OthersCh03 Ch06 Des And Others
Ch03 Ch06 Des And Othersnathanurag
 
Keccak
KeccakKeccak
KeccakRajeev Verma
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)farazvirk554
 
SHA-3
SHA-3SHA-3
SHA-3rokham khawaja
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
Block Cipher
Block CipherBlock Cipher
Block CipherBrandon Byungyong Jo
 
Idea (international data encryption algorithm)
Idea (international data encryption algorithm)Idea (international data encryption algorithm)
Idea (international data encryption algorithm)AmanMishra208
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS ProtocolDevang Badrakiya
 
Cryptography in Python
Cryptography in PythonCryptography in Python
Cryptography in PythonAmirali Sanatinia
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 

Mais conteúdo relacionado

Mais procurados

2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream CiphersSam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015CODE BLUE
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Svetlin Nakov
 
A Brief History of Cryptography
A Brief History of CryptographyA Brief History of Cryptography
A Brief History of Cryptographyguest9006ab
 
Ch03 Ch06 Des And Others
Ch03 Ch06 Des And OthersCh03 Ch06 Des And Others
Ch03 Ch06 Des And Othersnathanurag
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)farazvirk554
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
Idea (international data encryption algorithm)
Idea (international data encryption algorithm)Idea (international data encryption algorithm)
Idea (international data encryption algorithm)AmanMishra208
 

Mais procurados (20)

2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015Master Canary Forging by Yuki Koike - CODE BLUE 2015
Master Canary Forging by Yuki Koike - CODE BLUE 2015
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
Idea
IdeaIdea
Idea
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
 
One-Time Pad Encryption
One-Time Pad EncryptionOne-Time Pad Encryption
One-Time Pad Encryption
 
A Brief History of Cryptography
A Brief History of CryptographyA Brief History of Cryptography
A Brief History of Cryptography
 
CISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - CryptographyCISSP - Chapter 3 - Cryptography
CISSP - Chapter 3 - Cryptography
 
Ch03 Ch06 Des And Others
Ch03 Ch06 Des And OthersCh03 Ch06 Des And Others
Ch03 Ch06 Des And Others
 
Keccak
KeccakKeccak
Keccak
 
Advanced encryption standard (aes)
Advanced encryption standard (aes)Advanced encryption standard (aes)
Advanced encryption standard (aes)
 
SHA-3
SHA-3SHA-3
SHA-3
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1
 
Block Cipher
Block CipherBlock Cipher
Block Cipher
 
Idea (international data encryption algorithm)
Idea (international data encryption algorithm)Idea (international data encryption algorithm)
Idea (international data encryption algorithm)
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
 
Cryptography in Python
Cryptography in PythonCryptography in Python
Cryptography in Python
 

Semelhante a CNIT 141: 2. Randomness

The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 
Random number generators
Random number generatorsRandom number generators
Random number generatorsBob Landstrom
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyJoshua McDougall
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
What is pseudo random number
What is pseudo random numberWhat is pseudo random number
What is pseudo random numberAkshay Tikekar
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number GeneratorXequeMateShannon
 
Solving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in SoftwareSolving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in SoftwareRay Potter
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersVlad Garbuz
 
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz «Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz 0xdec0de
 
CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)Sam Bowne
 
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...Kenji Rikitake
 
Anon p2p slides
Anon p2p slidesAnon p2p slides
Anon p2p slideschintaan
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoTMark Carney
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep DiveDiego Pacheco
 
Quantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, CiscoQuantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, CiscoVishnu Pendyala
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 

Semelhante a CNIT 141: 2. Randomness (20)

The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
Random number generators
Random number generatorsRandom number generators
Random number generators
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation Ceremony
 
nabdullin_brcrdu_dark
nabdullin_brcrdu_darknabdullin_brcrdu_dark
nabdullin_brcrdu_dark
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
What is pseudo random number
What is pseudo random numberWhat is pseudo random number
What is pseudo random number
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number Generator
 
Solving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in SoftwareSolving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in Software
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphers
 
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz «Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
 
CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)
 
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
 
Anon p2p slides
Anon p2p slidesAnon p2p slides
Anon p2p slides
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoT
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep Dive
 
Quantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, CiscoQuantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, Cisco
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to Root
 

Mais de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 

Mais de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 

Último

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Shubhangi Sonawane
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...KokoStevan
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.MateoGardella
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 

Último (20)

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 

CNIT 141: 2. Randomness

  • 1. CNIT 141 Cryptography for Computer Networks 2. Randomness
  • 2. Topics • Random or Non-Random? • Randomness as a Probability Distribution • Entropy: A Measure of Uncertainty • Random Number Generators (RNGs) and
 Pseudorandom Number Generators (PRNGs) • Real-World PRNGs • How Things Can Go Wrong
  • 4. What is Randomness? • Is 11010110 more random than 00000000 ? • Both are equally likely, as exact values • But if the first one is described as "three zeroes and five ones" it's more likely • So if we see something that "looks like" 11010110 • That is more likely to be truly random than 00000000
  • 6. Probability • A fair coin • 50% chance of head, 50% chance of tails • A fair die • 1/6 chance of 1, 1/6 of 2, ... up to 6 • Total is always 100% • Uniform distribution • Equal chance of every outcome
  • 7. Entropy: A Measure of Uncertainty
  • 8. Definition of Entropy • Distribution has probabilities p1, p2, ... pN • Entropy is - p1 log(p1) - p2 log(p2) ... - pN log(pN) • log is to base 2
  • 9. Examples • One random bit: probabilities 1/2, 1/2 • Entropy is - 1/2 log(1/2) - 1/2 log(1/2) log(1/2) = -1, so this is - 1/2 (-1) - 1/2 (-1) = 1 bit • Also called information content
  • 10. Examples • One random byte: probabilities 1/256, 1/256, ... 1/256 (256 equal values) • Entropy is - 1/256 log(1/256) - 1/256 log(1/256) ... 
 (256 terms) log(1/256) = -8, so this is - 1/256 (-8) - 1/256 (-8) ... (256 terms) 
 = 8 bits
  • 11. Examples • One non-random bit: probabilities 100% of 0, 0% of 1 • Entropy is - 1 log(1) - 0 log(0) log(1) = 0, ignore second term, so this is 0 bits
  • 15.
  • 16. Random Number Generators (RNGs) and 
 Pseudorandom Number Generators (PRNGs)
  • 17. RNGs and PRNGs • To generate randomness, computers need • A source of entropy • Provided by a Random Number Generator (RNG) • An algorithm to produce random bits from the entropy • Pseudorandom Number Generator (PRNG)
  • 18. RNG • Randomness comes from the environment • Analog, chaotic, unpredictable • Temperature, acoustic noise, random electrical fluctuations • Sensors: I/O devices, network or disk activity, logs, running processes, keypresses, mouse movements
  • 19. QRNG • Quantum Random Noise Generator • Radioactive decay, vacuum polarization, photons
  • 20. PRNG • Pseudorandom Noise Generator • Create many artificial random bits • From a few truly random bits • Continues working even if physical source stops (e.g., the mouse stops moving)
  • 21. How PRNGs Work • PRNG receives random bits from RNG • at regular intervals • Updates the entropy pool • Mixes pool's bits together when updating • To remove bias
  • 22. DRBG • The PRNG uses a Deterministic Random Bit Generator (DRBG) • Expands some bits from the entropy pool into a much longer sequence • Deterministic: not randomized • Always produces the same stream of bits from the same input
  • 23. PRNG Operations • init() • Initializes the entropy pool and the internal state of the PRNG • refresh() • Updates the entropy pool using R (data from the RNG), called reseeding • R is called the seed • next() • Returns N pseudorandom bits and updates the entropy pool
  • 24. Security Concerns • Backtracking resistance • Also called forward secrecy • Previously generated bits are impossible to recover • Prediction resistance • Future bits are impossible to predict
  • 25. • NSA stores exabytes of captured encrypted traffic • 1 EB is 1 million TB • Waiting for cryptographic keys to be found
  • 26.
  • 27. Achieving Resistance • Backtracking resistance • refresh and next operations must be irreversible, so • If attacker obtains the entropy pool, they still can't determine previously generated bits • Prediction resistance • PRNG must refresh regularly with R values that the attacker cannot find or guess
  • 28. Fortuna • A PRNG designed in 2003 by Neils Ferguson and Bruce Schneier • Used in Windows • Uses 32 entropy pools, a 16-byte key, and a 16-byte counter • Mac OS and iOS use Yarrow • Designed in 1998 by Kelsey and Schneier
  • 29. Security Failures • If RNGs fail to produce enough random bits • Fortuna might not notice, and produce lower- quality pseudorandom bits • Or stop delivering bits • If seed files are stolen or re-used, • Fortuna will produce identical sequences of bits
  • 30. Cryptographic vs. Non- Cryptographic PRNGs • Most PRNGs provided for programming languages are non-cryptographic • Only concerned with statistical randomness, not predictability • Often use Mersenne Twister algorithm • Cryptographic PRNGs are unpredictable
  • 32. Unix-Based Systems • /dev/urandom gets data from the crypto PRNG • Non-blocking: always returns data, even if entropy is low • /dev/random • Blocking: refuses to return data if entropy is low
  • 33. Blocking • Blocking turned out to be a bad idea • Entropy estimates are unreliable • Attackers can fool them • /dev/random runs out of entropy quickly • Producing denial of service while waiting for more entropy • In practice, /dev/urandom is better
  • 34. • Links Ch 2b, Ch 2c
  • 35. Linux Commands • To see entropy pool • for i in {1..100}; do cat /proc/sys/kernel/ random/entropy_avail; sleep 2; done • To consume entropy • dd if=/dev/random bs=8 count=8 | base64
  • 38. Windows • CryptGenRandom() function • Now replaced by BcryptGenRandom() • Takes entropy from the kernel mode driver cng.sys (formerly ksedd.sys) • Loosely based on Fortuna
  • 39. Intel RDRAND • Hardware RNG introduced in 2012 with Ivy Bridge • Uses RDRAND assembly language instruction • Only partially documented • Some people fear that it has an NSA backdoor
  • 40. • Talk given in 2007 • Link Ch 2d
  • 41.
  • 42. • Dual_EC_DRBG is 1000x slower that other options • Championed by the NSA • Schneier said to avoid it in 2007 • Link Ch 2f
  • 43. • TOP SECRET leaks from Snowden • New York Times, 2013 (Link Ch 2h)
  • 44.
  • 46. How Things Can Go Wrong
  • 47. Poor Entropy Sources • Netscape's SSL in 1996 • Seeded from process ID and system time in microseconds • Predictable values • Total entropy only 47 bits, but should have had 128
  • 48. • In 2012, researchers tested 7.1 million 1024- bit RSA public keys • 27,000 of them had a shared prime factor (p or q) • Link Ch 2i
  • 49. Insufficient Entropy 
 at Boot Time • Cause: devices generated public keys early after bootup, before collecting enough entropy
  • 50. Non-Cryptographic PRNG • Old version of MediaWiki, used for Wikipedia • mt_rand is a Mersenne Twister
  • 51. Sampling Bug with
 Strong Randomness • Cryptocat had an off-by-one error • Values had 45 bits of entropy instead of 53