Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Why Random Matters

duongkai
December 20, 2013
0
68

Why Random Matters

Presentation @OWASP @Hackerspace.vn 21/12/2013

duongkai

December 20, 2013
Tweet

More Decks by duongkai

See All by duongkai
Common crypto flaws in finance mobile apps
duongkai
0
73
Tetcon-2015 Using TLS correctly
duongkai
2
350
How to use SSL/TLS correctly
duongkai
1
170
5S - Xây dựng và thực hiện
duongkai
0
150
Crypto-101 @hackerspace 26/07/2013
duongkai
1
94
How to scale large database
duongkai
3
190
Trao đổi email
duongkai
0
150
+TetCon.2013_Hacking.Oracle.2012.pdf
duongkai
0
120

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
32
1.5k
Why Our Code Smells
bkeepers
PRO
334
57k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
What's new in Ruby 2.0
geeforr
343
31k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
The Invisible Side of Design
smashingmag
298
50k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Teambox: Starting and Learning
jrom
133
8.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
RailsConf 2023
tenderlove
29
900
Typedesign – Prime Four
hannesfritz
40
2.4k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k

Transcript

  1. None

  2. Why Random Matters K4i

  3. Overview  Why random (RNG) matters  Poking a “de-facto”

    PRNG  How can we use correctly

  4. Why Random (RNG) Matters  Random in real life

  5. Why Random (RNG) Matters Random in Computing environment: producing an

    unpredictable result is desirable  Gambling  Statistical sampling  Cryptography  Computer simulation

  6. If There Is Something WRONG??? You will see in News

  7. None
  8. None
  9. None
  10. None
  11. None

  12. Poking A “de-facto” PRNG

  13. RNG Theory It can be sleepy

  14. Entropy, entropy, entropy

  15. RNG Theory  Random Number Generator: is a computational or

    physical device designed to generate a sequence of numbers or symbols that lack any pattern, i.e. appear random.  In computing environment, we often see Pseudo-Random numbers (PRNG)

  16. RNG Theory A pseudorandom number generator (PRNG), also known as

    a deterministic random bit generator (DRBG)  A secret seed  Deterministic algorithm  Satisfy statistical test

  17. RNG Theory  In modern OS, we have random source

    (/dev/random).  We must trust in secure manner  Use as a seed of PRNG

  18. Poking “de-facto” PRNG  The Mersenne twister is a pseudorandom

    number generator (PRNG). It is the "industry standard" PRNG.  The default PRNG for R, Python, Ruby, IDL, Free Pascal, PHP, Maple, MATLAB, the GNU Multiple Precision Arithmetic Library, and the GNU Scientific Library. It is also available in C++ since C++11. Add-on implementations are provided by the Boost C++ Libraries, Glib, and the NAG Numerical Library.

  19. But it is NOT suitable for CRYPTO!

  20. Demo 1 Do-It-Yourself This PRNG

  21. Demo 2 Make the fun

  22. Demo 3 Make the fun again

  23. Demo 4 I see the serious problem

  24. How Can We Use Correctly

  25. Do you know WHAT you WANT?

  26. Choose The Right One Don’t re-invent the wheel

  27. Use OS Random Source As a Seed

  28. Example  Cryptography applications  Cryptographically secure pseudorandom number generator

     Key generation  Nonces  One-time pads  Salts

  29. PyCrypto case study  PyCrypto Random library  Fortuna Algorithm

     OSRNG

  30. Demo 5 Using Random function in Cryptography library

  31. Die Luft der Freiheit weht Q&A