Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Why Random Matters

duongkai
December 20, 2013
0
68

Why Random Matters

Presentation @OWASP @Hackerspace.vn 21/12/2013

duongkai

December 20, 2013
Tweet

More Decks by duongkai

See All by duongkai
Common crypto flaws in finance mobile apps
duongkai
0
72
Tetcon-2015 Using TLS correctly
duongkai
2
350
How to use SSL/TLS correctly
duongkai
1
170
5S - Xây dựng và thực hiện
duongkai
0
150
Crypto-101 @hackerspace 26/07/2013
duongkai
1
94
How to scale large database
duongkai
3
190
Trao đổi email
duongkai
0
150
+TetCon.2013_Hacking.Oracle.2012.pdf
duongkai
0
120

Featured

See All Featured
Code Reviewing Like a Champion
maltzj
519
39k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.4k
Designing on Purpose - Digital PM Summit 2013
jponch
115
6.9k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
800
Visualization
eitanlees
145
15k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. None

  2. Why Random Matters K4i

  3. Overview  Why random (RNG) matters  Poking a “de-facto”

    PRNG  How can we use correctly

  4. Why Random (RNG) Matters  Random in real life

  5. Why Random (RNG) Matters Random in Computing environment: producing an

    unpredictable result is desirable  Gambling  Statistical sampling  Cryptography  Computer simulation

  6. If There Is Something WRONG??? You will see in News

  7. None
  8. None
  9. None
  10. None
  11. None

  12. Poking A “de-facto” PRNG

  13. RNG Theory It can be sleepy

  14. Entropy, entropy, entropy

  15. RNG Theory  Random Number Generator: is a computational or

    physical device designed to generate a sequence of numbers or symbols that lack any pattern, i.e. appear random.  In computing environment, we often see Pseudo-Random numbers (PRNG)

  16. RNG Theory A pseudorandom number generator (PRNG), also known as

    a deterministic random bit generator (DRBG)  A secret seed  Deterministic algorithm  Satisfy statistical test

  17. RNG Theory  In modern OS, we have random source

    (/dev/random).  We must trust in secure manner  Use as a seed of PRNG

  18. Poking “de-facto” PRNG  The Mersenne twister is a pseudorandom

    number generator (PRNG). It is the "industry standard" PRNG.  The default PRNG for R, Python, Ruby, IDL, Free Pascal, PHP, Maple, MATLAB, the GNU Multiple Precision Arithmetic Library, and the GNU Scientific Library. It is also available in C++ since C++11. Add-on implementations are provided by the Boost C++ Libraries, Glib, and the NAG Numerical Library.

  19. But it is NOT suitable for CRYPTO!

  20. Demo 1 Do-It-Yourself This PRNG

  21. Demo 2 Make the fun

  22. Demo 3 Make the fun again

  23. Demo 4 I see the serious problem

  24. How Can We Use Correctly

  25. Do you know WHAT you WANT?

  26. Choose The Right One Don’t re-invent the wheel

  27. Use OS Random Source As a Seed

  28. Example  Cryptography applications  Cryptographically secure pseudorandom number generator

     Key generation  Nonces  One-time pads  Salts

  29. PyCrypto case study  PyCrypto Random library  Fortuna Algorithm

     OSRNG

  30. Demo 5 Using Random function in Cryptography library

  31. Die Luft der Freiheit weht Q&A