Safe randomness: theory and practice

Transcript

1. Safe randomness: theory and practice
   ҆શͳϥϯμϜωεͷཧ࿦ͱ࣮ફ
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 1
   

   View Slide

2. Kenji Rikitake
   Γ͖͚ͨ ͚Μ͡
   7-SEP-2018
   Builderscon Tokyo 2018
   Kyoseikan, Keio University
   Yokohama City, Kanagawa,
   Japan
   @jj1bdx
   Copyright ©2018 Kenji Rikitake.
   This work is licensed under a
   Creative Commons Attribution
   4.0 International License.
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 2
   

   View Slide

3. In this talk I'm going to talk about
   Randomness
   ͜ͷൃදͰ͸ϥϯμϜωεʹ͍ͭͯ࿩͠·͢
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 3
   

   View Slide

4. What is randomness?
   ... unpredictability
   ϥϯμϜωεͱ͸༧ଌෆೳੑͷ͜ͱͰ͢
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 4
   

   View Slide

5. Randomness is essential for
   secure operation
   ϥϯμϜωε͸҆શͳӡ༻ʹෆՄܽͰ͢
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 5
   

   View Slide

6. When randomness needed
   ϥϯμϜωε͕ඞཁͳ࣌
   • Password/key generation / ύεϫʔυ΍伴ͷੜ੒
   • Timing obfuscation / ॲཧ࣌ؒΛӅ͢
   • Using multiple resources equally but
   unpredictably / ෳ਺ͷࢿݯΛಉ͡Α͏ʹɺ͔͠͠
   ༧ଌ͞Εͳ͍Α͏ʹ࢖͍͍ͨ
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 6
   

   View Slide

7. In algorithm, randomness is represented as:
   Random numbers
   ΞϧΰϦζϜͰͷϥϯμϜωε͸
   ཚ਺ ʹΑͬͯදݱ͠·͢
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 7
   

   View Slide

8. My works on random numbers
   ཚ਺ʹ͍ͭͯԿΛ΍͖͔ͬͯͨ
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 8
   

   View Slide

9. Software contribution to Erlang/OTP
   • Improve the random number algorithms
   • ཚ਺ΞϧΰϦζϜͷվળ
   • Erlang/OTP rand module
   • SFMT for Erlang/OTP
   • TinyMT calculation of 256M keys
   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 9
   

   View Slide

10. Bad algorithm example (JS V8)
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 10
    

    View Slide

11. Legacy Erlang/OTP random module
    • A 1980s algorithm called AS183
    • Can be fully scanned in 8 hours
    • Became a security issue - deprecated since OTP
    19 (June 2016)
    • 8࣌ؒͰશ਺ݕࡧͰ͖ͯ͠·͏
    • ηΩϡϦςΟ໰୊ʹͳΓOTPόʔδϣϯ19ʢ2016
    ೥6݄ʣΑΓඇਪ঑
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 11
    

    View Slide

12. ... And hardware contribution
    because software is not enough
    ιϑτ͚ͩͰ͸ෆे෼ͳͷͰϋʔυ΋΍ͬͯ·͢
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 12
    

    View Slide

13. Why hardware?
    • Randomness is hard to find in a computer
    • Computers are programmed and predictive machines;
    finding randomness inside computers is extremely
    difficult
    • ίϯϐϡʔλͷதʹϥϯμϜωεΛݟ͚ͭΔͷ͸೉͍͠
    • ίϯϐϡʔλ͸ϓϩάϥϜ͞Εͨ௨Γʹɺ༧૝௨Γʹ
    ಈ͘ˠίϯϐϡʔλͷதͰϥϯμϜωεΛݟ͚ͭΔͷ͸
    ඇৗʹ೉͍͠
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 13
    

    View Slide

14. Randomness sources in a computer
    • CPU clock jitter / CPUΫϩοΫͷ༳Ε
    • Keyboard timing / ΩʔϘʔυଧ伴ͷλΠϛϯά
    • Network packet timing / ύέοτͷλΠϛϯά
    • Storage seeking timing / ετϨʔδͷλΠϛϯά
    • ... Those sources do not give much randomness
    • … ͜ΕΒͷιʔε͔ΒಘΒΕΔϥϯμϜωε͸গྔ
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 14
    

    View Slide

15. Randomness processing flow
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 15
    

    View Slide

16. Little randomness available in a system
    γεςϜͷத͔Β͸ϥϯμϜωε͸গ͔͠͠ಘΒΕͳ͍
    A result: only ~0.62bit/sec
    • A dormant Linux server without attached keyboard
    • /proc/sys/kernel/random/entropy_avail
    • Bits of entropy (= randomness) in the system
    • 258 bits / 415.6 seconds (~7 minutes)
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 16
    

    View Slide

17. Additional randomness needed
    ௥ՃͷϥϯμϜωε͕ඞཁ
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 17
    

    View Slide

18. Why? Because:
    Security depends on unpredictability
    Secure operations consume randomness
    Availability of randomness is limited
    ηΩϡϦςΟ͸༧ଌෆೳੑʹґଘ͍ͯ͠Δ
    ҆શͳॲཧ͸ϥϯμϜωεΛফඅ͢Δ
    ࢖͑ΔϥϯμϜωε͸༗ݶ
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 18
    

    View Slide

19. Physical randomness source
    ෺ཧతͳϥϯμϜωεݯ
    • Thermal noise / ೤ࡶԻ
    • Avalanche noise of semiconductor junctions / ൒ಋ
    ମ઀߹෦ͷͳͩΕ߱෬ࡶԻ
    • Timing jitter of oscillation circuits / ൃৼճ࿏ͷλ
    Πϛϯάͷ༳Ε
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 19
    

    View Slide

20. Physical random
    number generator
    with Arduino UNO
    Displayed at Maker Faire Tokyo
    2016
    This implementation is working
    as a dice: generating numbers of
    1~6 / αΠίϩಉ༷ʹ1͔Β6·
    Ͱͷ਺ࣈΛੜ੒͢Δ
    Generating ~10kbytes/sec
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 20
    

    View Slide

21. Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 21
    

    View Slide

22. Infinity Noise TRNG
    • Thermal noise based
    • USD35/device
    • Public domain, no patent
    • No MCU on the device / σόΠ
    ε͸MCUΛ࣋ͨͳ͍
    • ~40Kbytes/sec
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 22
    

    View Slide

23. Infinity Noise TRNG schematics
    FTDI bitbang I/O controls the noise amplifier
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 23
    

    View Slide

24. How to inject external randomness
    to the operating systems
    • Linux: random(4) ioctl() of RNDGETENTCNT,
    RNDADDENTROPY (User accessible)
    • FreeBSD: random_harvest(9) (Accessible from
    kernel modules only, device driver needed)
    • Other proprietary OSes: unable to find the same
    functions / ͦͷଞͷಠࣗOSͰ͸֎෦͔ΒϥϯμϜ
    ωεΛ஫ೖͰ͖ͳ͍
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 24
    

    View Slide

25. Whitening for
    uniform distribution
    • Cryptographically strong hash
    functions are used in the
    whitening
    • Whitening is implemented in
    the driver or the post-
    processing software
    • ҉߸Խϋογϡؔ਺Λద༻͠
    ͯग़ྗͷ෼෍ΛҰ༷Խ͢Δॲ
    ཧʢϗϫΠτχϯάʣ͕ඞཁ
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 25
    

    View Slide

26. How whitening works on Infinity Noise TRNG
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 26
    

    View Slide

27. How much randomness is enough?
    • USD <100 generator: > ~10kbytes/sec, more than
    sufficient for an active server
    • If you generate a lot of keys/passwords, consider
    dedicated generator of Mbps or Gbps class (they exist
    but expensive)
    • ϋʔυ΢ΣΞੜ੒ث͕͋Ε͹~10kόΠτ/ඵҎ্ʢ௨ৗ
    ͷӡ༻ʹ͸े෼ʣ
    • ຊؾͰେྔʹ伴΍ύεϫʔυΛੜ੒͢ΔͳΒઐ༻ͷ෺
    ཧཚ਺ੜ੒ثΛಋೖ͢΂͠
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 27
    

    View Slide

28. Experimental systems in our office
    • FreeBSD 11 with Infinity Noise TRNG
    • https://github.com/jj1bdx/infnoise-freebsd
    • https://github.com/jj1bdx/freebsd-dev-trng
    • Ubuntu 18.04 with Infinity Noise TRNG
    • https://github.com/jj1bdx/infnoise-linux
    • Infinity Noise TRNG on Windows 10 also works
    • https://github.com/jj1bdx/infnoise-windows
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 28
    

    View Slide

29. Summary/·ͱΊ
    • Good randomness is hard to obtain
    • External physical random number generator is
    essential for secure operation
    • Do not invent your own methods
    • ྑ͍ϥϯμϜωεΛಘΔͷ͸೉͍͠
    • ҆શͳӡ༻ʹ͸֎෦ͷ෺ཧཚ਺૷ஔ͕ෆՄܽ
    • ࣗݾྲྀͰ΍Βͳ͍
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 29
    

    View Slide

30. Other references
    • Presentation slide repository
    • Arduino UNO TRNG: avrhwrng
    • Crowd Supply product page of Infinity Noise TRNG
    • Infinity Noise TRNG (with the schematics)
    • Fifteen Ways to Leave Your Random Module (Erlang
    User Conference 2016)
    • ٙࣅཚ਺ͷ࡞Γํɾ࢖͍ํ ήʔϜ͔Β৘ใηΩϡϦ
    ςΟ·Ͱ
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 30
    

    View Slide

31. Acknowledgment
    This presentation is supported
    by Pepabo R&D Institute, GMO
    Pepabo, Inc.
    ͜ͷߨԋ͸GMOϖύϘגࣜձࣾ
    ϖύϘݚڀॴͷ͝ࢧԉͰ࣮ݱ͠
    ·ͨ͠
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 31
    

    View Slide

32. Thanks
    Questions?
    Give the feedback please; use the QR code on your name card
    ϑΟʔυόοΫΛ͓Ͷ͕͍͠·͢ / ωʔϜΧʔυͷQRίʔυΛ࢖͍ͬͯͩ͘͞
    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 32
    

    View Slide