Safe randomness: theory and practice

Transcript

1. Safe randomness: theory and practice ҆શͳϥϯμϜωεͷཧ࿦ͱ࣮ફ Kenji Rikitake / Builderscon

   Tokyo 2018 7-SEP-2018 1

2. Kenji Rikitake Γ͖͚ͨ ͚Μ͡ 7-SEP-2018 Builderscon Tokyo 2018 Kyoseikan, Keio

   University Yokohama City, Kanagawa, Japan @jj1bdx Copyright ©2018 Kenji Rikitake. This work is licensed under a Creative Commons Attribution 4.0 International License. Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 2

3. In this talk I'm going to talk about Randomness ͜ͷൃදͰ͸ϥϯμϜωεʹ͍ͭͯ࿩͠·͢

   Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 3

4. What is randomness? ... unpredictability ϥϯμϜωεͱ͸༧ଌෆೳੑͷ͜ͱͰ͢ Kenji Rikitake / Builderscon

   Tokyo 2018 7-SEP-2018 4

5. Randomness is essential for secure operation ϥϯμϜωε͸҆શͳӡ༻ʹෆՄܽͰ͢ Kenji Rikitake /

   Builderscon Tokyo 2018 7-SEP-2018 5

6. When randomness needed ϥϯμϜωε͕ඞཁͳ࣌ • Password/key generation / ύεϫʔυ΍伴ͷੜ੒ •

   Timing obfuscation / ॲཧ࣌ؒΛӅ͢ • Using multiple resources equally but unpredictably / ෳ਺ͷࢿݯΛಉ͡Α͏ʹɺ͔͠͠ ༧ଌ͞Εͳ͍Α͏ʹ࢖͍͍ͨ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 6

7. In algorithm, randomness is represented as: Random numbers ΞϧΰϦζϜͰͷϥϯμϜωε͸ ཚ਺

   ʹΑͬͯදݱ͠·͢ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 7

8. My works on random numbers ཚ਺ʹ͍ͭͯԿΛ΍͖͔ͬͯͨ Kenji Rikitake / Builderscon

   Tokyo 2018 7-SEP-2018 8

9. Software contribution to Erlang/OTP • Improve the random number algorithms

   • ཚ਺ΞϧΰϦζϜͷվળ • Erlang/OTP rand module • SFMT for Erlang/OTP • TinyMT calculation of 256M keys Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 9

10. Bad algorithm example (JS V8) Kenji Rikitake / Builderscon Tokyo

    2018 7-SEP-2018 10

11. Legacy Erlang/OTP random module • A 1980s algorithm called AS183

    • Can be fully scanned in 8 hours • Became a security issue - deprecated since OTP 19 (June 2016) • 8࣌ؒͰશ਺ݕࡧͰ͖ͯ͠·͏ • ηΩϡϦςΟ໰୊ʹͳΓOTPόʔδϣϯ19ʢ2016 ೥6݄ʣΑΓඇਪ঑ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 11

12. ... And hardware contribution because software is not enough ιϑτ͚ͩͰ͸ෆे෼ͳͷͰϋʔυ΋΍ͬͯ·͢

    Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 12

13. Why hardware? • Randomness is hard to find in a

    computer • Computers are programmed and predictive machines; finding randomness inside computers is extremely difficult • ίϯϐϡʔλͷதʹϥϯμϜωεΛݟ͚ͭΔͷ͸೉͍͠ • ίϯϐϡʔλ͸ϓϩάϥϜ͞Εͨ௨Γʹɺ༧૝௨Γʹ ಈ͘ˠίϯϐϡʔλͷதͰϥϯμϜωεΛݟ͚ͭΔͷ͸ ඇৗʹ೉͍͠ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 13

14. Randomness sources in a computer • CPU clock jitter /

    CPUΫϩοΫͷ༳Ε • Keyboard timing / ΩʔϘʔυଧ伴ͷλΠϛϯά • Network packet timing / ύέοτͷλΠϛϯά • Storage seeking timing / ετϨʔδͷλΠϛϯά • ... Those sources do not give much randomness • … ͜ΕΒͷιʔε͔ΒಘΒΕΔϥϯμϜωε͸গྔ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 14

15. Randomness processing flow Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018

    15

16. Little randomness available in a system γεςϜͷத͔Β͸ϥϯμϜωε͸গ͔͠͠ಘΒΕͳ͍ A result: only

    ~0.62bit/sec • A dormant Linux server without attached keyboard • /proc/sys/kernel/random/entropy_avail • Bits of entropy (= randomness) in the system • 258 bits / 415.6 seconds (~7 minutes) Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 16

17. Additional randomness needed ௥ՃͷϥϯμϜωε͕ඞཁ Kenji Rikitake / Builderscon Tokyo 2018

    7-SEP-2018 17

18. Why? Because: Security depends on unpredictability Secure operations consume randomness

    Availability of randomness is limited ηΩϡϦςΟ͸༧ଌෆೳੑʹґଘ͍ͯ͠Δ ҆શͳॲཧ͸ϥϯμϜωεΛফඅ͢Δ ࢖͑ΔϥϯμϜωε͸༗ݶ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 18

19. Physical randomness source ෺ཧతͳϥϯμϜωεݯ • Thermal noise / ೤ࡶԻ •

    Avalanche noise of semiconductor junctions / ൒ಋ ମ઀߹෦ͷͳͩΕ߱෬ࡶԻ • Timing jitter of oscillation circuits / ൃৼճ࿏ͷλ Πϛϯάͷ༳Ε Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 19

20. Physical random number generator with Arduino UNO Displayed at Maker

    Faire Tokyo 2016 This implementation is working as a dice: generating numbers of 1~6 / αΠίϩಉ༷ʹ1͔Β6· Ͱͷ਺ࣈΛੜ੒͢Δ Generating ~10kbytes/sec Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 20

21. Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 21

22. Infinity Noise TRNG • Thermal noise based • USD35/device •

    Public domain, no patent • No MCU on the device / σόΠ ε͸MCUΛ࣋ͨͳ͍ • ~40Kbytes/sec Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 22

23. Infinity Noise TRNG schematics FTDI bitbang I/O controls the noise

    amplifier Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 23

24. How to inject external randomness to the operating systems •

    Linux: random(4) ioctl() of RNDGETENTCNT, RNDADDENTROPY (User accessible) • FreeBSD: random_harvest(9) (Accessible from kernel modules only, device driver needed) • Other proprietary OSes: unable to find the same functions / ͦͷଞͷಠࣗOSͰ͸֎෦͔ΒϥϯμϜ ωεΛ஫ೖͰ͖ͳ͍ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 24

25. Whitening for uniform distribution • Cryptographically strong hash functions are

    used in the whitening • Whitening is implemented in the driver or the post- processing software • ҉߸Խϋογϡؔ਺Λద༻͠ ͯग़ྗͷ෼෍ΛҰ༷Խ͢Δॲ ཧʢϗϫΠτχϯάʣ͕ඞཁ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 25

26. How whitening works on Infinity Noise TRNG Kenji Rikitake /

    Builderscon Tokyo 2018 7-SEP-2018 26

27. How much randomness is enough? • USD <100 generator: >

    ~10kbytes/sec, more than sufficient for an active server • If you generate a lot of keys/passwords, consider dedicated generator of Mbps or Gbps class (they exist but expensive) • ϋʔυ΢ΣΞੜ੒ث͕͋Ε͹~10kόΠτ/ඵҎ্ʢ௨ৗ ͷӡ༻ʹ͸े෼ʣ • ຊؾͰେྔʹ伴΍ύεϫʔυΛੜ੒͢ΔͳΒઐ༻ͷ෺ ཧཚ਺ੜ੒ثΛಋೖ͢΂͠ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 27

28. Experimental systems in our office • FreeBSD 11 with Infinity

    Noise TRNG • https://github.com/jj1bdx/infnoise-freebsd • https://github.com/jj1bdx/freebsd-dev-trng • Ubuntu 18.04 with Infinity Noise TRNG • https://github.com/jj1bdx/infnoise-linux • Infinity Noise TRNG on Windows 10 also works • https://github.com/jj1bdx/infnoise-windows Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 28

29. Summary/·ͱΊ • Good randomness is hard to obtain • External

    physical random number generator is essential for secure operation • Do not invent your own methods • ྑ͍ϥϯμϜωεΛಘΔͷ͸೉͍͠ • ҆શͳӡ༻ʹ͸֎෦ͷ෺ཧཚ਺૷ஔ͕ෆՄܽ • ࣗݾྲྀͰ΍Βͳ͍ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 29

30. Other references • Presentation slide repository • Arduino UNO TRNG:

    avrhwrng • Crowd Supply product page of Infinity Noise TRNG • Infinity Noise TRNG (with the schematics) • Fifteen Ways to Leave Your Random Module (Erlang User Conference 2016) • ٙࣅཚ਺ͷ࡞Γํɾ࢖͍ํ ήʔϜ͔Β৘ใηΩϡϦ ςΟ·Ͱ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 30

31. Acknowledgment This presentation is supported by Pepabo R&D Institute, GMO

    Pepabo, Inc. ͜ͷߨԋ͸GMOϖύϘגࣜձࣾ ϖύϘݚڀॴͷ͝ࢧԉͰ࣮ݱ͠ ·ͨ͠ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 31

32. Thanks Questions? Give the feedback please; use the QR code

    on your name card ϑΟʔυόοΫΛ͓Ͷ͕͍͠·͢ / ωʔϜΧʔυͷQRίʔυΛ࢖͍ͬͯͩ͘͞ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 32