Pragmatic Crypto #1

Transcript

1. Pragmatic crypto #1: random numbers Marek Majkowski

2. DIYOC • “Don't invent your own crypto.” • "Anyone can

   invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break." - Schneider

3. ToC • Random numbers • Pseudo Random Generators (PRG) •

   Cryptographically Secure PRG (CS-PRG) • Sources of entropy • Hashing • Traditional hashing • Cryptographically Secure Hashing • Message Authentication Code • Key Derivation Functions • Side Channel Attacks

4. Real world bug

5. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug From today (30.12.2005) new password

   policy is going to be used: ◦ Password must contain eight or more characters ◦ Password must not contain username or any part of it ◦ Password should contain characters from three of four specified categories: 1.Small letters [a-z] 2.Capital letters [A-Z] 3.Digits [0-9] 4.Special characters: [!#$%^&*()_+{}:";'<>,.?]

6. Assignment #0 [+] Your task is to guess my super

   secure, completely unpredictable password: https://pragmaticcrypto.herokuapp.com/exercise0/ https://github.com/majek/web4crypto

7. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 828 = 2014 *

   1012 Constrains 828 ~ 1900 * 1012

8. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

9. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1

   4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 Σ = 3.656 * 1012

10. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1

    4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 75% Σ = 1.311 * 1012

11. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains

    1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012

12. PRG

13. PRG

14. PRG 0 1 0 1 1 0 0 1 1

    0 0 1 1 1 0 0 1 1 0 1 f(state) state value
15. None

16. random.random() C, Java, VB LCG Python, Ruby, PHP Mersenne Twister

    Javascript* Marsaglia’s MWC DVD, GSM, Bluetooth LFSR • https://en.wikipedia.org/wiki/Linear_congruential_generator • https://en.wikipedia.org/wiki/Multiply-with-carry

17. Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

18. Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

19. Assignment #1 [ ] This is my PRNG code: def

    _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] See - my PRNG is initialized using super secure seed! [ ] First value of the PRNG is: 123456 [+] Your task is to predict the second value of my LCG PRNG: https://pragmaticcrypto.herokuapp.com/exercise1/

20. • http://www.smogon.com/forums/group.php?do=discuss&gmid=1699 Assignment #2* https://pragmaticcrypto.herokuapp.com/exercise2/ [ ] This is my

    PRNG code: def _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] Second value of the PRNG is: 12345 [+] Your task is to recover the first value of my LCG PRNG:

21. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

22. • http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

23. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html • http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 *

    1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 232 = 4294 * 106

24. Real world bug • http://www.trusteer.com/files/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf • CVE-2010-3804

25. • http://www.strongpasswordgenerator.com/ Real world bug

26. CS-PRG

27. CS-PRG • OpenSSL.RAND_bytes(num) • RC4 • Salsa20 • Sosemanuk •

    http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf

28. CS-PRG Language Method State size C, Java, VB LCG 32

    Python Mersenne Twister 32 DVD; GSM; Bluetooth LFSR 40 OpenSSL.RAND_bytes unnamed 8192 RC4 1024 Salsa 20 128 or 256 Sosemanuk 128 or 256 • http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf • http://src.gnu-darwin.org/src/crypto/openssl/crypto/rand/md_rand.c.html

29. Entropy • https://en.wikipedia.org/wiki/Entropy_(computing)

30. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

31. • http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

32. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

33. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

34. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains

    1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 24*60*60*1000 = 86.4 * 106

35. • Random seed?

36. • http://hg.python.org/cpython/file/3.2/Lib/random.py#l111 Assignment #3 [ ] 29777 seconds ago I

    generated a password. [ ] You will never crack it! [ ] Oh, I used python random module, and I initialized the [ ] seed like python does on some platforms: random.seed(int(time.time() * 256)) [ ] The password was generated like that: secret = ''.join(random.choice(string.ascii_letters) for i in range(12)) [+] Your task is to guess the password: https://pragmaticcrypto.herokuapp.com/exercise3/

37. Entropy • Geiger counter • http://www.ciphergoth.org/crypto/unbiasing/

38. Entropy • Hardware Random Number Generator • /dev/random • /dev/urandom

    • Intel RdRand • https://en.wikipedia.org/wiki/Entropy_(computing) • https://en.wikipedia.org/wiki/RdRand • http://en.wikipedia.org/wiki/Hardware_random_number_generator • http://www.ciphergoth.org/crypto/unbiasing/

39. Real world bug • http://research.swtch.com/openssl • http://www.digitaloffense.net/tools/debian-openssl/

40. Real world bug • 29c3 talk http://www.youtube.com/watch?v=IuSnY_O8DqQ

41. Real world bug • http://seclists.org/fulldisclosure/2003/Aug/824

42. Real world bug • http://eprint.iacr.org/2006/086.pdf

43. Conclusion • Never use built-in “Math.random()” • It’s (almost) always

    predictable • CS-PRG are rarely built-in • Must be seeded with good entropy • Testing entropy sources is hard

44. • http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 * 1012 Constrains

    1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 86.4 * 106 Seed and PRNG 64 * 103

45. Real world bug Intention 2014 * 1012 50.8 Constrains 1900

    * 1012 50.7 Weak algo 100% 3.656 * 1012 41.7 Weak algo 75% 1.311 * 1012 40.2 Weak PRNG 4294 * 106 32 Weak seed 86.4 * 106 26 Seed and PRNG 64 * 103 16