Pragmatic Crypto #1

D4e1d473a995ef37b3e03e9e6006c3e3?s=47 majek04
March 13, 2013

Pragmatic Crypto #1

Pragmatic crypto seminar part 1

D4e1d473a995ef37b3e03e9e6006c3e3?s=128

majek04

March 13, 2013
Tweet

Transcript

  1. Pragmatic crypto #1: random numbers Marek Majkowski

  2. DIYOC • “Don't invent your own crypto.” • "Anyone can

    invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break." - Schneider
  3. ToC • Random numbers • Pseudo Random Generators (PRG) •

    Cryptographically Secure PRG (CS-PRG) • Sources of entropy • Hashing • Traditional hashing • Cryptographically Secure Hashing • Message Authentication Code • Key Derivation Functions • Side Channel Attacks
  4. Real world bug

  5. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug From today (30.12.2005) new password

    policy is going to be used: ◦ Password must contain eight or more characters ◦ Password must not contain username or any part of it ◦ Password should contain characters from three of four specified categories: 1.Small letters [a-z] 2.Capital letters [A-Z] 3.Digits [0-9] 4.Special characters: [!#$%^&*()_+{}:";'<>,.?]
  6. Assignment #0 [+] Your task is to guess my super

    secure, completely unpredictable password: https://pragmaticcrypto.herokuapp.com/exercise0/ https://github.com/majek/web4crypto
  7. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 828 = 2014 *

    1012 Constrains 828 ~ 1900 * 1012
  8. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

  9. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1

    4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 Σ = 3.656 * 1012
  10. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1

    4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 75% Σ = 1.311 * 1012
  11. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains

    1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012
  12. PRG

  13. PRG

  14. PRG 0 1 0 1 1 0 0 1 1

    0 0 1 1 1 0 0 1 1 0 1 f(state) state value
  15. None
  16. random.random() C, Java, VB LCG Python, Ruby, PHP Mersenne Twister

    Javascript* Marsaglia’s MWC DVD, GSM, Bluetooth LFSR • https://en.wikipedia.org/wiki/Linear_congruential_generator • https://en.wikipedia.org/wiki/Multiply-with-carry
  17. Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

  18. Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

  19. Assignment #1 [ ] This is my PRNG code: def

    _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] See - my PRNG is initialized using super secure seed! [ ] First value of the PRNG is: 123456 [+] Your task is to predict the second value of my LCG PRNG: https://pragmaticcrypto.herokuapp.com/exercise1/
  20. • http://www.smogon.com/forums/group.php?do=discuss&gmid=1699 Assignment #2* https://pragmaticcrypto.herokuapp.com/exercise2/ [ ] This is my

    PRNG code: def _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] Second value of the PRNG is: 12345 [+] Your task is to recover the first value of my LCG PRNG:
  21. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

  22. • http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

  23. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html • http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 *

    1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 232 = 4294 * 106
  24. Real world bug • http://www.trusteer.com/files/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf • CVE-2010-3804

  25. • http://www.strongpasswordgenerator.com/ Real world bug

  26. CS-PRG

  27. CS-PRG • OpenSSL.RAND_bytes(num) • RC4 • Salsa20 • Sosemanuk •

    http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf
  28. CS-PRG Language Method State size C, Java, VB LCG 32

    Python Mersenne Twister 32 DVD; GSM; Bluetooth LFSR 40 OpenSSL.RAND_bytes unnamed 8192 RC4 1024 Salsa 20 128 or 256 Sosemanuk 128 or 256 • http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf • http://src.gnu-darwin.org/src/crypto/openssl/crypto/rand/md_rand.c.html
  29. Entropy • https://en.wikipedia.org/wiki/Entropy_(computing)

  30. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

  31. • http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

  32. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

  33. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

  34. • http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains

    1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 24*60*60*1000 = 86.4 * 106
  35. • Random seed?

  36. • http://hg.python.org/cpython/file/3.2/Lib/random.py#l111 Assignment #3 [ ] 29777 seconds ago I

    generated a password. [ ] You will never crack it! [ ] Oh, I used python random module, and I initialized the [ ] seed like python does on some platforms: random.seed(int(time.time() * 256)) [ ] The password was generated like that: secret = ''.join(random.choice(string.ascii_letters) for i in range(12)) [+] Your task is to guess the password: https://pragmaticcrypto.herokuapp.com/exercise3/
  37. Entropy • Geiger counter • http://www.ciphergoth.org/crypto/unbiasing/

  38. Entropy • Hardware Random Number Generator • /dev/random • /dev/urandom

    • Intel RdRand • https://en.wikipedia.org/wiki/Entropy_(computing) • https://en.wikipedia.org/wiki/RdRand • http://en.wikipedia.org/wiki/Hardware_random_number_generator • http://www.ciphergoth.org/crypto/unbiasing/
  39. Real world bug • http://research.swtch.com/openssl • http://www.digitaloffense.net/tools/debian-openssl/

  40. Real world bug • 29c3 talk http://www.youtube.com/watch?v=IuSnY_O8DqQ

  41. Real world bug • http://seclists.org/fulldisclosure/2003/Aug/824

  42. Real world bug • http://eprint.iacr.org/2006/086.pdf

  43. Conclusion • Never use built-in “Math.random()” • It’s (almost) always

    predictable • CS-PRG are rarely built-in • Must be seeded with good entropy • Testing entropy sources is hard
  44. • http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 * 1012 Constrains

    1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 86.4 * 106 Seed and PRNG 64 * 103
  45. Real world bug Intention 2014 * 1012 50.8 Constrains 1900

    * 1012 50.7 Weak algo 100% 3.656 * 1012 41.7 Weak algo 75% 1.311 * 1012 40.2 Weak PRNG 4294 * 106 32 Weak seed 86.4 * 106 26 Seed and PRNG 64 * 103 16