Safe randomness: theory and practice

by Kenji Rikitake

Slide 1

Slide 1 text

Safe randomness: theory and practice ҆શͳϥϯμϜωεͷཧ࿦ͱ࣮ફ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 1

Slide 2

Slide 2 text

Kenji Rikitake Γ͖͚ͨ ͚Μ͡ 7-SEP-2018 Builderscon Tokyo 2018 Kyoseikan, Keio University Yokohama City, Kanagawa, Japan @jj1bdx Copyright ©2018 Kenji Rikitake. This work is licensed under a Creative Commons Attribution 4.0 International License. Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 2

Slide 3

Slide 3 text

In this talk I'm going to talk about Randomness ͜ͷൃදͰ͸ϥϯμϜωεʹ͍ͭͯ࿩͠·͢ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 3

Slide 4

Slide 4 text

What is randomness? ... unpredictability ϥϯμϜωεͱ͸༧ଌෆೳੑͷ͜ͱͰ͢ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 4

Slide 5

Slide 5 text

Randomness is essential for secure operation ϥϯμϜωε͸҆શͳӡ༻ʹෆՄܽͰ͢ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 5

Slide 6

Slide 6 text

When randomness needed ϥϯμϜωε͕ඞཁͳ࣌ • Password/key generation / ύεϫʔυ΍伴ͷੜ੒ • Timing obfuscation / ॲཧ࣌ؒΛӅ͢ • Using multiple resources equally but unpredictably / ෳ਺ͷࢿݯΛಉ͡Α͏ʹɺ͔͠͠ ༧ଌ͞Εͳ͍Α͏ʹ࢖͍͍ͨ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 6

Slide 7

Slide 7 text

In algorithm, randomness is represented as: Random numbers ΞϧΰϦζϜͰͷϥϯμϜωε͸ ཚ਺ ʹΑͬͯදݱ͠·͢ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 7

Slide 8

Slide 8 text

My works on random numbers ཚ਺ʹ͍ͭͯԿΛ΍͖͔ͬͯͨ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 8

Slide 9

Slide 9 text

Software contribution to Erlang/OTP • Improve the random number algorithms • ཚ਺ΞϧΰϦζϜͷվળ • Erlang/OTP rand module • SFMT for Erlang/OTP • TinyMT calculation of 256M keys Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 9

Slide 10

Slide 10 text

Bad algorithm example (JS V8) Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 10

Slide 11

Slide 11 text

Legacy Erlang/OTP random module • A 1980s algorithm called AS183 • Can be fully scanned in 8 hours • Became a security issue - deprecated since OTP 19 (June 2016) • 8࣌ؒͰશ਺ݕࡧͰ͖ͯ͠·͏ • ηΩϡϦςΟ໰୊ʹͳΓOTPόʔδϣϯ19ʢ2016 ೥6݄ʣΑΓඇਪ঑ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 11

Slide 12

Slide 12 text

... And hardware contribution because software is not enough ιϑτ͚ͩͰ͸ෆे෼ͳͷͰϋʔυ΋΍ͬͯ·͢ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 12

Slide 13

Slide 13 text

Why hardware? • Randomness is hard to find in a computer • Computers are programmed and predictive machines; finding randomness inside computers is extremely difficult • ίϯϐϡʔλͷதʹϥϯμϜωεΛݟ͚ͭΔͷ͸೉͍͠ • ίϯϐϡʔλ͸ϓϩάϥϜ͞Εͨ௨Γʹɺ༧૝௨Γʹ ಈ͘ˠίϯϐϡʔλͷதͰϥϯμϜωεΛݟ͚ͭΔͷ͸ ඇৗʹ೉͍͠ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 13

Slide 14

Slide 14 text

Randomness sources in a computer • CPU clock jitter / CPUΫϩοΫͷ༳Ε • Keyboard timing / ΩʔϘʔυଧ伴ͷλΠϛϯά • Network packet timing / ύέοτͷλΠϛϯά • Storage seeking timing / ετϨʔδͷλΠϛϯά • ... Those sources do not give much randomness • … ͜ΕΒͷιʔε͔ΒಘΒΕΔϥϯμϜωε͸গྔ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 14

Slide 15

Slide 15 text

Randomness processing ﬂow Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 15

Slide 16

Slide 16 text

Little randomness available in a system γεςϜͷத͔Β͸ϥϯμϜωε͸গ͔͠͠ಘΒΕͳ͍ A result: only ~0.62bit/sec • A dormant Linux server without attached keyboard • /proc/sys/kernel/random/entropy_avail • Bits of entropy (= randomness) in the system • 258 bits / 415.6 seconds (~7 minutes) Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 16

Slide 17

Slide 17 text

Additional randomness needed ௥ՃͷϥϯμϜωε͕ඞཁ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 17

Slide 18

Slide 18 text

Why? Because: Security depends on unpredictability Secure operations consume randomness Availability of randomness is limited ηΩϡϦςΟ͸༧ଌෆೳੑʹґଘ͍ͯ͠Δ ҆શͳॲཧ͸ϥϯμϜωεΛফඅ͢Δ ࢖͑ΔϥϯμϜωε͸༗ݶ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 18

Slide 19

Slide 19 text

Physical randomness source ෺ཧతͳϥϯμϜωεݯ • Thermal noise / ೤ࡶԻ • Avalanche noise of semiconductor junctions / ൒ಋ ମ઀߹෦ͷͳͩΕ߱෬ࡶԻ • Timing jitter of oscillation circuits / ൃৼճ࿏ͷλ Πϛϯάͷ༳Ε Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 19

Slide 20

Slide 20 text

Physical random number generator with Arduino UNO Displayed at Maker Faire Tokyo 2016 This implementation is working as a dice: generating numbers of 1~6 / αΠίϩಉ༷ʹ1͔Β6· Ͱͷ਺ࣈΛੜ੒͢Δ Generating ~10kbytes/sec Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 20

Slide 21

Slide 21 text

Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 21

Slide 22

Slide 22 text

Inﬁnity Noise TRNG • Thermal noise based • USD35/device • Public domain, no patent • No MCU on the device / σόΠ ε͸MCUΛ࣋ͨͳ͍ • ~40Kbytes/sec Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 22

Slide 23

Slide 23 text

Inﬁnity Noise TRNG schematics FTDI bitbang I/O controls the noise ampliﬁer Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 23

Slide 24

Slide 24 text

How to inject external randomness to the operating systems • Linux: random(4) ioctl() of RNDGETENTCNT, RNDADDENTROPY (User accessible) • FreeBSD: random_harvest(9) (Accessible from kernel modules only, device driver needed) • Other proprietary OSes: unable to ﬁnd the same functions / ͦͷଞͷಠࣗOSͰ͸֎෦͔ΒϥϯμϜ ωεΛ஫ೖͰ͖ͳ͍ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 24

Slide 25

Slide 25 text

Whitening for uniform distribution • Cryptographically strong hash functions are used in the whitening • Whitening is implemented in the driver or the post- processing software • ҉߸Խϋογϡؔ਺Λద༻͠ ͯग़ྗͷ෼෍ΛҰ༷Խ͢Δॲ ཧʢϗϫΠτχϯάʣ͕ඞཁ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 25

Slide 26

Slide 26 text

How whitening works on Inﬁnity Noise TRNG Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 26

Slide 27

Slide 27 text

How much randomness is enough? • USD <100 generator: > ~10kbytes/sec, more than sufﬁcient for an active server • If you generate a lot of keys/passwords, consider dedicated generator of Mbps or Gbps class (they exist but expensive) • ϋʔυ΢ΣΞੜ੒ث͕͋Ε͹~10kόΠτ/ඵҎ্ʢ௨ৗ ͷӡ༻ʹ͸े෼ʣ • ຊؾͰେྔʹ伴΍ύεϫʔυΛੜ੒͢ΔͳΒઐ༻ͷ෺ ཧཚ਺ੜ੒ثΛಋೖ͢΂͠ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 27

Slide 28

Slide 28 text

Experimental systems in our office • FreeBSD 11 with Infinity Noise TRNG • https://github.com/jj1bdx/infnoise-freebsd • https://github.com/jj1bdx/freebsd-dev-trng • Ubuntu 18.04 with Infinity Noise TRNG • https://github.com/jj1bdx/infnoise-linux • Infinity Noise TRNG on Windows 10 also works • https://github.com/jj1bdx/infnoise-windows Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 28

Slide 29

Slide 29 text

Summary/·ͱΊ • Good randomness is hard to obtain • External physical random number generator is essential for secure operation • Do not invent your own methods • ྑ͍ϥϯμϜωεΛಘΔͷ͸೉͍͠ • ҆શͳӡ༻ʹ͸֎෦ͷ෺ཧཚ਺૷ஔ͕ෆՄܽ • ࣗݾྲྀͰ΍Βͳ͍ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 29

Slide 30

Slide 30 text

Other references • Presentation slide repository • Arduino UNO TRNG: avrhwrng • Crowd Supply product page of Inﬁnity Noise TRNG • Inﬁnity Noise TRNG (with the schematics) • Fifteen Ways to Leave Your Random Module (Erlang User Conference 2016) • ٙࣅཚ਺ͷ࡞Γํɾ࢖͍ํ ήʔϜ͔Β৘ใηΩϡϦ ςΟ·Ͱ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 30

Slide 31

Slide 31 text

Acknowledgment This presentation is supported by Pepabo R&D Institute, GMO Pepabo, Inc. ͜ͷߨԋ͸GMOϖύϘגࣜձࣾ ϖύϘݚڀॴͷ͝ࢧԉͰ࣮ݱ͠ ·ͨ͠ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 31

Slide 32

Slide 32 text

Thanks Questions? Give the feedback please; use the QR code on your name card ϑΟʔυόοΫΛ͓Ͷ͕͍͠·͢ / ωʔϜΧʔυͷQRίʔυΛ࢖͍ͬͯͩ͘͞ Kenji Rikitake / Builderscon Tokyo 2018 7-SEP-2018 32