Slide 1

Slide 1 text

Pragmatic crypto #1: random numbers Marek Majkowski

Slide 2

Slide 2 text

DIYOC • “Don't invent your own crypto.” • "Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break." - Schneider

Slide 3

Slide 3 text

ToC • Random numbers • Pseudo Random Generators (PRG) • Cryptographically Secure PRG (CS-PRG) • Sources of entropy • Hashing • Traditional hashing • Cryptographically Secure Hashing • Message Authentication Code • Key Derivation Functions • Side Channel Attacks

Slide 4

Slide 4 text

Real world bug

Slide 5

Slide 5 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug From today (30.12.2005) new password policy is going to be used: ◦ Password must contain eight or more characters ◦ Password must not contain username or any part of it ◦ Password should contain characters from three of four specified categories: 1.Small letters [a-z] 2.Capital letters [A-Z] 3.Digits [0-9] 4.Special characters: [!#$%^&*()_+{}:";'<>,.?]

Slide 6

Slide 6 text

Assignment #0 [+] Your task is to guess my super secure, completely unpredictable password: https://pragmaticcrypto.herokuapp.com/exercise0/ https://github.com/majek/web4crypto

Slide 7

Slide 7 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 828 = 2014 * 1012 Constrains 828 ~ 1900 * 1012

Slide 8

Slide 8 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

Slide 9

Slide 9 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1 4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 Σ = 3.656 * 1012

Slide 10

Slide 10 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1 4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 75% Σ = 1.311 * 1012

Slide 11

Slide 11 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012

Slide 12

Slide 12 text

PRG

Slide 13

Slide 13 text

PRG

Slide 14

Slide 14 text

PRG 0 1 0 1 1 0 0 1 1 0 0 1 1 1 0 0 1 1 0 1 f(state) state value

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

random.random() C, Java, VB LCG Python, Ruby, PHP Mersenne Twister Javascript* Marsaglia’s MWC DVD, GSM, Bluetooth LFSR • https://en.wikipedia.org/wiki/Linear_congruential_generator • https://en.wikipedia.org/wiki/Multiply-with-carry

Slide 17

Slide 17 text

Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

Slide 18

Slide 18 text

Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

Slide 19

Slide 19 text

Assignment #1 [ ] This is my PRNG code: def _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] See - my PRNG is initialized using super secure seed! [ ] First value of the PRNG is: 123456 [+] Your task is to predict the second value of my LCG PRNG: https://pragmaticcrypto.herokuapp.com/exercise1/

Slide 20

Slide 20 text

• http://www.smogon.com/forums/group.php?do=discuss&gmid=1699 Assignment #2* https://pragmaticcrypto.herokuapp.com/exercise2/ [ ] This is my PRNG code: def _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] Second value of the PRNG is: 12345 [+] Your task is to recover the first value of my LCG PRNG:

Slide 21

Slide 21 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

Slide 22

Slide 22 text

• http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

Slide 23

Slide 23 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html • http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 232 = 4294 * 106

Slide 24

Slide 24 text

Real world bug • http://www.trusteer.com/files/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf • CVE-2010-3804

Slide 25

Slide 25 text

• http://www.strongpasswordgenerator.com/ Real world bug

Slide 26

Slide 26 text

CS-PRG

Slide 27

Slide 27 text

CS-PRG • OpenSSL.RAND_bytes(num) • RC4 • Salsa20 • Sosemanuk • http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf

Slide 28

Slide 28 text

CS-PRG Language Method State size C, Java, VB LCG 32 Python Mersenne Twister 32 DVD; GSM; Bluetooth LFSR 40 OpenSSL.RAND_bytes unnamed 8192 RC4 1024 Salsa 20 128 or 256 Sosemanuk 128 or 256 • http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf • http://src.gnu-darwin.org/src/crypto/openssl/crypto/rand/md_rand.c.html

Slide 29

Slide 29 text

Entropy • https://en.wikipedia.org/wiki/Entropy_(computing)

Slide 30

Slide 30 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

Slide 31

Slide 31 text

• http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

Slide 32

Slide 32 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

Slide 33

Slide 33 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

Slide 34

Slide 34 text

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 24*60*60*1000 = 86.4 * 106

Slide 35

Slide 35 text

• Random seed?

Slide 36

Slide 36 text

• http://hg.python.org/cpython/file/3.2/Lib/random.py#l111 Assignment #3 [ ] 29777 seconds ago I generated a password. [ ] You will never crack it! [ ] Oh, I used python random module, and I initialized the [ ] seed like python does on some platforms: random.seed(int(time.time() * 256)) [ ] The password was generated like that: secret = ''.join(random.choice(string.ascii_letters) for i in range(12)) [+] Your task is to guess the password: https://pragmaticcrypto.herokuapp.com/exercise3/

Slide 37

Slide 37 text

Entropy • Geiger counter • http://www.ciphergoth.org/crypto/unbiasing/

Slide 38

Slide 38 text

Entropy • Hardware Random Number Generator • /dev/random • /dev/urandom • Intel RdRand • https://en.wikipedia.org/wiki/Entropy_(computing) • https://en.wikipedia.org/wiki/RdRand • http://en.wikipedia.org/wiki/Hardware_random_number_generator • http://www.ciphergoth.org/crypto/unbiasing/

Slide 39

Slide 39 text

Real world bug • http://research.swtch.com/openssl • http://www.digitaloffense.net/tools/debian-openssl/

Slide 40

Slide 40 text

Real world bug • 29c3 talk http://www.youtube.com/watch?v=IuSnY_O8DqQ

Slide 41

Slide 41 text

Real world bug • http://seclists.org/fulldisclosure/2003/Aug/824

Slide 42

Slide 42 text

Real world bug • http://eprint.iacr.org/2006/086.pdf

Slide 43

Slide 43 text

Conclusion • Never use built-in “Math.random()” • It’s (almost) always predictable • CS-PRG are rarely built-in • Must be seeded with good entropy • Testing entropy sources is hard

Slide 44

Slide 44 text

• http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 86.4 * 106 Seed and PRNG 64 * 103

Slide 45

Slide 45 text

Real world bug Intention 2014 * 1012 50.8 Constrains 1900 * 1012 50.7 Weak algo 100% 3.656 * 1012 41.7 Weak algo 75% 1.311 * 1012 40.2 Weak PRNG 4294 * 106 32 Weak seed 86.4 * 106 26 Seed and PRNG 64 * 103 16