Pragmatic crypto #1: random numbers Marek Majkowski

DIYOC • “Don't invent your own crypto.” • "Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break." - Schneider

ToC • Random numbers • Pseudo Random Generators (PRG) • Cryptographically Secure PRG (CS-PRG) • Sources of entropy • Hashing • Traditional hashing • Cryptographically Secure Hashing • Message Authentication Code • Key Derivation Functions • Side Channel Attacks

Real world bug

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug From today (30.12.2005) new password policy is going to be used: ◦ Password must contain eight or more characters ◦ Password must not contain username or any part of it ◦ Password should contain characters from three of four specified categories: 1.Small letters [a-z] 2.Capital letters [A-Z] 3.Digits [0-9] 4.Special characters: [!#$%^&*()_+{}:";'<>,.?]

Assignment #0 [+] Your task is to guess my super secure, completely unpredictable password: https://pragmaticcrypto.herokuapp.com/exercise0/ https://github.com/majek/web4crypto

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 828 = 2014 * 1012 Constrains 828 ~ 1900 * 1012

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1 4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 Σ = 3.656 * 1012

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug No Letters Digits Special 1 4 2 2 504 * 102 * 152 = 0.140 * 1012 2 5 2 1 505 * 102 * 151 = 0.468 * 1012 3 5 1 2 505 * 101 * 152 = 0.703 * 1012 4 6 1 1 506 * 101 * 151 = 2.243 * 1012 75% Σ = 1.311 * 1012

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012

PRG

PRG

PRG 0 1 0 1 1 0 0 1 1 0 0 1 1 1 0 0 1 1 0 1 f(state) state value

No content

random.random() C, Java, VB LCG Python, Ruby, PHP Mersenne Twister Javascript* Marsaglia’s MWC DVD, GSM, Bluetooth LFSR • https://en.wikipedia.org/wiki/Linear_congruential_generator • https://en.wikipedia.org/wiki/Multiply-with-carry

Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

Linear Congruential Generator • https://en.wikipedia.org/wiki/Linear_congruential_generator

Assignment #1 [ ] This is my PRNG code: def _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] See - my PRNG is initialized using super secure seed! [ ] First value of the PRNG is: 123456 [+] Your task is to predict the second value of my LCG PRNG: https://pragmaticcrypto.herokuapp.com/exercise1/

• http://www.smogon.com/forums/group.php?do=discuss&gmid=1699 Assignment #2* https://pragmaticcrypto.herokuapp.com/exercise2/ [ ] This is my PRNG code: def _lcg(state): return (1103515245*state + 12345) % (2**31) def lcg_generator(seed): state = seed while True: state = _lcg(state) yield state with open('/dev/urandom', 'rb') as f: seed, = struct.unpack('I', f.read(4)) gen = lcg_generator(seed) [ ] Second value of the PRNG is: 12345 [+] Your task is to recover the first value of my LCG PRNG:

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

• http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html • http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 232 = 4294 * 106

Real world bug • http://www.trusteer.com/files/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf • CVE-2010-3804

• http://www.strongpasswordgenerator.com/ Real world bug

CS-PRG

CS-PRG • OpenSSL.RAND_bytes(num) • RC4 • Salsa20 • Sosemanuk • http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf

CS-PRG Language Method State size C, Java, VB LCG 32 Python Mersenne Twister 32 DVD; GSM; Bluetooth LFSR 40 OpenSSL.RAND_bytes unnamed 8192 RC4 1024 Salsa 20 128 or 256 Sosemanuk 128 or 256 • http://spark-university.s3.amazonaws.com/stanford-crypto/slides/02-stream-v2-annotated.pdf • http://src.gnu-darwin.org/src/crypto/openssl/crypto/rand/md_rand.c.html

Entropy • https://en.wikipedia.org/wiki/Entropy_(computing)

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

• http://msdn.microsoft.com/en-us/library/f7s023d2(v=vs.80).aspx Real world bug

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug

• http://blogger.popcnt.org/2007/08/how-bad-password-generator-can-ruin.html Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 24*60*60*1000 = 86.4 * 106

• Random seed?

• http://hg.python.org/cpython/file/3.2/Lib/random.py#l111 Assignment #3 [ ] 29777 seconds ago I generated a password. [ ] You will never crack it! [ ] Oh, I used python random module, and I initialized the [ ] seed like python does on some platforms: random.seed(int(time.time() * 256)) [ ] The password was generated like that: secret = ''.join(random.choice(string.ascii_letters) for i in range(12)) [+] Your task is to guess the password: https://pragmaticcrypto.herokuapp.com/exercise3/

Entropy • Geiger counter • http://www.ciphergoth.org/crypto/unbiasing/

Entropy • Hardware Random Number Generator • /dev/random • /dev/urandom • Intel RdRand • https://en.wikipedia.org/wiki/Entropy_(computing) • https://en.wikipedia.org/wiki/RdRand • http://en.wikipedia.org/wiki/Hardware_random_number_generator • http://www.ciphergoth.org/crypto/unbiasing/

Real world bug • http://research.swtch.com/openssl • http://www.digitaloffense.net/tools/debian-openssl/

Real world bug • 29c3 talk http://www.youtube.com/watch?v=IuSnY_O8DqQ

Real world bug • http://seclists.org/fulldisclosure/2003/Aug/824

Real world bug • http://eprint.iacr.org/2006/086.pdf

Conclusion • Never use built-in “Math.random()” • It’s (almost) always predictable • CS-PRG are rarely built-in • Must be seeded with good entropy • Testing entropy sources is hard

• http://web.archive.org/web/20110430001326/http://15seconds.com/issue/051110.htm Real world bug Intention 2014 * 1012 Constrains 1900 * 1012 Weak algo 100% 3.656 * 1012 Weak algo 75% 1.311 * 1012 Weak PRNG 4294 * 106 Weak seed 86.4 * 106 Seed and PRNG 64 * 103

Real world bug Intention 2014 * 1012 50.8 Constrains 1900 * 1012 50.7 Weak algo 100% 3.656 * 1012 41.7 Weak algo 75% 1.311 * 1012 40.2 Weak PRNG 4294 * 106 32 Weak seed 86.4 * 106 26 Seed and PRNG 64 * 103 16