Let's Get Random - Under The Hood of PHP 7's CSPRNG - php[tek] 2018

Transcript

1. joind.in/talk/d4f3a @SammyK #phptek PHP[TEK] 2018 Wifi: Sheraton Conference Pass: phptek2018

   Twitter: #phptek Rate the Talks https:/ /joind.in/event/phptek-2018

2. Random Under the hood of PHP 7’s Let’s get CSPRNG

   Sammy Kaye Powers 2018-05-31

3. joind.in/talk/d4f3a @SammyK #phptek Thanks to Our Sponsors

4. joind.in/talk/d4f3a @SammyK #phptek Slides Get the joind.in/talk/d4f3a

5. joind.in/talk/d4f3a @SammyK #phptek CSPRNG? What is the PHP 7

6. joind.in/talk/d4f3a @SammyK #phptek random_int() random_bytes()

7. joind.in/talk/d4f3a @SammyK #phptek ext/standard/random.c

8. joind.in/talk/d4f3a @SammyK #phptek The end

9. joind.in/talk/d4f3a @SammyK #phptek Random? What is

10. joind.in/talk/d4f3a @SammyK #phptek

11. joind.in/talk/d4f3a @SammyK #phptek

12. joind.in/talk/d4f3a @SammyK #phptek

13. joind.in/talk/d4f3a @SammyK #phptek Meaning Is there to these “random” things?

14. joind.in/talk/d4f3a @SammyK #phptek Experiment I did an on myself

15. joind.in/talk/d4f3a @SammyK #phptek

16. joind.in/talk/d4f3a @SammyK #phptek 42

17. joind.in/talk/d4f3a @SammyK #phptek

18. joind.in/talk/d4f3a @SammyK #phptek

19. joind.in/talk/d4f3a @SammyK #phptek

20. joind.in/talk/d4f3a @SammyK #phptek

21. joind.in/talk/d4f3a @SammyK #phptek

22. joind.in/talk/d4f3a @SammyK #phptek

23. joind.in/talk/d4f3a @SammyK #phptek

24. joind.in/talk/d4f3a @SammyK #phptek

25. joind.in/talk/d4f3a @SammyK #phptek Every wher

26. joind.in/talk/d4f3a @SammyK #phptek Finish this sentence On the way home

    I got a flat ____. tire

27. joind.in/talk/d4f3a @SammyK #phptek Think of a two-digit number both digits

    different from each other both digits odd between 1 and 100

28. joind.in/talk/d4f3a @SammyK #phptek Are you thinking of… 37

29. joind.in/talk/d4f3a @SammyK #phptek

30. joind.in/talk/d4f3a @SammyK #phptek 11 random? What makes a number

31. joind.in/talk/d4f3a @SammyK #phptek 2, 4, 6, 8, __ 10

32. joind.in/talk/d4f3a @SammyK #phptek 1337, 42, 0, _ ?

33. joind.in/talk/d4f3a @SammyK #phptek 1337, 42, 0, 1337, 42, 0, 1337,

    __ 42

34. joind.in/talk/d4f3a @SammyK #phptek Random? What is isn’t Deterministic

35. joind.in/talk/d4f3a @SammyK #phptek “True” Random Measurement of atmospheric noise Count

    of the number of electrons coming off of a radioactive material
36. None

37. joind.in/talk/d4f3a @SammyK #phptek Can I haz random number?

38. joind.in/talk/d4f3a @SammyK #phptek

39. joind.in/talk/d4f3a @SammyK #phptek

40. joind.in/talk/d4f3a @SammyK #phptek *sigh* Take this. 42

41. joind.in/talk/d4f3a @SammyK #phptek

42. joind.in/talk/d4f3a @SammyK #phptek 0

43. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5,1 ?

44. joind.in/talk/d4f3a @SammyK #phptek Number Generator …or “PRNG” for short Pseudorandom

45. joind.in/talk/d4f3a @SammyK #phptek Pseudorandom? How’s that different than just random?

    Deterministic

46. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5,1 Generator Linear Congruential

47. joind.in/talk/d4f3a @SammyK #phptek Generator Linear Congruential

48. joind.in/talk/d4f3a @SammyK #phptek

49. joind.in/talk/d4f3a @SammyK #phptek The modulus The multiplier The increment The

    seed

50. joind.in/talk/d4f3a @SammyK #phptek

51. joind.in/talk/d4f3a @SammyK #phptek

52. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5,

53. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5, Deterministic

54. joind.in/talk/d4f3a @SammyK #phptek https://xkcd.com/221/

55. joind.in/talk/d4f3a @SammyK #phptek

56. joind.in/talk/d4f3a @SammyK #phptek

57. joind.in/talk/d4f3a @SammyK #phptek 8,7,5, 1,2,

58. joind.in/talk/d4f3a @SammyK #phptek 1,2,4, 8,7, BUT!

59. joind.in/talk/d4f3a @SammyK #phptek

60. 5,1,2,4,8,7,5, 1,2,4,8,7,5,1, 2,4,8,7,5,1,2, 4,8,7,5,1,2,4, 8,7,5,1,2,4,8, 7,5,1,2,4, Predictable

61. joind.in/talk/d4f3a @SammyK #phptek LCG lcg_value() PHP has a combined

62. joind.in/talk/d4f3a @SammyK #phptek PRNG? Is there a better

63. joind.in/talk/d4f3a @SammyK #phptek Twister Mersenne mt_rand()

64. joind.in/talk/d4f3a @SammyK #phptek

65. mt_rand() 724937621,955931554,1407935661,821438740,109344 9922,603009103,1540988686,1028238631,798475733, 1057939018,671583233,1853117923,98760648,112245 3373,534404057,900958085,1712824654,476385742,2 9956470,362833620,424798798,746223917,942003531 ,320462445,673296853,1351199651,141566289,16454 09515,995047403,1216151582,1115999460,175322091 7,1312071810,1553254094,1622498991,2080099801,1 704834715,1537620663,1357630828,1317892558,

    219,937-1

66. joind.in/talk/d4f3a @SammyK #phptek

67. mt_rand(0,99) 83,9,64,28,62,48,83,47,46,53,37,26,21,91,61,32,58,1,89,60,65,97,42,56,6,47,76,1 2,98,11,36,61,62,60,43,67,6,16,73,15,39,38,56,19,66,56,98,72,91,24,57,94,8,26,7 3,55,17,14,84,89,39,11,13,48,71,98,89,63,9,95,74,9,81,85,97,24,14,14,77,22,96,4 3,61,91,61,58,19,71,8,49,18,92,38,34,9,36,91,59,14,4,58,59,29,74,52,41,36,67,82 ,67,11,0,58,51,37,4,45,56,35,50,78,91,27,39,80,27,28,95,2,82,51,72,27,41,43,74, 7,82,59,89,72,9,22,61,75,27,64,16,77,57,31,29,59,47,14,67,89,33,94,33,94,22,11, 62,9,13,61,45,78,29,3,11,99,91,52,79,63,64,43,99,53,22,16,10,53,57,15,84,16,30, 17,10,3,35,0,45,83,11,70,66,37,14,59,41,46,52,53,53,62,56,41,82,40,99,8,92,96,2 2,22,43,35,60,45,77,26,96,45,51,62,77,64,23,52,17,17,97,93,57,43,56,45,62,42,24

    ,62,1,59,38,70,13,34,32,48,47,1,42,48,18,2,59,47,53,10,3,66,68,93,4,53,85,20,77 ,63,43,45,16,15,77,73,89,11,64,76,30,46,91,1,85,96,19,63,70,62,35,58,95,63,38,7 8,83,8,97,22,2,28,51,25,29,98,62,74,59,95,79,74,66,47,35,83,56,49,25,32,25,46,1 3,69,77,30,94,24,31,68,23,64,47,28,33,65,69,16,0,98,37,85,93,60,24,10,54,50,42, 64,11,9,13,15,84,3,23,73,83,83,72,9,2,28,23,90,73,2,47,45,93,4,32,25,75,61,98,7 3,79,66,23,20,83,11,45,67,40,39,45,0,65,40,78,74,8,79,86,38,10,87,60,99,30,35,5 0,16,29,24,19,29,16,40,57,87,26,90,1,63,63,34,44,8,36,25,38,50,10,15,17,14,40,6 ,53,88,18,36,46,69,2,13,0,83,59,92,59,34,34,24,40,99,41,6,79,65,98,9,36,31,8,4, 89,98,91,80,42,10,26,72,40,50,39,25,33,45,24,70,54,89,91,53,23,12,20,40,21,25,5 5,48,11,3,84,42,5,7,21,58,85,18,52,92,94,69,20,49,3,8,55,57,4,38,52,37,64,55,82 ,98,5,75,84,35,14,99,74,23,41,69,55,53,22,52,6,68,35,38,73,52,22,52,86,79,15,38 ,3,20,99,36,23,77,33,80,16,97,54,88,11,77,77,99,70,26,5,75,87,4,23,8,50,79,61,5 5,80,25,58,79,25,56,9,81,6,42,27,90,58,6,62,74,25,79,81,61,23,54,92,53,16,66,22 ,49,77,97,84,25,49,32,49,65,51,1,93,63,68,69,67,10,44,99,44,42,89,35,24, 624 = busted

68. echo mt_rand(0,99); 11

69. echo mt_rand(0,99); 9

70. echo mt_rand(0,99); 60

71. mt_srand(10); echo mt_rand(0,99); 21

72. mt_srand(10); echo mt_rand(0,99); 21

73. mt_srand(10); echo mt_rand(0,99); 21

74. joind.in/talk/d4f3a @SammyK #phptek CSRF Take for example Tokens

75. joind.in/talk/d4f3a @SammyK #phptek Cross-site request forgery (CSRF) tokens help prevent

    unauthorized requests on a user’s behalf.

76. joind.in/talk/d4f3a @SammyK #phptek A CSRF token must be unique and

    unpredictable.

77. joind.in/talk/d4f3a @SammyK #phptek

78. joind.in/talk/d4f3a @SammyK #phptek

79. joind.in/talk/d4f3a @SammyK #phptek

80. joind.in/talk/d4f3a @SammyK #phptek I’ll just let PHP seed mt_rand() for

    me. Bad idea jeans *Old SNL skit reference

81. joind.in/talk/d4f3a @SammyK #phptek

82. joind.in/talk/d4f3a @SammyK #phptek What about rand() you ask?

83. joind.in/talk/d4f3a @SammyK #phptek Nope

84. joind.in/talk/d4f3a @SammyK #phptek rand() mt_rand() …in PHP 7.0 & below

85. joind.in/talk/d4f3a @SammyK #phptek rand() Uses the system PRNG (unreliable &

    inconsistent) Is a PRNG (totes predictable) Uniform distribution issues

86. joind.in/talk/d4f3a @SammyK #phptek Uniform Distribution

87. joind.in/talk/d4f3a @SammyK #phptek 0 0.05 0.1 0.15 0.2 1 2

    3 4 5 6

88. joind.in/talk/d4f3a @SammyK #phptek 0 0.1 0.2 0.3 0.4 1 2

    3 4 5 6

89. joind.in/talk/d4f3a @SammyK #phptek Uniform Distribution == True Random

90. joind.in/talk/d4f3a @SammyK #phptek mt_rand() Implements the MT algorithm incorrectly Is

    a PRNG (totes predictable) Has a modulo bias

91. joind.in/talk/d4f3a @SammyK #phptek Modulo Bias

92. joind.in/talk/d4f3a @SammyK #phptek 6 % 3 = 0 8 %

    3 = 2 Modulo Operator

93. joind.in/talk/d4f3a @SammyK #phptek Random # between 0 & 1 n

    % 2 = 0 or 1 Use mod 2

94. joind.in/talk/d4f3a @SammyK #phptek rand_src() = 1, 2, or 3 2

    % 2 = 0 3 % 2 = 1 1 is more likely 1 % 2 = 1

95. joind.in/talk/d4f3a @SammyK #phptek rand() mt_rand() …in PHP 7.1 & above

96. joind.in/talk/d4f3a @SammyK #phptek mt_rand() Fixes bug in MT algorithm implementation

    Is a PRNG (totes predictable)

97. joind.in/talk/d4f3a @SammyK #phptek They’re totes samezies! rand() mt_rand() ===

98. joind.in/talk/d4f3a @SammyK #phptek

99. joind.in/talk/d4f3a @SammyK #phptek rand() mt_rand() Both suffer from modulo bias

    &

100. joind.in/talk/d4f3a @SammyK #phptek Seeds aren’t impossible to predict

101. joind.in/talk/d4f3a @SammyK #phptek Entropy *Could be it’s own talk

102. joind.in/talk/d4f3a @SammyK #phptek A measure of how accurately we’re able

     to predict the next value in a sequence.* * oversimplification

103. joind.in/talk/d4f3a @SammyK #phptek High entropy harder to predict Low entropy

     easier to predict

104. joind.in/talk/d4f3a @SammyK #phptek High entropy harder to predict Good for

     random number generation

105. joind.in/talk/d4f3a @SammyK #phptek Cryptographically Pseudorandom Secure Number Generator

106. joind.in/talk/d4f3a @SammyK #phptek CSPRNG or…

107. joind.in/talk/d4f3a @SammyK #phptek “See Spring” or…

108. Unicorn Magical

109. Uses seeds that are really really really really ridiculously hard

     to guess

110. joind.in/talk/d4f3a @SammyK #phptek High Entropy wee!

111. joind.in/talk/d4f3a @SammyK #phptek impossible It’s values are to predict in

     practice 42 82 Suitable for use in cryptographic contexts.

112. mythical Where can we find this creature?

113. joind.in/talk/d4f3a @SammyK #phptek CSPRNG options in 5.x

114. joind.in/talk/d4f3a @SammyK #phptek openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

115. joind.in/talk/d4f3a @SammyK #phptek openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

116. joind.in/talk/d4f3a @SammyK #phptek Since the UNIX fork() system call duplicates

     the entire process state, a random number generator which does not take this issue into account will produce the same sequence of random numbers in both the parent and the child […], leading to cryptographic disaster… https://wiki.openssl.org/index.php/Random_fork-safety

117. joind.in/talk/d4f3a @SammyK #phptek OpenSSL’s be like 42 CSPRNG 82 82

118. joind.in/talk/d4f3a @SammyK #phptek OpenSSL cannot fix the fork-safety problem because

     its not in a position to do so. However, there are [solutions] available and they are listed below. https://wiki.openssl.org/index.php/Random_fork-safety

119. joind.in/talk/d4f3a @SammyK #phptek Don't use RAND_bytes https://wiki.openssl.org/index.php/Random_fork-safety

120. joind.in/talk/d4f3a @SammyK #phptek Instead, you can read directly from /dev/random,

     /dev/urandom or /dev/srandom; or use CryptGenRandom on Windows systems. https://wiki.openssl.org/index.php/Random_fork-safety

121. joind.in/talk/d4f3a @SammyK #phptek mcrypt_create_iv() /dev/urandom openssl_random_pseudo_bytes()

122. joind.in/talk/d4f3a @SammyK #phptek

123. joind.in/talk/d4f3a @SammyK #phptek

124. joind.in/talk/d4f3a @SammyK #phptek

125. joind.in/talk/d4f3a @SammyK #phptek /dev/urandom openssl_random_pseudo_bytes() mcrypt_create_iv()

126. joind.in/talk/d4f3a @SammyK #phptek open_basedir=/foo/dir

127. joind.in/talk/d4f3a @SammyK #phptek openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

128. joind.in/talk/d4f3a @SammyK #phptek CSPRNG New goodness 7

129. joind.in/talk/d4f3a @SammyK #phptek CSPRNG random_int() random_bytes()

130. random_int(0,99) 6,17,6,9,17,53,58,98,46,44,62,9,76,65,46,21,42,5,65,34,11,96,85,7,46,89,98,9,9, 80,8,76,87,18,24,68,16,61,27,39,30,32,4,83,83,23,96,27,13,47,6,99,16,40,2,75,27 ,3,79,68,75,60,50,70,63,17,75,29,79,57,9,48,18,86,95,25,40,52,20,86,6,48,94,27, 76,14,9,27,62,14,68,58,12,18,63,19,84,47,7,13,63,28,66,55,2,75,44,92,11,85,51,1 7,42,57,22,4,53,7,3,76,48,55,95,7,45,33,87,36,11,17,66,6,46,87,57,48,22,31,65,5 ,26,10,47,82,97,74,25,32,63,60,29,53,13,24,56,54,52,86,67,4,94,35,48,73,35,45,2 4,74,74,83,49,70,41,49,20,60,29,49,30,35,38,63,4,86,72,97,26,22,36,95,59,94,24, 89,73,46,14,73,51,93,93,39,13,80,9,30,24,20,30,63,20,64,97,29,7,2,82,96,42,61,5 3,28,49,12,90,71,58,72,63,49,32,69,76,50,62,88,31,26,72,79,19,15,3,39,27,80,16,

     65,62,53,82,59,23,85,95,41,68,86,3,92,76,91,88,12,20,96,14,35,50,94,24,23,44,55 ,78,65,81,7,1,86,32,58,46,97,43,78,9,51,1,6,79,73,49,13,40,21,90,14,9,70,95,88, 37,85,14,7,29,42,55,81,46,39,41,45,81,11,93,26,89,4,98,35,30,36,74,97,18,85,97, 23,52,64,88,20,89,12,25,19,21,21,50,60,50,43,84,1,52,5,19,2,86,38,51,48,30,55,9 0,93,97,52,84,29,58,96,78,37,24,14,72,81,9,82,26,83,83,17,35,15,9,87,95,51,71,4 8,9,45,13,61,98,3,18,96,99,28,74,47,58,71,89,68,57,51,86,90,38,21,72,72,30,22,1 3,88,25,48,45,62,59,81,32,10,54,82,60,90,17,98,41,73,98,60,22,99,66,32,41,82,62 ,91,3,85,91,21,17,98,19,48,50,24,67,3,14,62,55,35,99,95,83,76,12,51,77,61,24,24 ,60,15,31,47,24,27,97,98,70,6,24,25,20,23,67,72,55,47,19,53,50,38,22,76,37,63,8 2,67,52,3,75,84,84,71,49,79,26,89,11,77,55,92,32,81,38,23,54,9,40,80,75,20,7,58 ,37,72,75,59,46,32,41,82,90,72,59,5,42,2,94,44,44,4,15,37,29,24,10,51,18,8,42,5 6,9,68,31,99,7,77,59,8,74,80,11,15,93,81,5,72,44,49,39,25,4,18,98,0,93,42,78,36 ,57,47,16,49,2,85,6,31,17,81,10,54,40,95,68,31,80,29,41,86,32,9,58,96,62,79,25, 6,45,56,54,0,61,74,90,12,34,11,56,3,41,39,84,32,30,42,81,36,43,5,

131. joind.in/talk/d4f3a @SammyK #phptek bin2hex(random_bytes(16)) f7f5289027cb6c5116d 2d3cc78e5819c

132. joind.in/talk/d4f3a @SammyK #phptek You’re not strong until you’re crypto-strong!

133. CSPRNG under the hood

134. None

135. joind.in/talk/d4f3a @SammyK #phptek On Windows: CryptGenRandom On BSD: arc4random_buf() On

     Linux: getrandom(2) syscall Read directly from /dev/urandom

136. Fail Closed

137. joind.in/talk/d4f3a @SammyK #phptek /dev/urandom So what is this thing?

138. /dev/urandom Gathers environmental noise from the system like… …device drivers,

     inter-keyboard timings, inter-interrupt timings from some interrupts, and other events which are both (a) non-deterministic and (b) hard for an outside observer to measure. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/char/random.c

139. joind.in/talk/d4f3a @SammyK #phptek CSPRNG random_bytes() random_int() 7 /dev/urandom Powered by

140. joind.in/talk/d4f3a @SammyK #phptek Still on 5.x? paragonie/random_compat Polyfill for PHP

     7 CSPRNG

141. joind.in/talk/d4f3a @SammyK #phptek TL;DR Never use LCG, MT, or any

     other PRNG in cryptographic contexts Only use a CSPRNG like /dev/urandom for crypto Use random_bytes() & random_int() in PHP (or install paragonie/random_compat)

142. joind.in/talk/d4f3a @SammyK #phptek More Resources

143. joind.in/talk/d4f3a @SammyK #phptek Recommendation for the Entropy Sources Used for

     Random Bit Generation Final Draft - NIST SP 800-90B https://csrc.nist.gov/publications/detail/sp/800-90b/final

144. joind.in/talk/d4f3a @SammyK #phptek New & improved man pages for /dev/urandom

     http://man7.org/linux/man-pages/man7/random.7.html

145. joind.in/talk/d4f3a @SammyK #phptek Myths about /dev/urandom Thomas Hühn https://www.2uo.de/myths-about-urandom/

146. joind.in/talk/d4f3a @SammyK #phptek Cracking Random Number Generators Three-part blog post

     series James Roper https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html

147. joind.in/talk/d4f3a @SammyK #phptek How I Met Your Girlfriend DEF CON

     18 Samy Kamkar https://www.youtube.com/watch?v=fWk_rMQiDGc

148. joind.in/talk/d4f3a @SammyK #phptek Weak RNG in PHP session ID generation

     leads to session hijacking Andreas Bogk http://seclists.org/fulldisclosure/2010/Mar/519

149. joind.in/talk/d4f3a @SammyK #phptek

150. joind.in/talk/d4f3a @SammyK #phptek Thanks @hfronz! ❤

151. joind.in/talk/d4f3a @SammyK #phptek Sammy Kaye Powers Thanks! /talk/d4f3a @SammyK SammyK.me

     Host of @PHPRoundtable Thanks @hfronz! ❤