On randomness
Computer Security 2014 – Ymir Vigfusson
Some slides borrowed from Luis von Ahn's 15-251 class @ CMU

Page 2

Plan for today

• Suppose we want to communicate securely when an adversary can intercept us and do MITM attacks
  ▪ Think back to the problem the Enigma tried to solve
• We've learned that one-time pad is secure
  ▪ But we cannot practically exchange keys that long
• Issue: Machines are inherently deterministic
  ▪ Strength of encryption scheme at best as good as the key
  ▪ The building block of modern encryption is randomness
• We will learn how this is done today assuming we have random numbers at our disposal
  ▪ The famous RSA protocol

Page 3

Plan for today

• Part 1: Assuming we have random numbers, how can we do secure message exchange? That is, how does RSA work?
• Part 2: But how can we create random numbers? Computers make do with pseudo-random numbers
• Part 3: Pitfalls of pseudo-random number generators (PRNGs)
  ▪ PHP session IDs
  ▪ Various Internet attacks (including on RSA)

Page 4

How do you compute 5^8 using few multiplications?

First idea:

5, 5^2, 5^3, 5^4, 5^5, 5^6, 5^7, 5^8

5^2 = 5*5, 5^3 = 5^2*5, ... (one multiply per step)

Page 5

How do you compute 5^8?

Better idea:

5, 5^2, 5^4, 5^8

5^2 = 5*5, 5^4 = 5^2*5^2, 5^8 = 5^4*5^4

Used only 3 mults instead of 7!!!

Page 6

Repeated squaring calculates a^(2^k) in k multiply operations; compare with the (2^k – 1) multiply operations used by the naïve method.

Page 7

How do you compute 5^13?

Use repeated squaring again? 5, 5^2, 5^4, 5^8

5^16 is too high! What now? (assume no divisions allowed…)

Page 8

How do you compute 5^13?

Use repeated squaring again? 5, 5^2, 5^4, 5^8

Note that 13 = 8 + 4 + 1, so a^13 = a^8 * a^4 * a^1

Two more multiplies!

13 (decimal) = 1101 (binary)

Page 9

To compute a^m:

Suppose 2^k ≤ m < 2^(k+1)

Compute a, a^2, a^4, a^8, ..., a^(2^k): this takes k multiplies

Now write m as a sum of distinct powers of 2, say m = 2^k + 2^i1 + 2^i2 + … + 2^it

Then a^m = a^(2^k) * a^(2^i1) * … * a^(2^it): at most k more multiplies

Page 10

Hence, we can compute a^m (mod n) while performing at most 2 log2 m multiplies, where each time we multiply together numbers with log2 n + 1 bits.

Page 11

How do you compute 5^13 (mod 11)?

First idea: Compute 5^13 using 5 multiplies

5, 5^2, 5^4, 5^8, 5^12 = 5^8*5^4, 5^13 = 5^12*5 = 1 220 703 125

then take the answer mod 11:

1220703125 (mod 11) = 4

Page 12

How do you compute 5^13 (mod 11)?

Better idea: keep reducing the answer mod 11

5                    = 5  (mod 11)
5^2  = 25            = 3  (mod 11)
5^4  = 3*3 = 9       = 9  (mod 11)
5^8  = 9*9 = 81      = 4  (mod 11)
5^12 = 4*9 = 36      = 3  (mod 11)
5^13 = 3*5 = 15      = 4  (mod 11)

Pretty good! We'll come back to this in a bit

Page 13

Now, recall the following:

Z_n = {0, 1, 2, …, n-1}

Z_n* = {x ∈ Z_n | GCD(x, n) = 1}

Examples:

Z_8* = {1, 3, 5, 7}
Z_11* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}

Page 14

Euler Phi Function Φ(n)

Φ(n) = size of Z_n*

p prime ⇒ Φ(p) = p-1

p, q distinct primes ⇒ Φ(pq) = (p-1)(q-1)

Page 15

How do you compute 5^121242653 (mod 11)?

The current best idea would still need about 54 calculations

We can actually do better using Φ(n):

for a ∈ Z_n*, a^x ≡_n a^(x mod Φ(n))

Importantly, we can do this fast!

answer = 4

Page 16

Euler's Theorem

For a ∈ Z_n*, a^Φ(n) = 1 mod n

Corollary: Fermat's Little Theorem

For p prime, a ∈ Z_p*, a^(p-1) = 1 mod p

Key result needed, and the key to RSA
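The square-and-multiply method of pages 9-12, the groups Z_n* and Φ(n) of pages 13-14, the exponent reduction of page 15 and Euler's theorem of page 16, carried through in code as an added example (not code from the lecture). The multiply counter and the names modexp, units, phi, euler_holds and modexp_euler are my own; phi() is brute force and only meant for the slide-sized moduli.

```python
from math import gcd

def modexp(a, m, n):
    """a^m mod n by repeated squaring, reducing mod n after every multiply
    (page 12). Also returns the number of multiplies so the ~2*log2(m) bound
    of page 10 can be checked."""
    result, power, mults = 1, a % n, 0
    while m > 0:
        if m & 1:                       # this bit of m is set: fold in a^(2^i)
            result = (result * power) % n
            mults += 1
        m >>= 1
        if m:                           # square to get the next a^(2^(i+1))
            power = (power * power) % n
            mults += 1
    return result, mults

def units(n):
    """Z_n* = {x in Z_n | gcd(x, n) = 1} (page 13)."""
    return [x for x in range(n) if gcd(x, n) == 1]

def phi(n):
    """Euler's Phi function as the size of Z_n* (page 14); brute force, toy sizes only."""
    return len(units(n))

def euler_holds(n):
    """Euler's theorem (page 16): a^phi(n) = 1 mod n for every a in Z_n*."""
    return all(modexp(a, phi(n), n)[0] == 1 for a in units(n))

def modexp_euler(a, x, n):
    """Page 15: for a in Z_n*, a^x = a^(x mod phi(n)) (mod n), so shrink the
    exponent first; for a huge exponent this removes most of the multiplies."""
    if gcd(a, n) != 1:
        raise ValueError("a must be in Z_n*")
    return modexp(a, x % phi(n), n)
```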

Page 17

RSA algorithm

Pick secret, random large primes: p, q
Multiply n = p*q
"Publish": n

Φ(n) = Φ(p) Φ(q) = (p-1)*(q-1)
Pick random e ∈ Z*_Φ(n)
"Publish": e

Compute d = inverse of e in Z*_Φ(n)
Hence, e*d = 1 [mod Φ(n)]
"Private Key": d

Page 18

"n, e is my public key. Use it to send me a message."

p, q random primes; e random ∈ Z*_Φ(n)

n = p*q; e*d = 1 [mod Φ(n)]

Page 19

n, e

p, q prime; e random ∈ Z*_Φ(n)

n = p*q; e*d = 1 [mod Φ(n)]

message m

send m^e [mod n]

(m^e)^d ≡_n m

Page 20

Exercise: p=11, q=3 primes, e = 3

n = p*q = 33

message m=7

? ? ? (the slide leaves the remaining quantities for the reader to fill in)
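The page 17-19 procedure run on the page 20 toy values, as an added example (not the lecture's code). egcd, modinv, rsa_keygen, rsa_encrypt, rsa_decrypt and slide_example are my names, and Python's built-in three-argument pow() stands in for the square-and-multiply of pages 9-12. The primes are far too small for real use and are kept only because the slide uses them.

```python
from math import gcd

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, m):
    """Inverse of e in Z_m* (page 17: the d with e*d = 1 mod phi(n)).
    Raises if e is not a unit, i.e. gcd(e, m) != 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError(f"{e} is not invertible mod {m}")
    return x % m

def rsa_keygen(p, q, e):
    """Page 17: n = p*q, phi(n) = (p-1)(q-1), e must lie in Z*_phi(n), d = e^-1."""
    n, phi_n = p * q, (p - 1) * (q - 1)
    if gcd(e, phi_n) != 1:
        raise ValueError("e must lie in Z*_phi(n)")
    return (n, e), modinv(e, phi_n)        # public key (n, e), private exponent d

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                     # m^e mod n (page 19)

def rsa_decrypt(n, d, c):
    return pow(c, d, n)                     # (m^e)^d = m mod n by Euler's theorem

def slide_example():
    """p=11, q=3, e=3, m=7 from page 20: returns ((n, e), d, ciphertext, recovered m)."""
    pub, d = rsa_keygen(11, 3, 3)
    c = rsa_encrypt(pub, 7)
    return pub, d, c, rsa_decrypt(pub[0], d, c)
```

phi(33) = 20, d = 3^-1 mod 20 = 7 (since 3*7 = 21), 7^3 mod 33 = 13, and 13^7 mod 33 = 7 again.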

Page 21

How hard is cracking RSA?

If we can factor products of two large primes, can we crack RSA?

If we know n and Φ(n), can we crack RSA?

How about the other way? Does cracking RSA mean we must do one of these two?

We don’t know (yet)…

Page 22

Part 2: Can we create random numbers?

• RSA relies fundamentally on availability of random numbers
  ▪ Random primes p and q, and random exponent e
• However, computers by themselves cannot generate random numbers! They are, as we said before, fundamentally deterministic
  ▪ Need external sources, and to use those sparingly
• Khan Academy has a nice introduction to the topic: https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/random-vs-pseudorandom-number-generators

Page 23

How do we create random numbers?

• You could buy an exciting book! http://www.amazon.com/Million-Random-Digits-Normal-Deviates/dp/0833030477
• You could hook up a Lava lamp!
• ... or a Geiger counter
• Not terribly practical!

Page 24

How do we create random numbers?

• In practice we use pseudo-random number generators (PRNGs)
• Rely on external sources for initial randomness
• Here is the diagram for the Linux PRNGs:

Page 25

How do we create random numbers? (diagram of the Linux PRNG; the image is not reproduced in this transcript)

Page 26

Part 3: Weaknesses in PRNGs

• In 2012, two research groups looked at gcd(n1, n2) for RSA public keys on the Internet (e.g. SSL/SSH)
  ▪ If any pair of keys share a prime, easy to crack!
• A wide range of devices (routers, firewalls, VPN...) had these weak keys
  ▪ Too little entropy on the devices to generate strong keys
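The gcd(n1, n2) check from the slide turned into a key-inventory audit, as an added example (not the lecture's or the researchers' code): it flags every modulus that shares a prime with another one and shows why such a key must be replaced, since Φ(n) and d follow straight from the factors (page 17). The inventory uses constructed 14-bit primes purely for illustration; shared_factor_audit, private_exponent and compromised_keys are my names.

```python
from math import gcd
from itertools import combinations

# Constructed key inventory with tiny primes (illustration only; real RSA primes are
# 1024+ bits). dev-A and dev-B share the prime 10007, the situation the 2012 studies
# found when low-entropy devices generated their keys.
P, Q, R, S, T = 10007, 10009, 10037, 10039, 10061
INVENTORY = {"dev-A": P * Q, "dev-B": P * R, "dev-C": S * T}

def shared_factor_audit(moduli):
    """Pairwise gcd over an inventory of RSA moduli. Any gcd > 1 is a shared prime,
    and then both moduli factor as n = g * (n // g). Returns a list of findings.
    O(k^2) pairs is fine for one organisation's keys; the 2012 Internet-wide scans
    scaled the same idea up with batch GCD over millions of keys."""
    findings = []
    for (name1, n1), (name2, n2) in combinations(moduli.items(), 2):
        g = gcd(n1, n2)
        if g > 1:
            findings.append({"pair": (name1, name2), "shared_prime": g,
                             "factors": {name1: (g, n1 // g), name2: (g, n2 // g)}})
    return findings

def private_exponent(p, q, e=65537):
    """Why a shared prime is fatal: with p and q known, phi(n) and hence
    d = e^-1 mod phi(n) follow immediately (page 17), so the key must be revoked."""
    phi_n = (p - 1) * (q - 1)
    return pow(e, -1, phi_n)                 # modular inverse, Python 3.8+

def compromised_keys(moduli):
    """Names of every key the audit says must be replaced."""
    return sorted({name for f in shared_factor_audit(moduli) for name in f["pair"]})
```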

Page 27

Weaknesses in PRNGs

• Dual_EC_DRBG: NSA backdoor PRNG designed in the 2000s based on elliptic curves
  ▪ Makes use of some magic values P and Q
  ▪ Shown in 2007 that if someone deliberately created these values, they could decrypt traffic after seeing only 32 random bytes
• RSA adopts Dual_EC_DRBG as default in BSAFE in 2004
  ▪ Not used by OpenSSL and others, however
• Standardized by NIST in 2005
• Snowden's leaks in 2013 reveal NSA placed a backdoor
  ▪ "NSA became the only editor of the standard"
  ▪ Paid $10m to RSA to have the company use it as a default
• Presidential advisory committee investigating NSA's conduct
• "Nothing up my sleeve numbers"

Page 28

Internet Cookies

Page 29

Internet Cookies

• A user spends effort logging into syndis.is
• Web server could require log-in information in each following packet to ensure credentials
  ▪ Cumbersome and expensive
• Instead, syndis.is hands out a temporary "badge" (cookie) to the user
  ▪ User submits a copy of the cookie on every request
  ▪ Doesn't matter if the user gets a new IP address – nice!
• What if badges were numbered 1, 2, 3, ... ? Need to have cookie strings unpredictable!

Page 30

PHP 5.3.1 Session ID generation

From php-5.3.1/ext/session/session.c:

    PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
    …
    gettimeofday(&tv, NULL);
    …
    /* maximum 15+19+19+10 bytes */
    spprintf(&buf, 0, "%.15s%ld%ld%0.8F",
             remote_addr, tv.tv_sec, (long int)tv.tv_usec, php_combined_lcg() * 10);
    …
    return buf;

Page 31

How much entropy?

Variable                                 Entropy
Client IP address (4 bytes)              32 bits
Current epoch                            32 bits
Current microseconds (0-1,000,000)       <20 bits
Random value from php_combined_lcg()     64 bits
Total                                    148 bits

Page 32

Let's dissect the components

Can we guess the current epoch?

• Session IDs are normally generated when someone logs in
• On social networking sites, the user appears to be visible
  ▪ On Facebook and Gmail, a dot turns green; "Who's logged on" is updated
• Can find the offset of our time vs. server time using an HTTP HEAD request

    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Mon, 12 Jul 2010 04:30:45 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 15 May 2010 00:50:56 GMT
    ETag: "d664e-66-6267dc00"
    Accept-Ranges: bytes
    Content-Length: 102
    Connection: close
    Content-Type: text/html; Charset=UTF-8

Page 33

Let's dissect the components

Can we find the victim's IP address?

• Attacker may already know the address
  ▪ Victim behind a common proxy, such as proxy.emory.edu
• Can lure the victim into clicking a link
  ▪ Obtain IP address (could even do something more nefarious)
• So we can usually know the IP address

Page 34

What do we have?

• We reduced 148 bits (prehashed): we know 64 of these bits, so 84 bits remaining
• Still a feat to crack...
• What about the remaining session ID components?

Page 35

How much entropy?

Variable                                 Entropy
Client IP address (4 bytes)              32 bits   (known, page 33)
Current epoch                            32 bits   (known, page 32)
Current microseconds (0-1,000,000)       <20 bits
Random value from php_combined_lcg()     64 bits
Total                                    84 bits

Page 36

Dissecting the PRNG

php_combined_lcg() uses an LCG (Linear Congruential Generator), a standard PRNG

    PHPAPI double php_combined_lcg(void)
    {
        php_int32 q, z;

        if (!LCG(seeded)) {
            lcg_seed();
        }

        /* MODMULT(a, b, c, m, s) is a macro in ext/standard/lcg.c: it computes
           s = (b*s) mod m by Schrage's method, where m = a*b + c */
        MODMULT(53668, 40014, 12211, 2147483563L, LCG(s1));
        MODMULT(52774, 40692, 3791, 2147483399L, LCG(s2));

        z = LCG(s1) - LCG(s2);
        if (z < 1) {
            z += 2147483562;
        }
        return z * 4.656613e-10;
    }

    static void lcg_seed(void)
    {
        struct timeval tv;

        if (gettimeofday(&tv, NULL) == 0) {
            LCG(s1) = tv.tv_sec ^ (~tv.tv_usec);   /* the whole "random" seed is the clock... */
        } else {
            LCG(s1) = 1;
        }
        LCG(s2) = (long) getpid();                 /* ...and the process id */
        LCG(seeded) = 1;
    }

• Pids on UNIX are usually 15 bits; could maybe even find it out...
• What's going on here?

Page 37

Timestamp manipulation

LCG(s1) = tv.tv_sec ^ (~tv.tv_usec);

               most certain ........................ most uncertain
tv.tv_sec      1100111001000010110000110010101
~tv.tv_usec    1111111111110111010010101110010
XOR
=              0011000110110101100010011100111

Timestamp provides only 20 bits of entropy!
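The lcg_seed()/php_combined_lcg() pair from page 36 ported to Python, with the page 37 observation measured directly and the page 29 requirement (unpredictable cookie strings) shown the way it should be met, as an added example (not the lecture's code; PHP's own C is on page 36). _int32, _cdiv, s1_candidates and strong_session_id are my names, and the timestamp and pid values are constructed rather than read from the OS.

```python
import secrets

M1, M2 = 2147483563, 2147483399           # moduli of the two combined LCGs

def _int32(v):
    """Wrap to a signed 32-bit value, as assignment to php_int32 does in C."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def _cdiv(a, b):
    """C integer division truncates toward zero; Python's // floors, so emulate it."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q

def _modmult(a, b, c, m, s):
    """Port of PHP's MODMULT macro: (b*s) mod m by Schrage's method, m = a*b + c.
    The intermediate values stay inside 32-bit range, so no wrapping is needed."""
    q = _cdiv(s, a)
    s = b * (s - a * q) - c * q
    return s + m if s < 0 else s

def lcg_seed(tv_sec, tv_usec, pid):
    """Port of lcg_seed(): the whole state is (seconds XOR ~microseconds, pid).
    The inputs are supplied by the caller here instead of gettimeofday()/getpid()."""
    return _int32(tv_sec ^ ~tv_usec), _int32(pid)

def php_combined_lcg(state):
    """Port of php_combined_lcg(). Returns (next_state, output in (0, 1))."""
    s1, s2 = state
    s1 = _modmult(53668, 40014, 12211, M1, s1)
    s2 = _modmult(52774, 40692, 3791, M2, s2)
    z = s1 - s2
    if z < 1:
        z += 2147483562
    return (s1, s2), z * 4.656613e-10

def s1_candidates(tv_sec):
    """Page 37, measured: with the second known, how many distinct s1 values can
    lcg_seed() produce? tv_usec ranges over 0..999999 only, so 10^6 (about 2^20)."""
    return len({lcg_seed(tv_sec, usec, 0)[0] for usec in range(1_000_000)})

def strong_session_id():
    """What page 29 asks for: a token from the OS CSPRNG, so nothing about the
    clock, client IP or pid narrows it down (16 bytes = 128 bits of entropy)."""
    return secrets.token_hex(16)
```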

Page 38

Dissecting the PRNG

• We have narrowed down the internal state of the random number generator (LCG) to 15+20 bits
  ▪ Specifically variables s1 and s2
• How do we make use of this information?

Page 39

PHP 5.3.1 Session ID generation (page 30 again)

From php-5.3.1/ext/session/session.c:

    PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
    …
    gettimeofday(&tv, NULL);
    …
    /* maximum 15+19+19+10 bytes */
    spprintf(&buf, 0, "%.15s%ld%ld%0.8F",
             remote_addr, tv.tv_sec, (long int)tv.tv_usec, php_combined_lcg() * 10);
    …
    return buf;

Page 40

Dissecting the PRNG

• We just create a session by ourselves! A part of our session ID will be the current value of php_combined_lcg()
• We can then brute force the value that lcg_seed() produced initially
  ▪ We thus know the values of s1 and s2
  ▪ In other words, we know what php_combined_lcg() will return before it does!
• Important: We calculate the PRNG state locally. No need to send requests to the server

Page 41

How much is left for each session?

Variable                                 Entropy
Client IP address (4 bytes)              32 bits   (known)
Current epoch                            32 bits   (known)
Current microseconds (0-1,000,000)       <20 bits
Random value from php_combined_lcg()     64 bits   (known, page 40)
Total                                    20 bits

Page 42

PHP attack, summary

The session ID in PHP 5.3.1 has four components.

• Client IP address: known by attacker
• Timestamp in sec: known by attacker
• Microseconds: unknown
  ▪ Must brute-force these ~20 bits with individual packets
• PRNG output:
  ▪ We create a new session to see the next value of php_combined_lcg()
  ▪ We brute-force the seed used offline
    ▪ Only (20+15) bits actually needed because of a bug
  ▪ We determine how many sessions have been opened on the server to make a good guess
  ▪ Only need to do this once between PHP restarts!

We could predict future session cookies... pretty bad!

Page 43

Optional lab: Blackjack! (+5%)

• We've put information in "blackjack.login" in your home directory
• Goal: Win $10,000,000 credits! You start off with $10,000
• Standard blackjack rules. Grade is min(10, credits / 10M)
• You get one free refill (delaying inevitable gambler's ruin)
• Information and scoreboard: http://hhg.to/blackjack.php