Upload
aron-hudson
View
226
Download
0
Embed Size (px)
Citation preview
CSC 382: Computer Security Slide #1
CSC 382: Computer Security
Applying Cryptography
CSC 382: Computer Security Slide #2
Topics
1. Hash Algorithms
2. Key Sizes
3. Key Generation
4. Information Theory
5. Randomness
6. PRNGs
7. Entropy Gathering
8. Practical Sources of Randomness
9. Cryptographic APIs
CSC 382: Computer Security Slide #3
State of Hash Functions
Avoid the following widely-used hash algorithms:– MD5, SHA-1
We don’t have a theory of how to design hashes.– No hash algorithm has been secure for 10 years.– Too optimistic in the past: MD5 and SHA-1 would
have been secure with twice as many rounds.
What can we do?– Design protocols (digital signatures, SSL, etc.) so that
they can switch hash functions easily.– Use SHA-256 for now.– Look at new hashes: FORK-256, DHA-256, VSH
CSC 382: Computer Security Slide #4
Key Sizes: Symmetric Ciphers
Advanced Encryption Standard– AES supports 128-, 192-, and 256-bit keys.– 128-bit keys should be good enough for all time
provided no attack better than brute force discovered.
Bit size means different things for symmetric and public key ciphers.
CSC 382: Computer Security Slide #5
Key Sizes: Public Key CiphersBit size measures different characteristics for different public key algorithms.
Public key cipher security dependent on advances in number theory and computing approaches like quantum computing.
Recommended size is 2048-bits for RSA, DSA, and Diffie-Hellman.
ECC uses much smaller keys.
CSC 382: Computer Security Slide #6
Key Generation
Goal: generate difficult to guess keys
Given set of K potential keys, choose one randomly.– Equivalent to selecting a random number between 0 and
K–1 inclusive.
Difficulty: generating random numbers– Computer generated numbers are pseudo-random, that is,
generated by an algorithm.
CSC 382: Computer Security Slide #7
Information
The amount of information in a message is the minimal number of bits needed to encode all possible meanings.
Example: day of the week– Encode in <3 bits– 000 Sunday to 110 Saturday, with 111 unused– ASCII strings “Sunday” through “Saturday”
use more bits, but don’t encode more information.
CSC 382: Computer Security Slide #8
Information
Information:
H = log2(M),where M is the number of equiprobablepossibilities for the state of the system.
Example: Coin flip (2 equiprobable results)
H = log2(2)
= 1 bit
CSC 382: Computer Security Slide #9
Information Content of English
For random English letters,
log2(26) bits/letter
For large samples of English text,
1.3 bits/letter
For bzipped English text,
7.95+ bits/letter
CSC 382: Computer Security Slide #10
What is a Random Number?
1. Is 3 a random number?
2. How about 107483?
3. Or 3.1415927?
CSC 382: Computer Security Slide #11
What is Randomness?
A byte stream is random if– H is approximately 8 bits/byte
How can we get a random byte stream?– Compression is a good randomizing function.– Cryptography is a good randomizing function.
Statistical tests for randomness– 0s occur about as often as 1s.– Pairs of 0s occur about half as often as single 0s
and as often as pairs of 1s.
CSC 382: Computer Security Slide #12
PRNGs
1. Determinism and Randomness
2. Seeding the PRNG
3. Linear Congruential
4. CSPNRGs
5. Blum-Blum-Shub
6. Tiny
7. Attacks on PNRGs
CSC 382: Computer Security Slide #13
Determinism
Computers are deterministic.
– They can’t produce random numbers.
– “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.” – John vonNeumann
CSC 382: Computer Security Slide #14
Pseudo-random Numbers
Pseudo-random numbers appear to be random to certain statistical tests.– Tests can be derived from compression.– If you can compress sequence, it’s not random.
Software generated pseudo-random sequences are periodic and predictable.
CSC 382: Computer Security Slide #15
Seeds
Input used to generate initial PR number.
Should be computationally infeasible to predict– Generate seed from random, not PR, data.
– Large seed: 32 bits too small; only 232 combinations.
Sequence still repeats, but starts from different point for each different seed.– Identical sequences produced for identical seeds.
– Period needs to be large for security.
CSC 382: Computer Security Slide #16
Linear Congruential Generator
nk = (ank–1 + b) mod m
m Modulus (a large prime integer)a Multiplier (integer from 2..m-1)b Increment
n0 Sequence initializer (seed)
CSC 382: Computer Security Slide #17
Linear Congruential Generator
Why must m be prime?– Prevents sequence from becoming all zeros.
Why must m be large?– Maximum period is m.
What’s important about a and b?– Constants a and b determine if LCG will have a
full period (m) or repeat sooner.
CSC 382: Computer Security Slide #18
LCG Example in Python#!/usr/bin/env pythonimport sysdef lcg(x): return a*x % 13i = 0; li=[]a, x = map(int, sys.argv[1:3])while(i < 10): x = lcg(x) li.append(str(x)) i += 1print ", ".join(li)
>./prng.py 5 211, 4, 8, 2, 11, 4, 8, 2, 11, 4>./prng.py 6 20, 1, 7, 4, 12, 8, 10, 9, 3, 6
CSC 382: Computer Security Slide #19
Linear Congruential Generator
Choice of a criticalMany choices of a produce a full period.
• Sequence is permutation of integers 1..m-1• Ex: 2, 6, 7, 11 for m=13
For production LCGs, m=232-1 commona = 16807 is well studied full period multiplier
LCGs are statistically randombut predictable, giving away state with result.
LCGs are not cryptographically useful.
CSC 382: Computer Security Slide #20
Secure PRNGs
Cryptographically Secure PRNGs:1. Statistically appear random.2. Difficult to predict next member of sequence
from previous members.3. Difficult to extract internal state of PRNG from
observing output.
Similar to stream ciphers.May be re-seeded at runtime, unlike PRNGs.
CSC 382: Computer Security Slide #21
Blum Blum Shub
xn+1 = xn2 mod M
Blum Number M– Product of two large primes, p and q– p mod 4 = 3, q mod 4 = 3
Seed– Choose random integer x, relatively prime to M.
– x0 = x2 mod M
CSC 382: Computer Security Slide #22
Blum Blum Shub
Random Output:– LSB of xn+1
– Can safely use log2M bits.
Provably secure– Distinguishing output bits from random bits is
as difficult as factoring M for large M.
Slow– Requires arbitrary precision software math libs.
CSC 382: Computer Security Slide #23
Strong Mixing Functions
Strong mixing function: function of 2 or more inputs with each bit of output depending on some nonlinear function of all input bits.
Examples: AES, DES, MD5, SHA-1Use on UNIX-based systems:
(date; ps gaux) | md5
where “ps gaux” lists all information about all processes on system.
CSC 382: Computer Security Slide #24
Attacks on PNRGsDirect Cryptanalytic
– Distinguish between PRNG output and random output with better than 50% accuracy.
Input-Based– Use knowledge of PRNG input to predict output.– Insert input into PRNG to control output.
State Compromise Extension– Extend previously successful attack that has recovered
internal state to recover either or both:• past unknown PRNG outputs• future PRNG outputs after additional inputs given to
PRNG
CSC 382: Computer Security Slide #25
ASF On-line Gambling
Re-seed PRNG before each shuffle– always start with ordered deck.
Shuffling– Fair: 52! 2226 combinations– 32-bit seed: 232 combinations– ms seed: 86,400,000 combinations– synchronize time: 200,000 combinations
Predict deck based on 5 known cards.
CSC 382: Computer Security Slide #26
ASF PRNG Flaws
1. PRNG algorithm used small seed (32 bits.)
2. Non-cryptographic PRNG used.
3. Seed generated by poor source of randomness.
CSC 382: Computer Security Slide #27
Entropy Collection
1. Hardware Solutions
2. Software Solutions
3. Poor Entropy Collection
4. Entropy Estimation
CSC 382: Computer Security Slide #28
Hardware SourcesRadioactive Decay
– Hotbits: 256 bits/s– http://www.fourmilab.ch/hotbits/
Thermal Noise– Comscire QNG Model J1000KU, 1 Mbit/s– Pentium III RNG
LavaRnd– SGI used LavaLite; LavaRnd uses lenscapped digicam– http://www.lavarnd.org/– up to 200 kbits/s
CSC 382: Computer Security Slide #29
Software Sources
Less Secure, More Convenient– Software sufficiently complex to be almost
impossible to predict.
User Input: Push, don’t Pull– Record time stamp when keystroke or mouse
event occurs.– Don’t poll most recent user input every .1s
• Far fewer possible timestamps.
CSC 382: Computer Security Slide #30
Software Sources: /dev/random
Idea: use multiple random software sources.– Store randomness in pool for user requests.– Use hash functions (i.e., strong mixing functions) to
distill data from multiple sources.
/dev/random can use random sources such as– CPU load– disk seeks– kernel interrupts– keystrokes– network packet arrival times– /dev/audio sans microphone
CSC 382: Computer Security Slide #31
Software Sources: /dev/random
/dev/random– each bit is truly random.– blocks unless enough random bits are available.
/dev/urandom– supplies requested number of bits immediately.– reuses current state of pool—lower quality
randomness.– cryptographically secure RNG.
CSC 382: Computer Security Slide #32
When to use /dev/{u}random?
Use true entropy for– Generating long-term cryptographic keys.– Seeding cryptographically secure RNGs.– But true randomness is in low supply so
Use cryptographically secure RNGs– For everything else.
CSC 382: Computer Security Slide #33
Poor Entropy: Netscape 1.1
SSL encryption– generates random 40- or 128-bit session key
– Netscape 1.1 seeded PRNG with
• time of day
• PID and PPID
– All visible to attacker on same machine.
Remote attack broke keys in 30 seconds– guessed limited randomness in PID/PPID.
– packet sniffing can determine time of day.
CSC 382: Computer Security Slide #34
Cryptographic APIs
1. Cryptlib
2. OpenSSL
3. Crypt++
4. BSAFE
5. Cryptix
6. Crypt:: CPAN modules
CSC 382: Computer Security Slide #35
Supported Ciphers
1. Range of MAC algorithmsAlmost all include MD5, SHA-1
2. Range of symmetric algorithmsAlmost all include AES, DES
3. Range of public key algorithmsAlmost all include RSA, Diffie-Hellman, DSA
CSC 382: Computer Security Slide #36
Cryptographic APIs
Cryptlib– easy to use– free for noncommercial use
OpenSSL– poorly documented– open source– popular
CSC 382: Computer Security Slide #37
Cryptographic APIs
Crypto++– C++ library– open source
BSAFE– well documented– most popular commercial library– commercial SDK from RSA
CSC 382: Computer Security Slide #38
Cryptographic APIs
Cryptix– open source Java library
Python Cryptographic Toolkit– open source crypt, hash, rand modules– http://www.amk.ca/python/code/crypto
Crypt:: CPAN modules for perl– well documented– many different libraries
CSC 382: Computer Security Slide #39
Key Points
1. Keys generated must be truly random.2. Algorithmic PRNG techniques:
– Linear congruential generators: non-crypto.– Blum Blum Shub cryptographic PRNG.
3. Computer RNGs:– Hardware RNGs: thermal noise, decays.– Software RNGs: disk seeks, interrupts.
4. High quality open source cryptography libraries exist for most languages.
CSC 382: Computer Security Slide #40
References1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.2. D. Eastlake, “Randomness Recommendations for Security,” RFC 1750,
http://www.ietf.org/rfc/rfc1750.txt, 1994.3. Ian Goldberg and David Wagner, “Randomness and the Netscape Browser,” Doctor
Dobbs’ Journal, 1996. http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html4. Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press,
2003.5. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied
Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996.6. S. K. Park, K. W. Miller, “Random number generators: good ones are hard to find,”
Communications of the ACM, Volume 31 Issue 10 , October 1988.7. Tom Schneider, “Information Theory Primer,”
http://www.lecb.ncifcrf.gov/~toms/paper/primer/, 2000.8. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996.9. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.10. John Viega and Matt Messier, Secure Programming Cookbook for C and C++, O’Reilly,
2003.11. Joss Visser, “Kernel based random number generation in HP-UX 11.00,”
http://www.josvisser.nl/hpux11-random/hpux11-random.html, 2003.12. David Wheeler, Secure Programming for UNIX and Linux HOWTO,
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.