Random Number Generators for Cryptographic Applications (Part 1) Werner Schindler Federal Office for Information Security (BSI), Bonn Bonn, January 17, 2008


Random Number Generators for Cryptographic Applications

(Part 1)

Werner Schindler

Federal Office for Information Security (BSI), Bonn

Bonn, January 17, 2008

Schindler 17.01.2008 Slide 2

Outline (Part 1)

Introduction and motivation
General requirements on random number generators (RNGs)
RNG classification
Characteristic properties and differences:
  Deterministic RNGs
  Physical RNGs
  Non-physical true RNGs

Schindler 17.01.2008 Slide 3

Random numbers are used ...

as random session keys

to generate RSA prime factors

in DSA, ECDSA (ephemeral keys)

in zero-knowledge-proofs

in challenge-response-protocols

as IV vectors for block ciphers

by TPMs

...

Schindler 17.01.2008 Slide 4

Protocol information

Cryptographic protocols usually demand ...

„generate a random session key“ „generate a random prime“ „generate a random 64-bit challenge“ ...

... but they do not specify the generation process.

Schindler 17.01.2008 Slide 5

What properties should random numbers possess?

Usually, no clear requirements are specified.

Unexpressed silent requirement: The random numbers should assume all admissible values with equal probability and should be independent from predecessors and successors.

This in fact characterizes an ideal random number generator.

Schindler 17.01.2008 Slide 6

Classification (I)

RNG
  deterministic
    pure
    hybrid
  non-deterministic (true)
    physical
      pure
      hybrid
    non-physical
      pure
      hybrid

Schindler 17.01.2008 Slide 7

Classification (II)

Deterministic random number generators are also known as pseudorandom number generators.

Hybrid DRNGs and hybrid TRNGs contain design elements from both deterministic and non-deterministic RNGs. Their security, however, essentially rests on the deterministic part (hybrid DRNGs) or on the non-deterministic part (hybrid TRNGs), respectively.

Schindler 17.01.2008 Slide 8

Example 1: Challenge-response mechanism

Parties: smart card, terminal

Terminal: generates random number U, sets M := U || time
Terminal → smart card: M
Smart card: computes C := Enc(M; kC)
Smart card → terminal: C
Terminal: checks C = Enc(M; kC)?  yes → accept; no → STOP

Schindler 17.01.2008 Slide 9

Example 2: IV for a block cipher (CBC mode)

plaintext T = B1 || B2 || ...

CBC chaining with AES under key k:
C1 = AES_k(B1 ⊕ IV), C2 = AES_k(B2 ⊕ C1), ...

The (pseudo-)randomly chosen IV is transmitted in clear.

Schindler 17.01.2008 Slide 10

Example 3: Simplified fragment of a key exchange protocol

Parties: Alice, Bob

Alice: generates message T; generates random session key krnd; computes C := AES(T; krnd)
Alice → Bob: krnd^eB (mod nB) || C
Bob: computes krnd with dB; decrypts C with krnd

(dB, eB, nB): Bob's RSA key

Schindler 17.01.2008 Slide 11

Requirements (I)

Example 1:

To prevent replay attacks, the random numbers U1, U2, ... should be mutually distinct with overwhelming probability. (Depending on the full protocol and the application, additional requirements may be necessary.)

Example 2:

The IVs should have statistical properties similar to those of output values from ideal RNGs (to prevent replay and correlation attacks).

Schindler 17.01.2008 Slide 12

Requirements (II)

Is condition R1 sufficient for Example 3?

R1: The random numbers should not show statistical weaknesses.

Note: Condition R1 can be checked by statistical tests.

Schindler 17.01.2008 Slide 13

Example 3 (II)

Parties: Alice, Bob, Charles, Dick, Eve (eavesdropper)

Alice → Bob: krnd,1^eB (mod nB) || C1
Alice → Charles: krnd,2^eC (mod nC) || C2
Alice → Charles: krnd,3^eC (mod nC) || C3
Alice → Dick: krnd,4^eD (mod nD) || C4

Schindler 17.01.2008 Slide 14

General Requirements (III)

R2: The knowledge of subsequences of random numbers shall not allow to practically compute predecessors or successors or to guess them with non-negligibly larger probability than without knowledge of these subsequences (cf. the privileged attacker Charles in Example 3!).

Schindler 17.01.2008 Slide 15

Observation

Requirement R2 is indispensable for sensitive applications (e.g. for the generation of session keys).

The minimum requirements on the random numbers depend on the intended application!

Schindler 17.01.2008 Slide 16

Deterministic Random Number Generators

(DRNGs)

Schindler 17.01.2008 Slide 17

Pure DRNG (schematic design)

s0 (seed) → internal state sn

h: state transition function, sn+1 := h(sn)

f: output function, rn := f(sn) → random number

Schindler 17.01.2008 Slide 18

DRNGs: Advantages

no dedicated hardware required

software implementation (required e.g. for stream ciphers): identical seeds yield identical random numbers

low costs

Schindler 17.01.2008 Slide 19

DRNGs: Disadvantages

For pure DRNGs the random numbers are completely determined by the seed.

Output sequences of DRNGs (pseudorandom numbers) cannot be truly independent. They can at most behave as output sequences of an ideal random number generator with regard to particular aspects.

The internal state has to be protected even if the device is not active.

Schindler 17.01.2008 Slide 20

DRNG: Design

Note: In order to meet R2 (unpredictability of predecessors and successors):

- the state transition function and / or the output function must be sufficiently complex;

- it must be practically infeasible to guess the seed.

Hence DRNGs are typically composed of cryptographic primitives (block ciphers, hash functions etc.).

Schindler 17.01.2008 Slide 21

Example 1

internal state: sn = (rn, k)

sn+1 = (Enc(rn, k), k) =: (rn+1, k)

(typical smart card design)

Enc: block cipher (e.g. AES, Triple-DES); k: key (to be kept secret)

output function: (rn, k) → rn

state transition: (rn, k) → (Enc(rn, k), k)

Schindler 17.01.2008 Slide 22

Example 1: Security evaluation (I)

Requirement R1: A strong block cipher should not exhibit any statistical weaknesses. Hence Example 1 meets R1.

Requirement R2: Assumption: The attacker knows ri, ri+1, ..., ri+j.

Task: Find ri+j+1 = Enc(ri+j, k).

Note that ri+1 = Enc(ri, k), ..., ri+j = Enc(ri+j-1, k): this amounts to a specific chosen-plaintext attack on Enc.

Schindler 17.01.2008 Slide 23

Example 1: Security evaluation (II)

Goal: Find ri-1 = Enc^-1(ri, k).

Note that ri+j-1 = Enc^-1(ri+j, k), ..., ri = Enc^-1(ri+1, k): this amounts to a specific chosen-plaintext attack on Enc^-1.

If Enc and Enc^-1 are secure against chosen-plaintext attacks, the DRNG in Example 1 meets Requirement R2.

Examples: Enc = AES, Enc = Triple-DES. Counterexample: Enc = DES.

This security proof is typical for DRNGs (= tracing back to recognised properties of well-known cryptographic primitives).

Schindler 17.01.2008 Slide 24

Attack Scenario

An attacker learns the current internal state (e.g., by a successful hardware attack on a smart card or because he has access to the PC where the DRNG is implemented). The attacker can easily compute all following random numbers. What about the preceding random numbers? If this attack scenario is realistic for the intended use of the DRNG, it should additionally meet Requirement R3.

Schindler 17.01.2008 Slide 25

Requirements (IV)

R3: It shall not be practically feasible to compute preceding random numbers from the internal state or to guess them with non-negligibly larger probability than without knowledge of the internal state.

The DRNG from Example 1 does not meet R3 (decryption!). To meet R3 the state transition function h must be one-way (e.g., h = hash function).
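An added example (Python, not from the slides) that implements the DRNG of Example 1 together with the R3 check of this slide, and the hash-based transition the slide recommends. Enc is a constructed stand-in, a SHA-256 Feistel permutation, because the argument only needs an invertible keyed permutation; the seed values, the key and the output function of HashDRNG are the example's own assumptions.

```python
import hashlib
BLOCK = 16  # block size in bytes of the toy cipher

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_enc(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    """Constructed stand-in for the slide's Enc: a 4-round SHA-256 Feistel
    permutation. Invertible like a block cipher, but NOT a secure cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_fn(right, key, rnd))
    return left + right

def toy_dec(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    """Inverse of toy_enc: undo the Feistel rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _round_fn(left, key, rnd)), left
    return left + right

class BlockCipherDRNG:
    """Slide Example 1: state s_n = (r_n, k), output r_n, s_{n+1} = (Enc(r_n, k), k)."""
    def __init__(self, r0: bytes, k: bytes):
        self.r, self.k = r0, k  # secret seed (r0, k), supplied by the caller
    def next(self) -> bytes:
        out, self.r = self.r, toy_enc(self.r, self.k)
        return out

def backtrack(r_n: bytes, k: bytes, count: int) -> list:
    """R3 check for Example 1: from a captured state (r_n, k) the earlier outputs
    r_{n-1}, r_{n-2}, ... follow by decryption alone, so the design fails R3."""
    previous = []
    for _ in range(count):
        r_n = toy_dec(r_n, k)
        previous.append(r_n)
    return previous

class HashDRNG:
    """The slide's remedy: one-way state transition h = SHA-256, with a
    domain-separated SHA-256 as output function f (the example's choice)."""
    def __init__(self, seed: bytes):
        self.s = seed
    def next(self) -> bytes:
        self.s = hashlib.sha256(b"state|" + self.s).digest()
        return hashlib.sha256(b"out|" + self.s).digest()[:BLOCK]
```

For HashDRNG the same check has nothing to apply: the earlier states are preimages of SHA-256, which is exactly what the one-way requirement on h buys.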

Schindler 17.01.2008 Slide 26

Requirements (V)

Occasionally, also Requirement R4 is desirable:

R4: It shall not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without knowledge of the internal state.

Schindler 17.01.2008 Slide 27

Remark

Note: Requirement R4 can only be fulfilled by hybrid DRNGs (regular update of the internal state with random data).

R3 and R4 are DRNG-specific requirements. For physical RNGs R3 and R4 (as R1) usually follow “automatically” when R2 is fulfilled.

Schindler 17.01.2008 Slide 28

Remark

L. Dorrendorf, Z. Gutterman, B. Pinkas (2007) and Z. Gutterman, B. Pinkas, T. Reiman (2006) found weaknesses in the random number generators in Windows 2000 and Linux (/dev/urandom function, not /dev/random), respectively.

The source of these attacks was the violation of Requirement R3.

Schindler 17.01.2008 Slide 29

Cryptographically secure DRNGs

Cryptographically secure DRNGs are based upon intractability assumptions (e.g., factoring is hard). On basis of these intractability assumptions certain properties can be proved (e.g., next-bit security).

NOTE: Usually, only asymptotic security properties can be proved (i.e., for a whole family of DRNGs)

Examples: Blum-Blum-Shub, RSA and Rabin pseudorandom bit generators

Schindler 17.01.2008 Slide 30

RSA pseudorandom generator

Setup: Select distinct primes p, q; n = pq; and 1 < e < φ(n);

the seed s0;

and keep p, q, s0 secret.

rn := sn (mod 2^q) with q = 1 (basic version)

sn+1 ≡ sn^e (mod n)

Note: Asymptotically, the exponent q can be enlarged to O(log(log n)).

Schindler 17.01.2008 Slide 31

Blum-Blum Shub DRNG

Setup: Select distinct primes p, q with p, q ≡ 3 (mod 4); n = pq;

the seed s0 with gcd(s0, n) = 1;

and keep these data secret.

rn := sn (mod 2^q) with q = 1 (basic version)

sn+1 ≡ sn^2 (mod n)

Note: Asymptotically, the exponent q can be enlarged to O(log(log n)).
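The RSA and Blum-Blum-Shub generators of the two preceding slides as a runnable added example (Python, not from the slides). The toy primes p = 7, q = 11 and seed s0 = 3 are constructed values far below cryptographic size; the parameter checks and the convention that the seed itself is never emitted are the example's assumptions.

```python
from math import gcd

def rsa_prg(p: int, q: int, e: int, s0: int, count: int, qbits: int = 1) -> list:
    """RSA pseudorandom generator as on the slide: s_{n+1} = s_n^e (mod n),
    r_n = s_n (mod 2^qbits); qbits = 1 is the slide's basic version.
    Assumption: s_0 itself is not emitted, output starts with s_1."""
    n, phi = p * q, (p - 1) * (q - 1)
    # e must be a valid RSA exponent so that x -> x^e is a permutation mod n
    if p == q or not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("invalid RSA parameters")
    bits, s = [], s0
    for _ in range(count):
        s = pow(s, e, n)               # state transition
        bits.append(s % (1 << qbits))  # output: the qbits least significant bits
    return bits

def bbs(p: int, q: int, s0: int, count: int, qbits: int = 1) -> list:
    """Blum-Blum-Shub generator as on the slide: p, q = 3 (mod 4),
    gcd(s_0, n) = 1, s_{n+1} = s_n^2 (mod n), r_n = s_n (mod 2^qbits)."""
    n = p * q
    if p == q or p % 4 != 3 or q % 4 != 3 or gcd(s0, n) != 1:
        raise ValueError("invalid Blum-Blum-Shub parameters")
    bits, s = [], s0
    for _ in range(count):
        s = pow(s, 2, n)
        bits.append(s % (1 << qbits))
    return bits

if __name__ == "__main__":
    # Constructed toy parameters: p = 7, q = 11, n = 77, phi(n) = 60, e = 7.
    # With such a small modulus the state cycles after a few steps, which is
    # why real instances need primes of cryptographic size.
    print(rsa_prg(7, 11, 7, 3, 8))
    print(bbs(7, 11, 3, 8))
```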

Schindler 17.01.2008 Slide 32

Cryptographically secure DRNGs

Practical Relevance: Cryptographically secure DRNGs play little role in practice due to their low output rate.

Schindler 17.01.2008 Slide 33

Warning Warning Warning

Many pseudorandom number generators and several statistical test suites (Diehard test suite etc.) have been proposed in the literature for stochastic simulations.

This has often confused designers of cryptographic mechanisms who are not familiar with random number generators!

DRNGs which are fully appropriate for stochastic simulations may not even meet Requirement R1.

Schindler 17.01.2008 Slide 34

Physical Random Number Generators

(PTRNGs)

Schindler 17.01.2008 Slide 35

PTRNG (schematic design)

noise source → analog signal → digitised analog signal (das-random numbers; digital) → algorithmic postprocessing (optional; with or without memory) → internal r.n. → buffer (optional) → external interface → external r.n.

Schindler 17.01.2008 Slide 36

Noise source

The noise source is given by dedicated hardware. The noise source exploits, for example,

- noisy diodes
- free-running oscillators
- radioactive decay
- quantum photon effects
- ...

Schindler 17.01.2008 Slide 37

Requirements R1 - R4

Requirement R1 can be checked with statistical tests.

If the internal random numbers are unpredictable the PTRNG will also meet R2.

Apart from exceptional designs R3 and R4 then are automatically fulfilled.

Entropy quantifies the „degree of uncertainty“.

Schindler 17.01.2008 Slide 38

Entropy (Shannon Entropy)

Definition: Let X denote a random variable that assumes values in a finite set S = {s1, ..., st}. The (Shannon) entropy of X is given by

$$H(X) = -\sum_{j=1}^{t} \mathrm{Prob}(X = s_j)\,\log_2 \mathrm{Prob}(X = s_j)$$

Remark: (i) 0 ≤ H(X) ≤ log2|S|; (ii) Shannon entropy is (maybe the most) important representative of a family of entropy definitions.

Schindler 17.01.2008 Slide 39

Renyi Entropy

For α ≥ 0, α ≠ 1, the term

$$H_\alpha(X) = \frac{1}{1-\alpha}\,\log_2 \sum_{j=1}^{t} \mathrm{Prob}(X = s_j)^{\alpha}$$

denotes the Rényi entropy of X to parameter α.

As a function of α the Rényi entropy is monotonously decreasing. The most important parameters are α = 1 (Shannon entropy, obtained as the limit α → 1) and α = ∞ (or more precisely, α → ∞; min-entropy):

$$H_\infty(X) = \min\{-\log_2 \mathrm{Prob}(X = s_j) \mid 1 \le j \le t\}$$

Schindler 17.01.2008 Slide 40

Remark (II)

For cryptographic applications the success probability for guessing attacks is a relevant figure.

Shannon entropy may differ significantly from the guess work:

Example: S = {0,1}^128, Prob((0,...,0)) = 2^-1 + 2^-129, Prob(x) = 2^-129 for x ≠ (0,...,0); H(X) = 1 + 64.5 = 65.5

The min entropy is the most conservative entropy measure.
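An added example (Python, not from the slides) that computes the Rényi entropy family of the previous slide and applies it to the construction of this slide, scaled down from 128 to 8 bits so that the distribution can be enumerated: Shannon entropy comes out near 5 bits while min-entropy stays near 1 bit, matching the one-guess success probability of about 1/2. The function names are the example's own.

```python
from math import inf, log2

def renyi_entropy(probs, alpha: float) -> float:
    """Rényi entropy H_alpha(X) in bits of a distribution given as a list of
    probabilities; alpha = 1 is the Shannon limit, alpha = inf the min-entropy."""
    probs = [p for p in probs if p > 0]
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    if alpha == 1:
        return -sum(p * log2(p) for p in probs)
    if alpha == inf:
        return -log2(max(probs))
    return log2(sum(p ** alpha for p in probs)) / (1 - alpha)

def guess_success(probs) -> float:
    """Success probability of one optimal guess, i.e. 2^-H_inf(X)."""
    return 2 ** -renyi_entropy(probs, inf)

def skewed_distribution(k: int) -> list:
    """The slide's example scaled down to k-bit strings (constructed here so
    it can be enumerated): the all-zero string has probability 1/2 + 2^-(k+1),
    each of the other 2^k - 1 strings has probability 2^-(k+1)."""
    small = 2.0 ** -(k + 1)
    return [0.5 + small] + [small] * (2 ** k - 1)

def entropy_profile(probs, alphas=(0, 0.5, 1, 2, inf)) -> dict:
    """H_alpha for several alpha; illustrates the monotone decrease in alpha."""
    return {a: renyi_entropy(probs, a) for a in alphas}
```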

Schindler 17.01.2008 Slide 41

Remark (II)

Usually, the computation of the min entropy is much more costly than the computation of the Shannon entropy.

However, for physical RNGs the Shannon entropy is nevertheless appropriate (see Part 2).

Schindler 17.01.2008 Slide 42

Non-Physical True

Random Number Generators

(NPTRNGs)

Schindler 17.01.2008 Slide 43

NPTRNG (schematic design)

entropy source → random raw bits → algorithmic postprocessing (with or without memory) → internal r.n. → buffer (optional) → external interface → external r.n.

Schindler 17.01.2008 Slide 44

Entropy source (I)

The entropy source is the counterpart of the noise source of a PTRNG.

The entropy source typically exploits

- user's interaction (e.g. key strokes, time intervals between consecutive key strokes, mouse movement etc.)

- system data (time, RAM data, thread number, handle, Windows API functions etc.)

Schindler 17.01.2008 Slide 45

Entropy source (II)

Differences to noise sources:

- usually: (entropy / raw bit) is low → requires substantial compression of the raw data (→ algorithmic postprocessing)

- usually: the entropy source is not under the control of the RNG designer (→ prevents precise entropy estimation)

+ no dedicated hardware required

Schindler 17.01.2008 Slide 46

Example 2: Non-physical true RNG

The entropy source interprets key strokes as 6-bit strings to generate 1020 random raw bits.

algorithmic postprocessing: SHA-1(raw data)

Schindler 17.01.2008 Slide 47

Example 3: Non-physical true RNG

The entropy source uses the absolute time, the time since system start, thread numbers, handles and RAM content to generate a string of 1024 raw bits.

algorithmic postprocessing: SHA-1(raw data)

Schindler 17.01.2008 Slide 48

Attacks

The one-way property of SHA-1 suggests a typical attack on NPTRNGs:

- guess the raw bit string
- apply the postprocessing algorithm (SHA-1)
- check the result (e.g. against a session key)

The output of non-physical true RNGs may be used 'directly' or to seed / reseed DRNGs.

Schindler 17.01.2008 Slide 49

Evaluation of NPTRNGs: General advice

- ignore consecutive strokes of the same key

- the effective range of a k-bit API return value may contain considerably less than 2^k elements, and the values in the effective range may occur with different probabilities (→ entropy defect)

- for API functions that return time values consider the time resolution of the system and the adversary's knowledge (= preciseness of information)

- consider dependencies between data strings (e.g.: absolute time, absolute time at system start, time since system start)
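An added example (Python, not from the slides) that applies the advice of this slide to a constructed key-stroke trace of the kind the slide's Example 2 draws on: consecutive strokes of the same key are dropped, the inter-arrival times are quantised to an assumed 10 ms timer resolution, and the entropy defect of the result against a nominal 8-bit value is estimated from its empirical distribution. The trace, the resolution and the nominal width are all assumptions of the example.

```python
from collections import Counter
from math import log2

# Constructed key-stroke trace (key code, timestamp in microseconds); the
# values are invented for this example, not measured data.
EVENTS = [(17, 100_000), (17, 118_000), (17, 131_000), (4, 160_000),
          (9, 205_000), (9, 231_000), (33, 260_000), (12, 312_000),
          (12, 340_000), (5, 371_000)]

def drop_repeated_keys(events):
    """Slide advice: ignore consecutive strokes of the same key."""
    kept = []
    for key, t in events:
        if kept and kept[-1][0] == key:
            continue
        kept.append((key, t))
    return kept

def inter_arrival_ticks(events, resolution_us: int):
    """Intervals between consecutive strokes in units of the system timer
    resolution: digits below the resolution do not exist and carry no entropy."""
    times = [t for _, t in events]
    return [(b - a) // resolution_us for a, b in zip(times, times[1:])]

def entropy_defect(samples, nominal_bits: int):
    """Empirical Shannon and min-entropy of the sampled values, and the entropy
    defect: how far min-entropy falls short of the k bits the value nominally
    occupies. A real evaluation needs far more samples than this toy trace;
    only the procedure is shown here."""
    counts = Counter(samples)
    probs = [c / len(samples) for c in counts.values()]
    shannon = -sum(p * log2(p) for p in probs)
    h_min = -log2(max(probs))
    return {"shannon": shannon, "min": h_min, "defect": nominal_bits - h_min}

def evaluate(events=EVENTS, resolution_us: int = 10_000, nominal_bits: int = 8):
    """Whole pipeline: filter repeated keys, quantise intervals, estimate entropy."""
    ticks = inter_arrival_ticks(drop_repeated_keys(events), resolution_us)
    return ticks, entropy_defect(ticks, nominal_bits)
```

Running evaluate() with a coarser resolution (e.g. 50_000) shows how a coarse timer collapses the intervals onto very few values, which is the point of the slide's remark on time resolution.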

Schindler 17.01.2008 Slide 50

Outline (Part 2)

Design and evaluation criteria for physical RNGs: general advice, stochastic model, entropy, online tests, tot test, self test

AIS 31 and ISO 18031

Conclusion

Schindler 17.01.2008 Slide 51

Contact

Federal Office for Information Security (BSI)

Prof. Dr. Werner Schindler
Godesberger Allee 185-189
53175 Bonn

Tel: +49 (0)3018-9582-5652
Fax: +49 (0)3018-10-9582-5652

Werner.Schindler@bsi.bund.de
www.bsi.bund.de
www.bsi-fuer-buerger.de