1 / 27

Chapter 6-1 - Random Numbers Cryptography the use of random numbers for:

Chapter 6-1 - Random Numbers Cryptography the use of random numbers for: - Generating symmetric keys in secret key systems. - Seed numbers for authentication (e.g., El Gamal). - Seed numbers for certain encryptions (e.g., IV in RC4). Can we get random numbers out of a computer? NO!

alika
Télécharger la présentation

Chapter 6-1 - Random Numbers Cryptography the use of random numbers for:

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 6-1 - Random Numbers Cryptography the use of random numbers for: - Generating symmetric keys in secret key systems. - Seed numbers for authentication (e.g., El Gamal). - Seed numbers for certain encryptions (e.g., IV in RC4). Can we get random numbers out of a computer? NO! “Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin.” John Von Neumann (1951) Deterministic machines can’t produce random numbers. Chapter 6-1 Random Numbers

  2. Random Numbers Random numbers are needed. We can settle for numbers that are unpredictable and cannot be readily reproduced. That means using Pseudo-Random Numbers Generators (PRNGs) on the computer. The generated numbers must meet certain mathematical criteria that tends to be rather esoteric and complicated. We briefly describe three PRNG criteria: Chapter 6-1 Random Numbers

  3. PRNG Requirements Uniform Distribution - In any sequence of numbers, the frequency of appearance of each number should be approximately the same (flat distribution). Independence - Every number in the sequence is independent of the value of every other number in the sequence such that no value can be inferred from the value of any other number. Completeness – The generator should produce a complete cycle before repeating and the cycle should be very long. Chapter 6-1 Random Numbers

  4. Random Number Generation - Tests A uniform distribution has an output when the numbers occur with constant probability. The occurrence of numbers is compared to a uniform distribution. There is no widely accepted independence test. Rather, we test to see if a set of numbers exhibit dependence and this is testable. These tests are generally conducted by the developers of PRNGs and subjected to rigorous testing and review. Chapter 6-1 Random Numbers

  5. Random Number Generators We need methods to generate high quality random Numbers. Two methods used are: Direct methods (measure a random physical property). Indirect methods (compute a pseudo-random function). There are many source of randomness like white noise, frequency of meteorites entering the atmosphere, etc. The trouble is, nature often is more predictable than we would otherwise think. Chapter 6-1 Random Numbers

  6. Psuedo-Random Number Generators Direct Methods – The number is generated directly from a “random” process. For example: User moves the mouse and the program measures the coordinates at several times to create a random value. (e.g., the RIM Blackberry uses this method for keys). Collect system information and combine it: Process id, clock tics since boot, username, time, internal system counters, system information like page fault counts, etc. – the more the better. Chapter 6-1 Random Numbers

  7. Psuedo-Random Number Generators Indirect Methods – The number is generated indirectly using direct information as a seed input. For example: Generate a seed number (direct) and deterministically compute a random sequence. Clearly the entire sequence is determined by the initial seed. Problem: If the algorithm is known and the seed can be guessed the sequence can be reproduced exactly. The seed must be kept secret and be long enough to defeat brute force attacks. Just like key protection. Chapter 6-1 Random Numbers

  8. Psuedo-Random Numbers - Lehmer Algorithm Produces a sequence of numbers {Xn} and is known as the Linear Congruent Method. Xn+1 = (a x Xn + c) mod m Where: a is the multiplier; 0 < a < m c is the increment; 0 < c < m m is the modulus m > 0 X0 is the initial value for X 0 < X0 < m Chapter 6-1 Random Numbers

  9. Lehmer Algorithm - Example Xn+1 = (a x Xn + c) mod m For a = c = 1, m = 20; X0 = 0 X1 = (1 x 0 + 1)mod 20 = 1, X2 = (1 x 1 + 1)mod 20 = 2, X3 = (1 x 2 + 1)mod 20 = 3, …….X20 = 20, then repeats - not so hot – It turns out that the selection of a, c, X0 are important! Chapter 6-1 Random Numbers

  10. Lehmer Algorithm – Example 2 for a = 7, c = 0, m=32, X0 = 1 X1 = (7x1 + 0) mod 32 = 7 X2 = (7x7 + 0) mod 32 = 49/32; Q = 1, R= 17 X3 = (7x17 + 0) mod 32 = 119/32; Q = 3, R = 23 X4= (7x23 + 0) mod 32 = 161/32, Q = 5, R = 1 looking good so far X5 = (7x1 + 0) mod 32 = 7/32; Q = 0, R = 7 Oops! X6 = obviously we are at the same point as X2 again. This is a period of 4 repeat and is unacceptable. Chapter 6-1 Random Numbers

  11. Lehmer Algorithm – Robust Criteria • Full period generator. For a range of m numbers • 0 < m < 2m, the function should generate all the • numbers up to 2m before repeating. • Testing for duplicates would be easy. • 2. The generator should produce statistically random • numbers in accord with accepted probability tests. • Not easy, but tractable (only have to do it once). • 3. The generator should run fast on modern machines. Chapter 6-1 Random Numbers

  12. Lehmer Algorithm – Robust Criteria The careful selection of a, c, and m will satisfy the criteria. In particular, if m is prime and c = 0, then certain values of a will produce a sequence with a period on m-1 (only 0 is missing). For 32 bit machines, select m = 231 - 1, a prime, let c = 0, and a = 75. X0 is important only in that it should be relatively large And randomly selected so it is not easily guessed. Chapter 6-1 Random Numbers

  13. Conditions for Breaking the Lehmer Generator 1. Knowing the algorithm (e.g., linear congruent method). 2. Knowing the parameters (a, c, and m). 3. Knowing X0, or a single number in the sequence. This is a weakness in the Linear Congruent method. We either should use another method or modify the method. For example: Every n numbers, re-start with a new X0 seeded by, for example, the system clock or the average number of keystrokes typed in the last hour (all this requires s/w). Chapter 6-1 Random Numbers

  14. Psuedo-Random Numbers – Blum Blum Shub See Stallings, page 226. Choose two large prime numbers, p & q such that: p & q = 3mod4. (i.e., each divided by 4 yields a remainder of 3) For example, 7 & 11 are primes that satisfy the criteria. ; 4/7 = Q = 0, R = 7 & 4+3 = 7, so 7 = 3 mod 4 ; 11/7 = Q = 1, R = 4 & 4+3 = so 11 = 3 mod 4 Chapter 6-1 Random Numbers

  15. Psuedo-Random Numbers – Blum Blum Shub Let n = p x q and select another random number s, where s is relatively prime to n (i.e., not a factor of p or q). Then form: X0 = s2 mod n for i = 1 to  Xi = (Xi-1)2 mod n Bi = Xi mod 2 The output is the set of Bi least significant bits. Strength is based on the difficulty in factoring n, which is hard if n is large. Chapter 6-1 Random Numbers

  16. Psuedo-Random Numbers - Crypto Methods Use an encryption system, such as DES, to produce random numbers since a cryptographic system produces an output independent of the input. The American National Standards Institute (ANSI) X9.17 Standard for Pseudo-random number generation uses triple DES (see Stallings, page 225). Reference: Eastlake, D., S. Crocker, and J. Schiller, “Randomness Recommendations for Security,” rfc 1750, December 1994. ftp://ftp.isi.edu/in-notes/rfc1750.txt Chapter 6-1 Random Numbers

  17. Random Numbers – Hardware Generators Intel has produced a hardware Random Number Generator (RNG) for Pentium chips since 1999. Thermal noise is measured as the voltage across two resistors that varies with local electromagnetic radiation, temperature, and power supply fluctuations. The source is used to modulate a fast and slow clock. Drift between the clocks provides the source of random digits. Used as input to a Secure Hash Algorithm (SHA-1). It has passed FIPS 140-1 validation (a gold standard). Chapter 6-1 Random Numbers

  18. Key Generation We have indicated that the key length in symmetric encryption systems is the primary determinant of the strength of the system. Now we will backtrack a little ask if that is the case. What? To make the assumption that the strength lies in the key length examine the difficulty of breaking a key. We assume no weak keys are used. We also assume the difficulty in searching the key space is an order: 2n problem where n is large (order of 112 bits, or more). Chapter 6-1 Random Numbers

  19. Key Generation This is true only if keys are generated by a very good random number generator. Another way of saying this is that the entropy of the key is very large, ideally 2n bits of entropy. What if the entropy of a key is less than the maximum possible entropy (2n). A real key may have much less entropy – it depends on how the key was generated – or, the quality of the random number generator. Chapter 6-1 Random Numbers

  20. Key Quality The bad news: In some cases keys have been generated from a user’s password. The password is used as the initial value (IV) input to the random number generator. If the algorithm is known and the constants are known an adversary only has to break the password to break the key. Passwords used to generate keys need as much entropy as the key! Chapter 6-1 Random Numbers

  21. Password Entropy How much entropy is there in a password? Typically, not much! Passwords are constructed from subset of ASCII characters and English words often appear in passwords. We also know that English has a maximum entropy of 4 bits per character and a minimum of around 1 bit per character. Strictly speaking an ASCII password is not English (may contain #, %, &, etc.), so it might have more entropy that 4 bits per character. Chapter 6-1 Random Numbers

  22. Password Entropy What that means is that an 8 character password composed of English characters has a maximum entropy of 8 char x 4 bits/char, Or 32 bits – not good enough to protect a 128 bit key. 128 bit keys (32 Bytes) need a 32 character password. Using case sensitive alpha, numeric, and punctuation symbols (96 char) increase entropy above 4 bits/char. Howard/LeBlanc estimate a requirement for a 20 character (160 bit) password to protect a 128 bit key (about 6.4 bits/ch entropy(1)). Chapter 6-1 Random Numbers

  23. Password Entropy – Length Requirements • Schneier (2) estimates that protecting a 128 bit key with • a pass phrase made of all English language characters • (i.e., with 1.3 bit/char entropy) requires a 98 character • pass-phrase (i.e., 128 bits/1.3 bits/char = 98.46 char.). • References: • Howard, Michael, and D. LeBlanc, “Writing Secure • Code,” Microsoft Press, Redmond, WA., 2000, page 167. • (2) Schneier, Bruce, “Secrets and Lies,” John Wiley & • Sons, New York, NY, 2000, page 104. Chapter 6-1 Random Numbers

  24. Password Entropy – Length Requirements Not many passwords or pass phrases meet the specified requirements. However, that is not the message. The message is: Basing the key on only the password as input to a generator is not a very smart idea. Instead, the following is a more appropriate strategy: Chapter 6-1 Random Numbers

  25. Other Input Candidates Clock tics since the last bootup. EXOR (idle time, kernel time, interrupt times, other system information). Contents of some internal registers (arithmetic, counters). MD4 hash of user’s process block. Current time. Physical processes (diode noise, radio noise, radiation decay). Arrival rates of network packets. Last n characters typed on the keyboard, time between characters. Random mouse movements. Chapter 6-1 Random Numbers

  26. Bad and Good Generators In Netscape Navigator 1.1, the random number generator produced 128 bit keys with an entropy of 20 bits – and was easily broken. Some windows products have taken the user’s password to generate keys – a really bad idea. srand (Windows) and rand (Unix) are low quality (both Use a Linear Congruence method). The Microsoft .NET class Random is low quality. The RNGcryptoServiceProvider class is high quality. Chapter 6-1 Random Numbers

  27. Bad and Good Generators CryprtGenRandom (Windows) is high quality. CryptGenkey (Windows) is high quality. Know the quality of the generator you use. If you don’t know it, do enough research to determine its quality. Chapter 6-1 Random Numbers

More Related