Pseudo-Random-Number-Generators: Security Perspective
Zvi Gutterman, zvikag@cs.huji.ac.il

Posted on 19-Dec-2015

Page 1: Pseudo-Random-Number-Generators Security Perspective Zvi Gutterman zvikag@cs.huji.ac.il


Page 2: Outline

• Motivation: who needs random numbers?
• Requirements
• Numerical generators
• Physical generators
• Examples: Java Object.toString(); attacking the Apache Servlet engine
• Join us (projects)!

Page 3: Motivation

• Numerical algorithms
• Simulations
• "Monte-Carlo" methods
  Example: calculating … using Monte-Carlo simulations

Page 4: Motivation (cont.)

Security example: One-Time Pad
• Alice and Bob meet once and set a one-time pad K.
• Alice encrypts plaintext P with K (using xor) and sends the ciphertext C to Bob.
• To decrypt P, Bob xors K with C.
• Perfect encryption! (Pad used once, same length as P.)

As old as computer science: Turing, von Neumann.

Truly random?

Page 5: Requirements

Utopia: true random generators
• Hard to find
• Hard to prove
• Complex implementation

Reality: pseudo random number generators
• Sequence appears random

"Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin."
John von Neumann [1951]

Page 6: Requirements – PRNG

• Statistical tests: uniform distribution, … (e.g., the number of '0's equals the number of '1's)
• Non-predictable
• Long period
• Fast computing
• Low memory consumption

Page 7: Numeric Generators – Linear Congruential Generator (LCG)

X_{n+1} = (X_n * a + b) mod m

Where:
• X_n – current number [X_0 – seed]
• X_{n+1} – next number
• a – multiplier
• b – increment
• m – modulus

[Lehmer, 1949]

Page 8: LCG

Used in:
• rand() function in C / C++ (libc)
• java.util.Random
• …

The period is at most m. Knuth [TAOCP] studies the LCG period.

Page 9: LCG – Prediction Algorithm

Boyar [1982] algorithm
• Input: X_{n-k}, …, X_0
• Output: a, b, m
• Complexity: log2(m) iterations
• Assumes generator corrections during iterations

Krawczyk [1992] extended it to generators of the form:
  X_i = P(X_{i-n}, …, X_{i-1}) (mod m)
  P – polynomial of fixed degree in n variables.
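Slides 7–9 in executable form, as an added Python example that is not from the talk: the generator is run on constructed toy parameters (a = 33, b = 17, m = 251, seed 5; my choice, small enough to follow by hand), then a, b and m are recovered from nine consecutive full-state outputs using the difference-and-gcd method from the Boyar/Plumstead line of work, and the next output is predicted. `lcg_period` is included for the slide-8 bound that the period never exceeds m. All function names are mine; the recovery helper returns None rather than parameters that fail to regenerate the observed run.

```python
from math import gcd
from functools import reduce

# Constructed toy parameters (assumption, not from the slides): a small prime
# modulus so that every step of the recovery can be checked by hand.
A, B, M, SEED = 33, 17, 251, 5


def lcg_stream(seed, a, b, m, count):
    """Return the first `count` outputs X_1..X_count of X_{n+1} = (a*X_n + b) mod m."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out


def lcg_period(seed, a, b, m):
    """Length of the cycle reached from `seed`; it can never exceed m (slide 8)."""
    seen = {}
    x, i = seed, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + b) % m
        i += 1
    return i - seen[x]


def recover_lcg(xs):
    """Recover (a, b, m) from consecutive full-state outputs xs = [X_0, X_1, ...].

    With t_i = X_{i+1} - X_i we have t_{i+1} = a*t_i (mod m), so each
    t_{i+2}*t_i - t_{i+1}^2 is a multiple of m and the gcd of several of them
    exposes m. Then a = t_1 / t_0 (mod m) and b follows from X_1 = a*X_0 + b.
    Returns None if the recovered parameters do not reproduce the sequence.
    """
    if len(xs) < 5:
        return None
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    multiples = [abs(t[i + 2] * t[i] - t[i + 1] ** 2) for i in range(len(t) - 2)]
    m = reduce(gcd, multiples)
    if m <= 1:
        return None
    try:
        a = (t[1] * pow(t[0], -1, m)) % m   # needs gcd(t_0, m) == 1
    except ValueError:
        return None
    b = (xs[1] - a * xs[0]) % m
    # Sanity check: the recovered generator must regenerate the observed run.
    if lcg_stream(xs[0], a, b, m, len(xs) - 1) != xs[1:]:
        return None
    return a, b, m


def predict_next(xs):
    """Predict X_{k+1} from observed X_0..X_k, or None if recovery fails."""
    params = recover_lcg(xs)
    if params is None:
        return None
    a, b, m = params
    return (a * xs[-1] + b) % m


if __name__ == "__main__":
    observed = [SEED] + lcg_stream(SEED, A, B, M, 8)
    print("observed:", observed)
    print("recovered (a, b, m):", recover_lcg(observed))
    print("predicted next:", predict_next(observed),
          "actual:", lcg_stream(SEED, A, B, M, 9)[-1])
    print("period from seed:", lcg_period(SEED, A, B, M), "<= m =", M)
```

The difference trick needs the raw state X_n, which is the same assumption the slide lists for Boyar's algorithm; generators that output only part of the state (or hash it, as Catalina does later in the talk) are not recovered this way.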

Page 10: BBS – Blum, Blum, Shub

• p, q – large prime numbers, congruent to 3 modulo 4.
• m = p*q
• k – relatively prime to m
• Set X_0 = k^2 mod m [X_0 – seed]
• X_{n+1} = X_n^2 mod m
• least-significant-bit(X_{n+1}) is the (n+1)-th pseudo-random bit

Page 11: Blum-Blum-Shub Properties

• Cryptographically strong!
• As long as the factoring problem remains hard, the (n+1)-th bit is not predictable.
• This is true even if n is published (as long as the X_n are kept secret).
• Slow ..
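Slides 10–11 as an added Python example (my code, not the author's): a toy BBS instance with constructed parameters p = 11, q = 23, k = 3 (so m = 253), the parameter checks the definition requires, and a `bbs_state_at` helper showing the trapdoor side of the unpredictability claim: whoever knows p and q can jump straight to X_i through lambda(m) = lcm(p-1, q-1), which is precisely the shortcut that anyone without the factorization lacks. The primality test is trial division, adequate only for these toy sizes.

```python
from math import gcd


def _is_prime(n):
    """Trial division; fine for the toy sizes used here (demo only)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def bbs_bits(p, q, k, count):
    """Blum-Blum-Shub bits as defined on slide 10.

    p, q: primes congruent to 3 mod 4; k: seed, coprime to m = p*q.
    X_0 = k^2 mod m, X_{n+1} = X_n^2 mod m; bit n+1 is lsb(X_{n+1}).
    """
    for prime in (p, q):
        if not _is_prime(prime) or prime % 4 != 3:
            raise ValueError(f"{prime} must be a prime congruent to 3 mod 4")
    m = p * q
    if gcd(k, m) != 1:
        raise ValueError("seed must be relatively prime to m")
    x = (k * k) % m
    bits = []
    for _ in range(count):
        x = (x * x) % m
        bits.append(x & 1)
    return bits


def bbs_state_at(p, q, k, i):
    """Jump straight to X_i using the factorization of m (the trapdoor).

    Because k is coprime to m, X_i = X_0^(2^i) = X_0^(2^i mod lambda(m)) mod m,
    with lambda(m) = lcm(p-1, q-1). Without p and q this shortcut is unavailable.
    """
    m = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    x0 = (k * k) % m
    return pow(x0, pow(2, i, lam), m)


def bits_to_int(bits):
    """Pack a bit list (most significant first) into an integer."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


if __name__ == "__main__":
    # Constructed toy instance (assumption): p = 11, q = 23, k = 3, m = 253.
    stream = bbs_bits(11, 23, 3, 8)
    print("first 8 BBS bits:", stream, "=", bits_to_int(stream))
    print("X_3 via trapdoor jump:", bbs_state_at(11, 23, 3, 3))
```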

Page 12: Other PRNGs

• MT – Mersenne Twister (cycle = 2^19937 - 1)
• ANSI X9.17 – based on triple-DES
• Capstone/Fortezza
• DSA (Digital Signature Specification)
• Yarrow-160
• Fortuna
• And many others

Page 13: Physical (True?) RNG

• Radioactive decay
• Air turbulence in disk drives
• Lava lamp, e.g., http://www.lavarnd.org
• http://www.random.org
• Intel i8xx chipset

Page 14: Example – Java Object.toString()

    public String toString() {
        return getClass().getName() + "@" + Integer.toHexString(hashCode());
    }

Example:
    <class name>@3179c3

Page 15: Java Object.hashCode()

From the JavaDoc:
• "As much as is reasonably practical, the hashCode method defined by class Object does return distinct integers for distinct objects. (This is typically implemented by converting the internal address of the object into an integer, but this implementation technique is not required by the Java™ programming language.)"

Page 16: hashCode() implementation ..

    void os::init_random(long initval) {
      _rand_seed = initval;
    }

    long os::random() {
      /* standard, well-known linear congruential random generator with
       * next_rand = (16807*seed) mod (2**31-1)
       * see
       * (1) "Random Number Generators: Good Ones Are Hard to Find",
       *     S.K. Park and K.W. Miller, Communications of the ACM 31:10 (Oct 1988),
       * (2) "Two Fast Implementations of the 'Minimal Standard' Random
       *     Number Generator", David G. Carta, Comm. ACM 33, 1 (Jan 1990), pp. 87-88.
       */
      const long a = 16807;
      const long m = 2147483647;
      const long q = m / a; assert(q == 127773, "weird math");
      const long r = m % a; assert(r == 2836, "weird math");

      // compute az=2^31p+q
      unsigned long lo = a * (long)(_rand_seed & 0xFFFF);
      unsigned long hi = a * (long)((unsigned long)_rand_seed >> 16);
      lo += (hi & 0x7FFF) << 16;

      // if q overflowed, ignore the overflow and increment q
      if (lo > m) {
        lo &= m;
        ++lo;
      }
      lo += hi >> 15;

      // if (p+q) overflowed, ignore the overflow and increment (p+q)
      if (lo > m) {
        lo &= m;
        ++lo;
      }
      return (_rand_seed = lo);
    }

next_rand = (16807*seed) mod (2**31-1)

Page 17: Object.toString()

Actually:
    getClass().getName() + "@" + Integer.toHexString( LCG );

We need to "guess" the order in which objects called toString().
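The os::random() routine of slide 16 transcribed into Python as an added example (the Python names and the class name "SomeClass" are mine, not HotSpot's): Carta's bit trick splits a*seed into 2^31*p + q and folds p back in using 2^31 ≡ 1 (mod m), so no intermediate needs more than 32 bits. `all_match` checks the transcription against the plain (16807*seed) mod (2^31-1) the comment promises, and `java_style_tostring` applies the slide-17 formula to the resulting LCG value.

```python
A = 16807
M = 2147483647  # 2**31 - 1, the Park-Miller modulus from the HotSpot comment


def hotspot_random(seed):
    """Python transcription of HotSpot's os::random() shown on slide 16.

    Writes a*seed as 2^31*p + q and uses 2^31 == 1 (mod m) to fold p back in,
    so the product never needs more than 32 bits (Carta's trick).
    """
    lo = A * (seed & 0xFFFF)
    hi = A * (seed >> 16)
    lo += (hi & 0x7FFF) << 16
    if lo > M:          # q overflowed 31 bits: drop the carry, add it back as 1
        lo &= M
        lo += 1
    lo += hi >> 15
    if lo > M:          # (p + q) overflowed: same correction
        lo &= M
        lo += 1
    return lo


def park_miller(seed):
    """The reference form the comment promises: (16807*seed) mod (2**31-1)."""
    return (A * seed) % M


def all_match(seeds):
    """True if the bit-trick version and the reference formula agree on every seed."""
    return all(hotspot_random(s) == park_miller(s) for s in seeds)


def java_style_tostring(class_name, lcg_value):
    """Slide 17: getClass().getName() + "@" + Integer.toHexString(LCG)."""
    return f"{class_name}@{lcg_value:x}"


if __name__ == "__main__":
    state = 1                      # constructed starting seed
    for _ in range(3):
        state = hotspot_random(state)
        print(java_style_tostring("SomeClass", state))   # "SomeClass" is a made-up name
```

Because the state is the full 31-bit output, each successive hash value is a deterministic function of the previous one, which is the property the next slide's "guess the order" remark relies on.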

Page 18: toString & hashCode remarks

• PRNG used in many protocols & systems
• Documentation may mislead
• Reverse-engineering is important
• Can be used for fingerprinting?

Page 19: Example – HTTP 1.1

• Defined in RFC 2068
• Main e-commerce protocol today
• Stateless!

But we need a state …

Page 20: HTTP Server side

(Diagram: CGI, SOAP, ASP, Java, PHP, layered on HTTP)

Page 21: (figure only; no text recovered)

Page 22: HTTP cookie demo

National car rental

Page 23: Attack motivation

• Can I get someone else's profile in Amazon?
• Can I use the Amazon one-click option to order books for you?
• Can I change your car reservation?

Page 24: Java Servlets

• JCP: Servlet 2.4, released 24 November, 2003
• Java Session Framework
• Must use: jsessionid as parameter (URL or cookie)

Implementation
• Apache Tomcat (25% market share, Apr-2003)
  • J2EE 1.4 recommendation + bundled in the SDK!
• Commercial
  • Resin, IBM WebSphere, Oracle

Page 25: Catalina

• Java Apache web server = Tomcat
• Tomcat Servlet Engine = Catalina
• Version 5.0.xx (November 2003)

Page 26: Tomcat – Brute Force

• Session id – 16 bytes = 128 bits
• Brute-force attack: 2^128 options
• Very, very long
  • 10^22 CPU years ..

Page 27: Tomcat SessionID Attack

Open source … Good. And bad ..

Page 28: Catalina – new SessionID

1. 128 bits = RandomEngine.Get next random bits
2. Hash bits = MD5(Bits)
3. Sessionid = Bits ASCII representation

Page 29: Catalina Algorithm

Seed initialization
• C = current time in milliseconds (64 bit)
• Ent = Entropy (default: toString() of org.apache.catalina.StandardManager)
• Seed = f(C, Ent)
• Random.setSeed(Seed)

Or – open /dev/urandom if it exists

Page 30: Catalina Attack

• Get a valid session ID
• Reverse ASCII back to bit representation
• Check the session id against all possible seeds
• A < 2^40 attack when assuming the server uptime is at most one year
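Slides 28–30 modelled in Python as an added example (my code, not Tomcat's): session IDs are built as 128 bits → MD5 → hex exactly as slide 28 lists. The weak path seeds a minimal reproduction of java.util.Random (the LCG slide 8 mentions; only next(bits) and nextBytes are reproduced) from the clock plus a fixed string, where `weak_seed` is a stand-in for the unknown f(C, Ent) and the default entropy string is a constructed value in the toString() shape of slide 29. The corrected path draws the bits from os.urandom, i.e. slide 29's /dev/urandom alternative, and `seed_space_bits` gives the log2 size of the timestamp search space that slide 30 bounds by 2^40.

```python
import hashlib
import os


class JavaRandom:
    """Minimal java.util.Random: the 48-bit LCG behind setSeed/next(bits).

    Constants are the documented ones (0x5DEECE66D, 0xB); only the pieces
    needed to draw bytes are reproduced here.
    """
    MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1

    def __init__(self, seed):
        self.state = (seed ^ self.MULT) & self.MASK

    def next(self, bits):
        self.state = (self.state * self.MULT + self.ADD) & self.MASK
        return self.state >> (48 - bits)

    def next_bytes(self, n):
        out = bytearray()
        while len(out) < n:
            word = self.next(32)
            for _ in range(4):
                if len(out) == n:
                    break
                out.append(word & 0xFF)
                word >>= 8
        return bytes(out)


def weak_seed(time_ms, entropy):
    """Stand-in for Seed = f(C, Ent) on slide 29 (assumption: the real f is not on the slides)."""
    digest = hashlib.md5(f"{time_ms}:{entropy}".encode()).digest()
    return int.from_bytes(digest[:6], "big")      # 48 bits, the width the LCG keeps


def session_id_from_bits(random_bytes):
    """Slide 28: 128 random bits -> MD5 -> ASCII (hex) session id."""
    assert len(random_bytes) == 16
    return hashlib.md5(random_bytes).hexdigest()


def weak_session_id(time_ms, entropy="org.apache.catalina.StandardManager@1a2b3c"):
    """Clock + fixed string seed: the same inputs always yield the same id.

    The default entropy string is a constructed value shaped like the
    toString() output slide 29 describes, not one taken from a real server.
    """
    rng = JavaRandom(weak_seed(time_ms, entropy))
    return session_id_from_bits(rng.next_bytes(16))


def strong_session_id():
    """Slide 29's alternative: take the 128 bits from the OS (/dev/urandom)."""
    return session_id_from_bits(os.urandom(16))


def seed_space_bits(uptime_seconds):
    """Bits needed to enumerate every millisecond start time over the uptime.

    If the start time is the only unknown in the seed, this is the size of
    the search slide 30 describes; one year comes to well under 2^40.
    """
    return (uptime_seconds * 1000).bit_length()


if __name__ == "__main__":
    t = 1_070_000_000_000                      # constructed start time (ms)
    print(weak_session_id(t))
    print(weak_session_id(t))                  # identical: the seed fixes the id
    print(strong_session_id())
    print("one year of uptime: < 2^%d timestamps" % seed_space_bits(365 * 86400))
```

The hashing in step 2 hides the LCG state from anyone who only sees IDs, which is why the slide-30 approach works on the seed rather than on the output stream; the defence on slide 29 is to make that seed unguessable by taking it from the OS entropy source.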

Page 31: Catalina Attack – Remarks

• Once broken, we can get all valid session-ids immediately!
• The server does not know about it!!
• The attack is valid until the next reset.
• This is a non-targeted attack.

Page 32: Additional Security Steps ..

Page 33: Projects & Research

Attacking existing PRNG-based schemes. Examples:
• HTTP servers – PHP, Apache, ASP
• Linux kernel based PRNG
• SSL (?)
• …

Building better theoretical understanding

Preliminary reading list: http://www.cs.huji.ac.il/~zvikag

Contact: zvikag@cs.huji.ac.il