Issues of Random Numbers and Cryptography

Issues of Random Numbers and Cryptography Dr. Suzanne Buchele

Uses of Random Numbers in Cryptography
- There are many uses of random numbers in cryptography:
  - session keys
  - one-time pad
  - nonces in authentication protocols to prevent replay
  - public key generation
- In all cases it is critical that these values be:
  - statistically random: uniform distribution, independent
  - unpredictable: future values cannot be predicted from previous values
- Care must be taken when generating random numbers!

Why is Randomness an Issue?
- Examples of problems with “randomness”:
  - Example: typing “random” keys at a keyboard
    - People tend to type characters near the center of the keyboard
    - People tend to alternate left and right hands when typing “randomly”
    - People tend to not repeat any characters in a row
    - Other patterns
- Why is this an issue?
  - If you can guess (by reducing the keyspace to search) a random number, you may be guessing:
    - A cryptographic key
    - A “seed” from which you can deduce cryptographic keys

Types of Random Numbers used in Cryptography
- Pseudo Random Numbers
  - A deterministic algorithm is used to produce a single number or a sequence of numbers that have randomized properties
  - Usually takes as input a seed
  - Not random – completely deterministic
  - The same algorithm using the same seed will always produce the same output “random” numbers
- True Random Numbers
  - Random numbers that come from a source that is really, or is effectively, random
  - Examples: electrical activity, system clock, thermal noise

Pseudorandom Numbers
- Pseudorandom numbers are what are typically used in computer systems
- Are created by PseudoRandom Number Generators (PRNGs)
  - Deterministic algorithm
  - Many different algorithms possible
  - Some better than others
- Input to the algorithm is a “seed”
  - Itself a “random” number (huh?)
- Output is either a fixed-length value (PRF – PseudoRandom Function) or an open-ended sequence (PRNG) of pseudo-random numbers.

Problems with Pseudorandom Numbers and Cryptography
- Problem: they are deterministic
  - If the seed is guessed, then the entire sequence of pseudorandom numbers is compromised
  - Imagine a KDC that is using a pseudorandom number generator to create session keys
  - If the seed is compromised, then all session keys are compromised!
- Risk management…
  - The consequences are catastrophic.
  - Therefore, this is a potential target for attackers that have time and resources at their disposal
  - Therefore, we need to pay attention to this risk.

PseudoRandom Number Generator Requirements
- Randomness
  - Uniformity: No matter where you are in the generation of a pseudorandom sequence of bits, for the next bit the probability of 0 and the probability of 1 should be essentially the same (and = 0.5)
  - Scalability: Any small or large subsequence drawn from the entire pseudorandom sequence should be “random”
  - Consistency: The PRNG should behave similarly randomly across most starting values of seeds

PseudoRandom Number Generator Requirements (cont)
- Unpredictability
  - Forward Unpredictability: If the seed is unknown, no matter where you are in the generation of a pseudorandom sequence of bits, you should not be able to deduce upcoming bits from any number (or all) of the preceding bits
  - Backward Unpredictability: No matter where you are in the generation of a pseudorandom sequence of bits, you should not be able to deduce the seed from any knowledge of the generated bits.

PseudoRandom Number Generator Requirements (cont)
- A good pseudorandom number generator should produce bits that pass statistical tests of randomness
- NIST and ICSA both have suites of tests that can be run, for example:
  - Frequency test – the total number of 1’s and 0’s should be approximately the same. Checked against expected random properties using statistical tests.
  - Runs test – the total number of uninterrupted sequences of identical bits bounded before and after with a bit of the opposite value. For various lengths of runs, checked against the expected number of such sequences in a truly random sequence using statistical tests
  - Pattern checking – searches are performed, looking for certain numbers and patterns, or any relationship between ordering of bits
- ICSA = International Computer Security Organization – started as a consortium, now is a division of Verizon
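
The frequency and runs tests described above, as an added example that is not part of the original slides. It follows the frequency (monobit) and runs test definitions from the NIST suite with the customary significance level of 0.01; the bit strings in SAMPLES are constructed for illustration.

```python
import math

ALPHA = 0.01  # significance level: a P-value below this fails the test

def frequency_test(bits):
    """Frequency (monobit) test: are ones and zeros about equally common?"""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)          # +1 per one, -1 per zero
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))

def runs_test(bits):
    """Runs test: is the total number of runs what a random source gives?"""
    n = len(bits)
    pi = sum(bits) / n                             # proportion of ones
    # Prerequisite: the sequence must first look balanced, else fail outright.
    if pi in (0.0, 1.0) or abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)

def to_bits(text):
    return [int(ch) for ch in text]

def assess(bits):
    """Return pass/fail per test for one bit sequence."""
    return {"frequency": frequency_test(bits) >= ALPHA,
            "runs": runs_test(bits) >= ALPHA}

# Constructed inputs: each one defeats a different check.
SAMPLES = {
    "alternating": to_bits("01" * 50),             # balanced, far too many runs
    "biased": to_bits("1" * 80 + "0" * 20),        # 80% ones
}

if __name__ == "__main__":
    for name, bits in SAMPLES.items():
        print(name, assess(bits))
```

The alternating sequence passes the frequency test with a P-value of 1.0 and still fails the runs test, which is why a generator is judged against the whole suite rather than one test.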

PseudoRandom Number Generator Requirements (cont)
- In addition, a good pseudorandom number generator used to produce cryptographic keys should be produced using known best practices, for example:
  - The entire key should be produced from random data
    - Not just a part of it that is then somehow expanded
  - The seed used for the PRNG should be unpredictable
    - Preferably using a TRNG
  - The PRNG algorithm used should be cryptographically secure
    - Although all PRNG algorithms have their advantages and disadvantages

PRNG Algorithms
- Recall all PRNG algorithms are deterministic
  - Given the same seed, will always produce the same “random” numbers
- Common algorithms:
  - Linear Congruential Method
  - Fibonacci method
  - Blum Blum Shub Generator
  - Symmetric Block cipher methods

Linear Congruential Method
- A common iterative technique using a recurrence relation of the form: $X_{n+1} = (aX_n + c) \bmod m$
- Given suitable values of the parameters a, c, and m, can produce a long random-like sequence
- Criteria to choose the parameters include:
  - generated sequence should appear random
  - function generates a full period
  - efficient implementation with 32-bit or 64-bit arithmetic
- Drawback: an attacker can reconstruct the sequence given a small number of values

Linear Congruential Method (cont)
- $X_{n+1} = (aX_n + c) \bmod m$
- E.g. for a = c = 7, m = 10, and $X_0 = 7$, the sequence is: 7, 6, 9, 0, 7, 6, 9, 0, 7, 6, 9, 0, ...
- Linear congruential sequences always get into a repeating cycle, called a period
  - In this example the period is of length 4
  - The period cannot have more than m elements
  - Therefore, we want to choose m large
- m is often chosen to be (close to) the largest representable integer of the system (e.g. $2^{32}$ or $2^{64}$ or $2^{32} - 1$ or $2^{63} - 3$)
- Mathematical analysis is used to determine good values for a, c, $X_0$, with constraints of efficiency
  - E.g. if c = 0 the algorithm is faster, but the period tends to be shorter
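
The period of the slide's example and the "full period" criterion, as an added example that is not part of the original slides. The full-period check applies the Hull-Dobell theorem, which goes beyond what the slide states; the second parameter set (a = 5, c = 3, m = 16) is constructed for illustration.

```python
from itertools import islice
from math import gcd

def lcg(a, c, m, x0):
    """Yield X0, X1, ... with X_{n+1} = (a*X_n + c) mod m."""
    x = x0
    while True:
        yield x
        x = (a * x + c) % m

def period(a, c, m, x0):
    """Length of the cycle the sequence eventually falls into."""
    seen = {}
    for i, x in enumerate(lcg(a, c, m, x0)):
        if x in seen:
            return i - seen[x]
        seen[x] = i

def prime_factors(n):
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors

def has_full_period(a, c, m):
    """Hull-Dobell: the period equals m for every seed iff all three hold."""
    return (gcd(c, m) == 1                                    # c, m coprime
            and all((a - 1) % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))

def low_bits(a, c, m, x0, k):
    """Least significant bit of the first k outputs."""
    return [x & 1 for x in islice(lcg(a, c, m, x0), k)]

if __name__ == "__main__":
    print(list(islice(lcg(7, 7, 10, 7), 8)), period(7, 7, 10, 7))
    print(has_full_period(7, 7, 10), has_full_period(5, 3, 16))
    print(low_bits(5, 3, 16, 0, 8))   # full period, yet the low bit alternates
```

A full period is necessary but says nothing about quality: with a power-of-two modulus the low-order bit of this full-period generator simply alternates.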

Fibonacci or other Linear Recurrence Relation Methods
- Fibonacci Sequence: $X_{n+1} = (X_n + X_{n-1}) \bmod m$
  - Can be used to generate random numbers
  - Period length is often greater than m!
  - Generated sequences have been proven to be not statistically random, however
- Other general linear recurrence relations, e.g.: $X_{n+1} = (X_{n-j} + X_{n-k}) \bmod m$
  - For some values of j and k, performs well statistically
- Drawback: an attacker can reconstruct the sequence given a small number of values

Blum Blum Shub Generator
- Based on public key algorithms
- Performs integer computation, and then uses the least significant bit from each result of the iterative equation: $x_i = x_{i-1}^2 \bmod n$
  - where n = p*q, and the primes p and q both equal 3 mod 4 (have a remainder of 3 when divided by 4)
- Security rests on the difficulty of factoring n, as in public key cryptography
- Has the strongest proof of its cryptographic strength of any PRNG algorithm
  - passes the next-bit test
- Drawback: slow, because very large numbers must be used
  - too slow for cipher use, but o.k. for key or seed generation
- Next-bit test: there is no polynomial-time algorithm that can predict with a probability greater than ½ what the next bit will be, no matter how many previous bits are given
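
The iteration above in code, as an added example that is not part of the original slides. The class name and the choice to start from the square of the seed are assumptions of this sketch, and the primes 11 and 23 are constructed toy values that are far too small to give any security.

```python
from math import gcd

class BlumBlumShub:
    """x_i = x_{i-1}^2 mod n, emitting the least significant bit of each x_i."""

    def __init__(self, p, q, seed):
        # The caller must supply primes; only the congruence is checked here.
        if p == q or p % 4 != 3 or q % 4 != 3:
            raise ValueError("p and q must be distinct and both equal 3 mod 4")
        self.n = p * q
        seed %= self.n
        if seed in (0, 1) or gcd(seed, self.n) != 1:
            raise ValueError("seed must be coprime to n and not 0 or 1")
        # Assumption of this sketch: x_0 is the seed squared, so the state
        # starts out as a quadratic residue mod n.
        self.x = pow(seed, 2, self.n)

    def next_bit(self):
        self.x = pow(self.x, 2, self.n)    # one modular squaring per bit
        return self.x & 1

    def next_bytes(self, count):
        out = bytearray()
        for _ in range(count):
            byte = 0
            for _ in range(8):             # eight squarings per output byte
                byte = (byte << 1) | self.next_bit()
            out.append(byte)
        return bytes(out)

def first_bits(p, q, seed, k):
    gen = BlumBlumShub(p, q, seed)
    return [gen.next_bit() for _ in range(k)]

if __name__ == "__main__":
    # Constructed toy parameters: states 81, 236, 36, 31, 202, 71
    print(first_bits(11, 23, 3, 6))
```

One modular squaring yields one bit, which is the cost the slide refers to when it calls the generator too slow for cipher use.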

Using Symmetric Block Ciphers as PRNGs
- For cryptographic applications, can use a block cipher to generate random numbers
  - The purpose of block ciphers is to randomize input bits!
- Often used for creating session keys from a master key
- Two modes:
  - CTR: $X_i = E_K[V_i]$
  - OFB: $X_i = E_K[X_{i-1}]$
- In both CTR and OFB, the seed consists of two parts: the encryption key value and a value V that will be updated after each block of pseudorandom numbers is generated. In the CTR case, the value of V is incremented by 1 after each encryption. In the case of OFB, the value of V is updated to equal the value of the preceding PRNG block. In both cases, pseudorandom bits are produced one block at a time (128-bit blocks for AES 128, or 64-bit blocks for DES, etc.)

Another Block Cipher PRNG: ANSI X9.17 PRNG
- Uses three 3DES modules
- Inputs:
  - Two DES keys, the same for all three 3DES units and for each stage of the algorithm
  - Representation of the current date/time $DT_i$
  - Seed value $V_i$ (updated throughout)
- Output:
  - A 64-bit pseudorandom number, and
  - The next seed value $V_{i+1}$
- Considered one of the cryptographically strongest PRNGs

True Random Number Generators
- A TRNG is a non-deterministic method to produce random values
- Typically uses unpredictable natural processes such as thermal or radiation sources
- Examples:
  - Forcing computer flip-flops into a metastable state in which their behavior cannot be predicted, and then measuring whether they switch to 0 or 1 (handout)
  - Using a light-saturated CCD camera as a chaotic source
  - Using a sound digitizer with no input sound, measuring the noise (take lower bits)
  - Using fluctuations in the rotational speed of disk drives, chaotic due to small fluctuations in air turbulence
  - Mouse movement, current processor characteristics, etc.

TRNGs (cont)
- TRNGs use real natural processes, since the best source is natural randomness in the real world
- Idea: find a regular but random event and monitor it
  - generally need special hardware to do this
  - e.g. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, etc.
  - Such hardware exists in some new CPUs
- Can have problems of bias or uneven distribution in the signal
  - have to compensate for this when you sample, often by passing bits through a hash function
  - best to only use a few of the noisiest bits from each sample (e.g. the low-order bits)
  - RFC 4086 recommends using multiple sources + hash
- RFC = Request For Comments
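
Keeping only the low-order bit, removing bias, and hashing several sources together, as an added example that is not part of the original slides. The von Neumann deskew step and SHA-256 as the mixing hash are choices made for this sketch, the function names are hypothetical, and NOISY_SAMPLES is a constructed stand-in for digitizer readings whose low bit is 1 about 80% of the time.

```python
import hashlib
import random

def low_bits(samples):
    """Keep only the noisiest (least significant) bit of each sample."""
    return [s & 1 for s in samples]

def von_neumann(bits):
    """Deskew: read bits in pairs, 01 -> 0, 10 -> 1, drop 00 and 11.
    Removes bias only if the input bits are independent of each other."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def pack(bits):
    """Pack bits MSB-first into bytes, dropping a trailing partial byte."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, usable, 8))

def mix_sources(*sources):
    """Hash several byte strings into one 32-byte seed. Each source is
    length-prefixed so that source boundaries cannot be confused."""
    h = hashlib.sha256()
    for src in sources:
        h.update(len(src).to_bytes(8, "big"))
        h.update(src)
    return h.digest()

def ones_fraction(bits):
    return sum(bits) / len(bits)

# Constructed sample data (not real hardware output): a fixed-seed generator
# stands in for a noisy digitizer so that the example is repeatable.
_rng = random.Random(1)
NOISY_SAMPLES = [512 + (_rng.random() < 0.8) for _ in range(20000)]

if __name__ == "__main__":
    raw = low_bits(NOISY_SAMPLES)
    clean = von_neumann(raw)
    print("raw ones fraction:     %.3f" % ones_fraction(raw))
    print("deskewed ones fraction: %.3f (%d bits kept)"
          % (ones_fraction(clean), len(clean)))
    # b"second-source" is a placeholder for an independent second source.
    print(mix_sources(pack(clean), b"second-source").hex())
```

Deskewing discards most of the input, which is one reason the slides that follow treat a TRNG as a seed source for a PRNG rather than as the bulk generator.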

TRNGs and PRNGs
- Often a TRNG will be used to supply a seed for a PRNG.
- If a TRNG is available, why not use it instead of a PRNG?
  - Good PRNGs are “provably random”, especially if given a random key
  - TRNGs are often slow, especially if their output is passed through a deskewing or other algorithm to remove possible bias
- Ideal compromise – use a TRNG to generate a small random seed for a good PRNG