Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

What is a Pseudo Random Number Generator (PRNG)? It is a mechanism for generating numbers on a computer that are indistinguishable from truly random numbers. Many applications don't have a source of truly random bits; instead they use PRNGs to generate these numbers. It is called pseudo random because it is not possible to generate truly random numbers from a deterministic device like a computer.

Why Study PRNGs? They are used everywhere in cryptography. Random numbers are used in session keys, public key generation, initialization vectors and many other places. The PRNG is a single point of failure for many real-world cryptosystems: if the random numbers are insecure then the entire application is insecure. Many systems use badly-designed PRNGs, or use them in ways that make various attacks easier than they need to be.

Characteristics of good PRNGs?
Should generate on average as many 1's as 0's.
Should be random enough to hide patterns and correlations.
Should have a large period.
Should not produce preferred strings.
Knowledge of some outputs should not help predict past or future outputs.

PRNG Model. Collect: collect unpredictable inputs; the inputs are collected in a "seed pool". State (secret state): after collecting sufficient seed data, move to a stable state. Generate: generate random outputs by performing various operations on the seed data.

RSA PRNG. To generate a bit stream of size l:
Choose two prime numbers p = 11 and q = 19 (n = p*q = 209).
m = (p-1)(q-1) (m = 180).
Choose e such that gcd(e, m) is 1 (e = 7).
Select X0 (seed) such that 1 < X0 < n (let X0 = 72).
For i = 1 to l do: Xi = (Xi-1)^e mod n; Zi = least significant bit of Xi.
X1 = 72^7 mod 209 = 184, Z1 = 0. X2 = 200, Z2 = 0. X3 = 205, Z3 = …
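The slide's RSA PRNG is easy to run end to end. The block below is an added example, not code from the presentation: it implements the generator exactly as stated (X_i = X_{i-1}^e mod n, Z_i = LSB of X_i) with the slide's toy parameters, and adds two checks against the "good PRNG" criteria from the earlier slide, the period of the state sequence and the 0/1 balance of the output bits. The helper names are my own.

```python
from math import gcd


def rsa_prng(p, q, e, seed, length):
    """RSA PRNG from the slide: X_i = X_{i-1}^e mod n, Z_i = LSB(X_i).
    Returns (states, bits) for i = 1 .. length."""
    n = p * q
    m = (p - 1) * (q - 1)
    if gcd(e, m) != 1:                     # slide: choose e with gcd(e, m) = 1
        raise ValueError("e must be coprime to (p-1)(q-1)")
    if not 1 < seed < n:                   # slide: 1 < X0 < n
        raise ValueError("seed must satisfy 1 < X0 < n")
    states, bits = [], []
    x = seed
    for _ in range(length):
        x = pow(x, e, n)                   # X_i = X_{i-1}^e mod n
        states.append(x)
        bits.append(x & 1)                 # Z_i = least significant bit of X_i
    return states, bits


def state_period(p, q, e, seed):
    """Steps until the state sequence returns to the seed. Because gcd(e, m) = 1,
    x -> x^e mod n is a permutation of Z_n, so the seed is always revisited."""
    n = p * q
    x = pow(seed, e, n)
    steps = 1
    while x != seed:
        x = pow(x, e, n)
        steps += 1
    return steps


def ones_fraction(bits):
    """Fraction of 1 bits in the output; the first criterion on the
    'good PRNG' slide asks for about 0.5 over long runs."""
    return sum(bits) / len(bits)


if __name__ == "__main__":
    states, bits = rsa_prng(11, 19, 7, 72, 3)
    print("X1..X3 =", states, " Z1..Z3 =", bits)       # [184, 200, 205] [0, 0, 1]
    print("period from X0 = 72:", state_period(11, 19, 7, 72))
    full_states, full_bits = rsa_prng(11, 19, 7, 72, state_period(11, 19, 7, 72))
    print("ones fraction over one full period:", ones_fraction(full_bits))
```

With n = 209 the state returns to 72 after only 12 steps, so the toy parameters fail the "large period" criterion by construction; the generator is only meaningful with a modulus of real RSA size, where both the period and the hardness of recovering X_{i-1} from X_i depend on n being infeasible to factor.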

Classes of Attacks on PRNGs. Direct Attack: when the attacker can directly distinguish between PRNG numbers and random numbers (cryptanalyze the PRNG). Input Based Attack: when the attacker is able to use knowledge of the PRNG's inputs to cryptanalyze the PRNG. State Compromise Extension Attacks: when the attacker can extend an earlier breach of security (a compromised internal state) to learn further information about the PRNG's outputs.

Direct Attacks. When the attacker can directly cryptanalyze the PRNG. Applicable to most PRNGs. They occur when outputs are predictable, biased, or have definite patterns and correlations. Not applicable when the attacker is not able to see the output of the PRNG directly, e.g. a PRNG used to generate triple-DES keys: here the output of the PRNG is never directly seen by an attacker.

Input Based Attacks. Also called exhaustive seed-search attacks. The attacker uses knowledge of the inputs to cryptanalyze the PRNG output: the attacker finds the seed bytes that initialized the generator. If the attacker can control the inputs, the same input can be used again and again to reproduce the same output forever. There are many poor sources of seed material, such as clock values and network statistics.

State Compromise Attacks. The attacker tries to guess the internal state of the generator. The design criterion is to make the internal state of the PRNG large enough to make exhaustive state search impractical. Backtracking attacks: use the compromise of the PRNG state S to learn all previous PRNG outputs. Permanent compromise attack: once S has been compromised, all future and past outputs of the PRNG are vulnerable. Iterative guessing attacks: use knowledge of the state S that was compromised at time t, together with the intervening PRNG outputs, to guess the state S' at time t+Δ.
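The three state-compromise variants above are easiest to see on a generator whose state update can be run backwards. The block below is an added example, not from the slides: it pairs a toy linear congruential generator, whose update is invertible so that one captured state S gives back every earlier output (backtracking), with a hash-based generator whose state update is one-way and which can be reseeded with fresh entropy, the standard design answer to backtracking, permanent-compromise and iterative-guessing attacks. The LCG constants, the SHA-256 construction and all function names are assumptions for illustration, not any real library's design.

```python
import hashlib

# Toy LCG: x_{n+1} = (A*x_n + C) mod M. A is odd, so it is invertible mod 2^31
# and the state update can be undone (constants chosen for illustration only).
A, C, M = 1103515245, 12345, 2 ** 31
A_INV = pow(A, -1, M)


def lcg_next(x):
    return (A * x + C) % M


def lcg_prev(x):
    """Invert lcg_next: this is what makes backtracking possible."""
    return ((x - C) * A_INV) % M


def lcg_output(x):
    """Output word derived from a state (top bits, as many toy LCGs do)."""
    return x >> 16


def backtrack_lcg(captured_state, k):
    """Given a compromised state S, recover the k outputs that preceded it,
    oldest first. No secret is needed beyond S itself."""
    outs = []
    x = captured_state
    for _ in range(k):
        x = lcg_prev(x)
        outs.append(lcg_output(x))
    return outs[::-1]


class HashGen:
    """Generator with a one-way state update. Each output is H('out'||state)
    and the state is replaced by H('next'||state); inverting SHA-256 is
    infeasible, so a captured state does not reveal earlier outputs, and
    reseeding with entropy the attacker never sees makes later outputs
    unpredictable again, bounding the damage of a compromise."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()

    def output(self) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    def reseed(self, entropy: bytes) -> None:
        self.state = hashlib.sha256(b"reseed" + self.state + entropy).digest()


if __name__ == "__main__":
    # Constructed run: five outputs, then the attacker captures the current state.
    states = [12345]
    for _ in range(5):
        states.append(lcg_next(states[-1]))
    print("recovered:", backtrack_lcg(states[5], 5))
    print("actual:   ", [lcg_output(s) for s in states[:5]])

    victim, attacker = HashGen(b"constructed seed"), HashGen(b"constructed seed")
    print("in sync before reseed:", victim.output() == attacker.output())
    victim.reseed(b"fresh entropy from the OS, unknown to the attacker")
    print("in sync after reseed: ", victim.output() == attacker.output())
```

The LCG half shows why "large state" alone is not enough: the state is 31 bits, but the real weakness is that the transition is a bijection anyone can invert. The HashGen half shows the two properties a state-compromise-resistant design needs, a one-way state transition and periodic reseeding from an entropy source the attacker cannot observe.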

Netscape's Implementation of SSL. SSL protects communications by encrypting messages with a secret key, a large random number known only to the sender and receiver (key size 40 bits). Netscape 1.1 uses the MD5 algorithm, which will presumably be known to any adversary. The seed generated depends only on the values of three quantities: the time of day, the process ID, and the parent process ID. An attacker can easily discover the pid and ppid values using the ps command. All that remains is to guess the time of day. Most popular Ethernet sniffing tools (including tcpdump) record the precise time they see each packet. Using the output from such a program, the attacker can guess the time of day on the system running the Netscape browser to within a second. It was attacked in 30 hours using spare CPU cycles from many machines.
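The Netscape case is the input-based attack from two slides earlier made concrete: the seed depends only on quantities an attacker can observe or narrow down, so the nominal 40-bit key has far fewer than 2^40 possible values. The block below is an added example, not Netscape's code and not from the slides. It models such a seed as MD5 over (seconds, microseconds, pid, ppid), which is an assumption for illustration; the slide only says time of day, pid and ppid. It then computes how large the attacker's remaining search space is under the knowledge the slide describes (pid and ppid known, time known to within a second, leaving the sub-second part unknown), and contrasts it with drawing the key from the operating system's CSPRNG. The function names and the microsecond granularity are assumptions.

```python
import hashlib
import math
import secrets
import struct

KEY_BYTES = 5   # 40-bit key, as stated on the slide


def weak_seed_key(seconds, microseconds, pid, ppid):
    """Hypothetical model of a key derived only from time of day, pid and ppid
    (an assumption for illustration, not Netscape's actual code). Hashing with
    MD5 adds no entropy: the same four inputs always produce the same key."""
    material = struct.pack(">IIII", seconds, microseconds, pid, ppid)
    return hashlib.md5(material).digest()[:KEY_BYTES]


def candidate_keys(time_window_us, pid_candidates, ppid_candidates):
    """Size of the search space an attacker faces given what it already knows.
    The key can take at most as many values as the seed inputs can."""
    return time_window_us * pid_candidates * ppid_candidates


def effective_key_bits(time_window_us, pid_candidates, ppid_candidates):
    """log2 of the candidate count, capped at the nominal key length: the
    key is never stronger than the inputs it was derived from."""
    count = candidate_keys(time_window_us, pid_candidates, ppid_candidates)
    return min(8 * KEY_BYTES, math.log2(count))


def strong_key():
    """Corrected form: draw the key from the OS CSPRNG instead of deriving it
    from guessable process data, so every one of the 2^40 values is possible."""
    return secrets.token_bytes(KEY_BYTES)


if __name__ == "__main__":
    # Constructed scenario from the slide: pid and ppid known via ps, the second
    # known from packet timestamps, only the sub-second part left to search.
    print("nominal key bits:", 8 * KEY_BYTES)
    print("effective key bits:", round(effective_key_bits(1_000_000, 1, 1), 2))
    # Determinism of the weak seed: two runs with equal inputs share a key.
    print(weak_seed_key(800000000, 123456, 4242, 4241).hex(),
          weak_seed_key(800000000, 123456, 4242, 4241).hex())
    print("os-derived key:", strong_key().hex())
```

Under the slide's assumptions the effective strength drops from 40 bits to roughly 20, which is why the search finished in hours on borrowed CPU time rather than requiring 2^40 trials. The fix is not a stronger hash over the same inputs but a seed drawn from a source the attacker cannot observe or enumerate.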

Conclusions. Random numbers are the basis for many cryptographic applications. Attacks on many cryptographic applications are possible through attacks on their PRNGs. There is no reliable "independent" function to generate random numbers. Present-day computers can only approximate random numbers, using pseudo-random numbers generated by Pseudo Random Number Generators.

Questions??