Issues of Random Numbers and Cryptography
Dr. Suzanne Buchele
Uses of Random Numbers in Cryptography
There are many uses of random numbers in cryptography:
- session keys
- one-time pad
- nonces in authentication protocols to prevent replay
- public key generation
In all cases it is critical that these values be:
- statistically random, uniform distribution, independent
- unpredictable: future values cannot be deduced from previous values
Care must be taken when generating random numbers!
Why is Randomness an Issue?
Examples of problems with “randomness”:
- Example: typing “random” keys at a keyboard
  - People tend to type characters near the center of the keyboard
  - People tend to alternate left and right hands when typing “randomly”
  - People tend to not repeat any characters in a row
  - Other patterns
Why is this an issue?
- If you can guess a random number (by reducing the keyspace to search), you may be guessing:
  - A cryptographic key
  - A “seed” from which you can deduce cryptographic keys
Types of Random Numbers used in Cryptography
Pseudorandom Numbers
- A deterministic algorithm is used to produce a single number, or a sequence of numbers, that has randomized properties
- Usually takes as input a seed
- Not random – completely deterministic
  - The same algorithm using the same seed will always produce the same output “random” numbers
True Random Numbers
- Random numbers that come from a source that is really, or is effectively, random
- Examples: electrical activity, system clock, thermal noise
Pseudorandom Numbers
- Pseudorandom numbers are what are typically used in computer systems
- Are created by Pseudorandom Number Generators (PRNGs)
  - Deterministic algorithm
  - Many different algorithms possible; some better than others
  - Input to the algorithm is a “seed”, itself a “random” number (huh?)
  - Output is either a fixed-length (PRF – Pseudorandom Function) or open-ended (PRNG) sequence of pseudorandom numbers
Problems with Pseudorandom Numbers and Cryptography
- Problem: they are deterministic
  - If the seed is guessed, then the entire sequence of pseudorandom numbers is compromised
- Imagine a KDC that is using a pseudorandom number generator to create session keys
  - If the seed is compromised, then all session keys are compromised!
- Risk management…
  - The consequences are catastrophic
  - Therefore, this is a potential target for attackers that have time and resources at their disposal
  - Therefore, we need to pay attention to this risk
PseudoRandom Number Generator Requirements
Randomness
- Uniformity: No matter where you are in the generation of a pseudorandom sequence of bits, for the next bit the probability of 0 and the probability of 1 should be essentially the same (and equal to 0.5)
- Scalability: Any small or large subsequence drawn from the entire pseudorandom sequence should be “random”
- Consistency: The PRNG should behave similarly randomly across most starting values of seeds
PseudoRandom Number Generator Requirements (cont)
Unpredictability
- Forward Unpredictability: If the seed is unknown, no matter where you are in the generation of a pseudorandom sequence of bits, you should not be able to deduce upcoming bits from any number (or all) of the preceding bits
- Backward Unpredictability: No matter where you are in the generation of a pseudorandom sequence of bits, you should not be able to deduce the seed from any knowledge of the generated bits
PseudoRandom Number Generator Requirements (cont)
- A good pseudorandom number generator should produce bits that pass statistical tests of randomness
- NIST and ICSA both have suites of tests that can be run, for example:
  - Frequency test – the total number of 1’s and 0’s should be approximately the same. Checked against expected random properties using statistical tests.
  - Runs test – counts the uninterrupted sequences of identical bits bounded before and after by a bit of the opposite value. For various lengths of runs, the count is checked against the expected number of such sequences in a truly random sequence using statistical tests.
  - Pattern checking – searches are performed, looking for certain numbers and patterns, or any relationship between the ordering of bits
- ICSA = International Computer Security Organization – started as a consortium, now is a division of Verizon
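The frequency and runs tests described above, written out as an added example (not from the slides) using the NIST SP 800-22 formulas, and run over both OS randomness and the low-order bit of a textbook LCG. The LCG constants are the sample rand() parameters from the C standard and are an assumption of this example, not values from the slides.

```python
import math
import os

def monobit_p(bits):
    """NIST SP 800-22 frequency (monobit) test. Returns the p-value for the
    hypothesis that 1s and 0s are equally frequent; conventionally the test
    passes when p >= 0.01."""
    s_obs = abs(sum(2 * b - 1 for b in bits)) / math.sqrt(len(bits))
    return math.erfc(s_obs / math.sqrt(2))

def runs_p(bits):
    """NIST SP 800-22 runs test. Counts the runs (maximal blocks of identical
    bits) and returns the p-value against the count a random sequence with the
    same proportion of 1s would show. Returns 0.0 when the sequence is already
    too unbalanced for the runs test to be meaningful."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(bits[k] != bits[k + 1] for k in range(n - 1))
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)

def bits_of(data):
    """Unpack bytes into a list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def lcg_low_bits(count, a=1103515245, c=12345, m=2**31, x=1):
    """Lowest-order bit of each output of an LCG with a power-of-two modulus
    (assumed parameters: the sample rand() constants from the C standard).
    With a and c odd this bit simply alternates 0,1,0,1,... so it is perfectly
    balanced yet has far too many runs."""
    out = []
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x & 1)
    return out

if __name__ == "__main__":
    for name, bits in [("os.urandom", bits_of(os.urandom(1000))),
                       ("LCG low bit", lcg_low_bits(8000))]:
        print(f"{name:12s} monobit p={monobit_p(bits):.3f}  runs p={runs_p(bits):.3g}")
```

The LCG's low bit passes the frequency test but fails the runs test, which is why a suite of tests, not a single one, is needed.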
PseudoRandom Number Generator Requirements (cont)
In addition, a good pseudorandom number generator used to produce cryptographic keys should be produced using known best practices, for example:
- The entire key should be produced from random data
  - Not just a part of it that is then somehow expanded
- The seed used for the PRNG should be unpredictable
  - Preferably generated using a TRNG
- The PRNG algorithm used should be cryptographically secure
  - Although all PRNG algorithms have their advantages and disadvantages
PRNG Algorithms
- Recall all PRNG algorithms are deterministic
  - Given the same seed, will always produce the same “random” numbers
- Common algorithms:
  - Linear Congruential Method
  - Fibonacci method
  - Blum Blum Shub Generator
  - Symmetric block cipher methods
Linear Congruential Method
- A common iterative technique using a recurrence relation of the form:
  X_{n+1} = (a X_n + c) mod m
- Given suitable values of the parameters a, c, and m, can produce a long random-like sequence
- Criteria to choose the parameters include:
  - generated sequence should appear random
  - function generates a full period
  - efficient implementation with 32-bit or 64-bit arithmetic
- Drawback: an attacker can reconstruct the sequence given a small number of values
Linear Congruential Method (cont)
X_{n+1} = (a X_n + c) mod m
- E.g. for a = c = 7, m = 10, and X_0 = 7, the sequence is: 7, 6, 9, 0, 7, 6, 9, 0, 7, 6, 9, 0, ...
- Linear congruential sequences always get into a repeating cycle, called a period
  - In this example the period is of length 4
- The period cannot have more than m elements
  - Therefore, we want to choose m large
  - m often chosen to be (close to) the largest representable integer of the system (e.g. 2^32 or 2^64 or 2^32 – 1 or
- Mathematical analysis is used to determine good values for a, c, X_0, with constraints of efficiency
  - E.g. if c = 0 the algorithm is faster, but the period tends to be shorter
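An added example (not from the slides) that reproduces the slide's a = c = 7, m = 10 sequence, measures the period directly, and adds a full-period test based on the Hull-Dobell theorem, which the slides do not mention. The m = 16 parameter sets and the 2^32 Numerical Recipes constants used in the checks are assumptions chosen for the demo.

```python
from math import gcd

def lcg(a, c, m, x0, count):
    """Return X_0 .. X_{count-1} of the recurrence X_{n+1} = (a*X_n + c) mod m."""
    seq, x = [x0], x0
    for _ in range(count - 1):
        x = (a * x + c) % m
        seq.append(x)
    return seq

def period(a, c, m, x0):
    """Length of the cycle the sequence eventually enters. It must enter one,
    because there are only m possible states, so the period is at most m."""
    seen, x, i = {}, x0, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for demo-sized m)."""
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors

def full_period(a, c, m):
    """Hull-Dobell theorem (not on the slide): the LCG has period exactly m for
    every X_0 iff gcd(c, m) = 1, every prime factor of m divides a-1, and
    4 divides a-1 whenever 4 divides m. Note that c = 0 can never satisfy this,
    which is the slide's 'c = 0 is faster but the period tends to be shorter'."""
    return (gcd(c, m) == 1
            and all((a - 1) % p == 0 for p in prime_factors(m))
            and (m % 4 != 0 or (a - 1) % 4 == 0))

if __name__ == "__main__":
    print(lcg(7, 7, 10, 7, 12), "period", period(7, 7, 10, 7))     # slide's example
    print("m=16 a=5 c=3: full period?", full_period(5, 3, 16), period(5, 3, 16, 7))
    print("m=16 a=5 c=0: full period?", full_period(5, 0, 16), period(5, 0, 16, 7))
    print("Numerical Recipes 2^32 LCG full period?", full_period(1664525, 1013904223, 2**32))
```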
Fibonacci or other Linear Recurrence Relation Methods
- Fibonacci Sequence: X_{n+1} = (X_n + X_{n-1}) mod m
  - Can be used to generate random numbers
  - Period length is often greater than m!
  - Generated sequences have been proven to be not statistically random, however
- Other general linear recurrence relations, e.g.: X_{n+1} = (X_{n-j} + X_{n-k}) mod m
  - For some values of j and k, performs well statistically
- Drawback: an attacker can reconstruct the sequence given a small number of values
Blum Blum Shub Generator
- Based on public key algorithms
- Performs integer computation, and then uses the least significant bit from each result of the iterative equation:
  x_i = x_{i-1}^2 mod n
  where n = p*q, and the primes p and q both equal 3 mod 4 (have a remainder of 3 when divided by 4)
- Security rests on the difficulty of factoring n, as in public key cryptography
- Has the strongest proof of its cryptographic strength of any PRNG algorithm
  - passes the next-bit test
- Drawback: slow, because very large numbers must be used
  - too slow for cipher use, but o.k. for key or seed generation
- Next-bit test: there is no polynomial-time algorithm that can predict with a probability greater than ½ what the next bit will be, no matter how many previous bits are given
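The BBS iteration as an added example (not from the slides), including the p, q ≡ 3 mod 4 check. The values p = 11, q = 23 and seed 3 are toy parameters assumed for the demo; they are small enough to count how few states the generator cycles through, which is why real use needs primes of hundreds of digits.

```python
from math import gcd

def bbs_bits(p, q, seed, count):
    """Blum Blum Shub: iterate x_i = x_{i-1}^2 mod n with n = p*q and emit the
    least significant bit of each x_i, starting from x_0 = seed^2 mod n.
    Enforces the slide's precondition (p, q both 3 mod 4) and the usual
    requirement that the seed be coprime to n. p and q must be prime; the
    toy values used here are far too small for real use."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to n")
    x = pow(seed, 2, n)              # x_0
    bits = []
    for _ in range(count):
        bits.append(x & 1)           # least significant bit is the output
        x = pow(x, 2, n)             # x_i = x_{i-1}^2 mod n
    return bits

def state_period(p, q, seed):
    """Length of the cycle of x values. For toy parameters this is tiny,
    which shows why n must be enormous in practice."""
    n = p * q
    seen, x, i = {}, pow(seed, 2, n), 0
    while x not in seen:
        seen[x] = i
        x = pow(x, 2, n)
        i += 1
    return i - seen[x]

if __name__ == "__main__":
    print("bits:", bbs_bits(11, 23, 3, 16))
    print("state period for n = 11*23:", state_period(11, 23, 3))
```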
Using Symmetric Block Ciphers as PRNGs
- For cryptographic applications, can use a block cipher to generate random numbers
  - The purpose of block ciphers is to randomize input bits!
  - Often for creating session keys from a master key
- Two modes:
  - CTR: X_i = E_K[V_i]
  - OFB: X_i = E_K[X_{i-1}]
- In both CTR and OFB, the seed consists of two parts: the encryption key value and a value V that will be updated after each block of pseudorandom numbers is generated.
  - In the CTR case, the value of V is incremented by 1 after each encryption.
  - In the case of OFB, the value of V is updated to equal the value of the preceding PRNG block.
- In both cases, pseudorandom bits are produced one block at a time (128-bit blocks for AES-128, or 64-bit blocks for DES, etc.)
Another Block Cipher PRNG: ANSI X9.17 PRNG
- Uses three 3DES modules
- Inputs:
  - Two DES keys, the same for all three 3DES units and for each stage of the algorithm
  - Representation of the current date/time, DT_i
  - Seed value V_i (updated throughout)
- Output:
  - A 64-bit pseudorandom number, and
  - The next seed value V_{i+1}
- Considered one of the cryptographically strongest PRNGs
True Random Number Generators
- A TRNG is a non-deterministic method to produce random values
- Typically uses unpredictable natural processes such as thermal or radiation sources
- Examples:
  - Forcing computer flip-flops into a metastable state in which their behavior cannot be predicted, and then measuring whether they switch to 0 or 1 (handout)
  - Using a light-saturated CCD camera as a chaotic source
  - Using a sound digitizer with no input sound, measuring the noise (take the lower bits)
  - Using fluctuations in the rotational speed of disk drives, chaotic due to small fluctuations in air turbulence
  - Mouse movement, current processor characteristics, etc.
TRNGs (cont)
- TRNGs use real natural processes, since the best source is natural randomness in the real world
- Idea: find a regular but random event and monitor it
  - generally need special hardware to do this
  - e.g. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, etc.
  - Such hardware exists in some new CPUs
- Can have problems of bias or uneven distribution in the signal
  - have to compensate for this when you sample, often by passing bits through a hash function
  - best to only use the few noisiest bits from each sample (e.g. the low-order bits)
- RFC 4086 recommends using multiple sources + hash
  - RFC = Request For Comments
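An added example (not from the slides) of the bias-compensation steps on this slide: keep only the low-order bit of each reading, estimate how much entropy a reading carries, pool two sources, and hash enough readings per output block that the output never claims more entropy than the source supplied. The biased source is a constructed software stand-in for a noisy sampler, not real hardware, and its 70% skew is an assumption of the demo.

```python
import hashlib
import math
import random

def biased_source(n_samples, seed):
    """Constructed stand-in for a noisy hardware sampler (not a real TRNG): 8-bit
    readings whose high bits sit at a fixed DC offset and whose low-order bit
    carries the noise, skewed so that it reads 1 about 70% of the time.
    The seed only makes the demo repeatable."""
    rng = random.Random(seed)
    return [0xC0 | int(rng.random() < 0.7) for _ in range(n_samples)]

def low_bits(samples, k=1):
    """Keep only the k noisiest (lowest-order) bits of each reading."""
    mask = (1 << k) - 1
    return [s & mask for s in samples]

def ones_fraction(bits):
    return sum(bits) / len(bits)

def min_entropy_per_sample(bits):
    """Min-entropy (bits per reading) of a biased bit source, estimated from the
    observed bias. The estimate is only as good as this model of the source."""
    p = max(ones_fraction(bits), 1 - ones_fraction(bits))
    return -math.log2(p)

def condition(samples, entropy_per_sample, out_block_bits=256):
    """Compensate for bias by hashing: gather enough raw readings that they carry
    at least out_block_bits of min-entropy, hash them with SHA-256, and emit the
    digest bits. Each output block comes from fresh readings, so the output never
    exceeds the entropy budget of the input. Leftover readings are dropped."""
    if entropy_per_sample <= 0:
        raise ValueError("source shows no entropy; refusing to emit random bits")
    per_block = math.ceil(out_block_bits / entropy_per_sample)
    out = []
    for i in range(0, len(samples) - per_block + 1, per_block):
        digest = hashlib.sha256(bytes(samples[i:i + per_block])).digest()
        out.extend((b >> j) & 1 for b in digest for j in range(8))
    return out

if __name__ == "__main__":
    raw = biased_source(2048, seed=1) + biased_source(2048, seed=2)   # two pooled sources
    noisy = low_bits(raw)
    print("raw low-bit ones fraction:", round(ones_fraction(noisy), 3))
    out = condition(raw, min_entropy_per_sample(noisy))
    print(len(out), "conditioned bits, ones fraction:", round(ones_fraction(out), 3))
```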
TRNGs and PRNGs
- Often a TRNG will be used to supply a seed for a PRNG.
- If a TRNG is available, why not use it instead of a PRNG?
  - Good PRNGs are “provably random”, especially if given a random key
  - TRNGs are often slow, especially if passed through a deskewing or other algorithm to remove possible bias
- Ideal compromise – use a TRNG to generate a small random seed for a good PRNG