Presentation is loading. Please wait.

Presentation is loading. Please wait.

Session ID: Session Classification: Kai Michaelis, Chris Meyer, Jörg Schwenk Horst Görtz Institute for IT-Security (HGI) Chair for Network and Data Security.

Published byClarence Townsend Modified over 9 years ago

Similar presentations

Presentation on theme: "Session ID: Session Classification: Kai Michaelis, Chris Meyer, Jörg Schwenk Horst Görtz Institute for IT-Security (HGI) Chair for Network and Data Security."— Presentation transcript:

1 Session ID: Session Classification: Kai Michaelis, Chris Meyer, Jörg Schwenk Horst Görtz Institute for IT-Security (HGI) Chair for Network and Data Security Ruhr-University Bochum, Germany CRYP-W25 Advanced Randomly Failed! The State of Randomness in Current Java Implementations

2 How Random are Java PRNGs? Source: http://www.xkcd.com

3 Spoiler Slide Source: http://www.memegenerator.net ► At least, thankfully not! ► Inspected PRNGs ► Apache Harmony ► GNU Classpath ► OpenJDK ► The Legion of Bouncy Castle ► Methodology ► Code/algorithm inspection ► Blackbox Tests (Dieharder, STS, …) ► Broad range of code/algorithm quality ► The good ► The bad ► And the ugly

4 Operation Sketch of a PRNG Seeding (normally invoked only once) Random number Generating pseudo-random numbers (invoked multiple times) Focus of inspection

5 ► PRNG ► SHA-1 based algorithm: Seed, Counter, Internal State ► Backup seeding facility (Entropy Collector) ► (under Unix): Unix-Time, Processor Time, Pointer value (Heap) ► Weaknesses ► Self-seeding SecureRandom suffers from implementation bug ► Pointer into state buffer not properly adjusted ► Entropy reduced to 64 bits ► Directly affects the Android platform ► Backup seeding facility (Entropy Collector) suffers from multiple implementation bugs ► MSB set to 0 (reason for this remains unclear) ► Inappropriate modular reduction (signed/unsigned integers) ► Entropy reduced to 31 bits (worst case) Results: Apache Harmony

6 Quality of Entropy Collector ► Worst-Case scenario ► 2 consecutive bytes mark a single point ► 10 MiB generated Seed

7 ► PRNG ► SHA-1 based algorithm: Seed, Internal State ► Backup seeding facility (Entropy Collector) ► 8 Threads increment independent counters (c1..c8) ► Seed = c1 XOR c2 XOR …. c8 ► Weaknesses ► Repeated use of same IV ► Predictable internal states: only 20 of 32 bytes unknown ► Backup seeding facility (Entropy Collector) can be influenced ► High load prevents threads execution Results:GNU Classpath

8 Quality of Entropy Collector ► Worst-Case scenario ► 2 consecutive bytes mark a single point ► 10 MiB generated Seed

9 ► PRNG ► SHA-1 based algorithm: Seed, Internal State, Fixed-state protection ► Backup seeding facility (Entropy Collector) ► Counter incrementation, System.properties ► Noise threads (keep the scheduler busy) ► S-Boxing counter ► Enforcing mandatory runtime and counter incrementation ► Slow…. ► Weaknesses ► No obvious weakness Results: OpenJDK

10 ► PRNG ► Multiple SecureRandom replacements ► SHA-1 based algorithm: Seed, Internal State, Counter ► VMPC based algorithm ► Backup seeding facility (Entropy Collector) ► Counter incrementation ► Producer and Consumer Threads ► Slow and fast operation mode ► Weaknesses ► VMPC known to be vulnerable to distinguishing attacks Results: Bouncy Castle

11 ► PRNGs are only as good as the seed’s entropy ► Software Entropy Collectors are mostly not suitable for cryptographic purposes ► Broad range of code/algorithm quality ► Fixed & limited size of internal states ► Some implementations are only susceptible to the outlined vulnerabilities if no OS entropy is available Conclusion In critical environments ►Prevent usage of PRNGs ►Exclusively rely on hardware ECs/RNGs

12 Random Questions? Chris Meyer Christopher.meyer@rub.de http://armoredbarista.blogspot.com http://www.nds.rub.de/chair/people/cmeyer Source: http://www.troll.me

Download ppt "Session ID: Session Classification: Kai Michaelis, Chris Meyer, Jörg Schwenk Horst Görtz Institute for IT-Security (HGI) Chair for Network and Data Security."

Similar presentations

Operating Systems Components of OS

Operating Systems Components of OS
Test Yaodong Bi.

Test Yaodong Bi.
9.4 Page Replacement What if there is no free frame?

9.4 Page Replacement What if there is no free frame?
Gone in 360 Seconds: Hijacking with Hitag2

Gone in 360 Seconds: Hijacking with Hitag2
TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.

TIE Extensions for Cryptographic Acceleration Charles-Henri Gros Alan Keefer Ankur Singla.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,

CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2007 Exterminator: Automatically Correcting Memory Errors with High Probability Gene.
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.

Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 15 Implementation Flaws Part 3: Randomness and Timing Issues.
Stream cipher diagram + + Recall: One-time pad in Chap. 2.

Stream cipher diagram + + Recall: One-time pad in Chap. 2.
JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.

JVM-1 Introduction to Java Virtual Machine. JVM-2 Outline Java Language, Java Virtual Machine and Java Platform Organization of Java Virtual Machine Garbage.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.

Wireless Security Issues David E. Hudak, Ph.D. Senior Software Architect Karlnet, Inc.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.

AN INTRODUCTION TO LINUX OPERATING SYSTEM Zihui Han.
Security Testing Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe.

Security Testing Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe.
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.

Secure Embedded Processing through Hardware-assisted Run-time Monitoring Zubin Kumar.
Security and Random Number Generators

Security and Random Number Generators

Similar presentations

Ads by Google