Analysis of a strong Random Number Generator
- Type
- Video
- Tags
- cryptography
- Authors
- Thomas Biege
- Event
- Chaos Communication Congress 23th (23C3) 2006
- Indexed on
- Mar 27, 2013
- URL
- http://dewy.fem.tu-ilmenau.de/CCC/23C3/video/23C3-1420-en-strong_random_number_generator.m4v
- File name
- 23C3-1420-en-strong_random_number_generator.m4v
- File size
- 670.6 MB
- MD5
- af7d6dd2e178a8c0a07c97aae47f31e8
- SHA1
- dd9af8833893f690c42a96c00b7494bceca66cdc
This paper (and slides) will descibe the inner workings of the the random number generator (/dev/{u}random) of Linux. Additionally some possible security flaws are shown (entropy overestimation, zero'izing the pool, etc.) Almost all cryptographic protocols depend on random (unpredictable) values to create keys, cookies, tokens, initialisation vectors, and so on. The Linux (as well as other Unix flavours) kernel provides a character device as a source for randomness. This device represents the essential part needed by various cryptographic protocol implementations for a secure operation (conditional security), therefore it needs special attention from security experts. This paper will give an extract of results taken from analysing the input sources used by Linux' PRNG implementation. The statistical entropy of each source and of the whole pool is calculated to get a better picture of the entropy quality during the boot--process and to spot entropy overestimation by the kernel. Observation taken by process show a repeating behaviour for different system startups. This can be used by an attacker to create profiles and to simulate a more complex system. Even observations of the events generated by the block-device show timing patterns between different boot--sequences. To dispel doubts of developers to add untrusted sources, two kinds of untrusted sources, low-quality and malicious source, were examined. It will be shown that low--quality sources are not able to reduce the entropy in the pool that already exists but can lead to an overestimation. A more dangerous situation exists with the presence of a malicious source which is theoretically able to led the mixing algorithm produce a stream of zeros. The goal of this work is not to show a practical attack against the random device but to provide more transparency and to ease further analysis.
About us
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Statistics
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.
Contribute
To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
