An Analysis of Openssl's Random Number Generator Eurocrypt 2016
An Analysis of OpenSSL’s Random Number Generator Eurocrypt 2016
Falko Strenzke
cryptosource GmbH, Darmstadt [email protected]
c Falko Strenzke, cryptosource GmbH 2016
September 14, 2016
An Analysis of OpenSSL’s RNG Falko Strenzke 1 / 34 Pseudo Random Number Generation
Software-based RNG’s use pseudo random number generators (PRNGs) but are not PRNGs
RAND add (buffer, estimated entopy)
RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output
An Analysis of OpenSSL’s RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation
Software-based RNG’s use pseudo random number generators (PRNGs) but are not PRNGs
seed
RAND add (buffer, estimated entopy)
RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output
An Analysis of OpenSSL’s RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation
Software-based RNG’s use pseudo random number generators (PRNGs) but are not PRNGs
seed
RAND add (buffer, estimated entopy)
RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output
An Analysis of OpenSSL’s RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation
Software-based RNG’s use pseudo random number generators (PRNGs) but are not PRNGs
seed
RAND add (buffer, estimated entopy)
RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output
An Analysis of OpenSSL’s RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation
Software-based RNG’s use pseudo random number generators (PRNGs) but are not PRNGs
seed
RAND add (buffer, estimated entopy)
RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output
An Analysis of OpenSSL’s RNG Falko Strenzke 2 / 34 Random Number Generation in Cryptographic Libraries
t
application seed random numbers (file)
OpenSSL RNG
seed
OS RNG
entropy source entropy source entropy source
An Analysis of OpenSSL’s RNG Falko Strenzke 3 / 34 Security Notions for RNGs
forward security t
recover output state compromise
backward security t
recover state compromise output
don’t leak any information about state in output
An Analysis of OpenSSL’s RNG Falko Strenzke 4 / 34 Security Notions for RNGs
forward security t
recover output state compromise
backward security t
recover state compromise output
don’t leak any information about state in output
An Analysis of OpenSSL’s RNG Falko Strenzke 4 / 34 Security Notions for RNGs
forward security t
recover output state compromise
backward security t
recover state compromise output
don’t leak any information about state in output
An Analysis of OpenSSL’s RNG Falko Strenzke 4 / 34 Low Entropy Secret Leakage
An Analysis of OpenSSL’s RNG Falko Strenzke 5 / 34 Seeding by the Application
t
application
RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes()
OpenSSL RNG
H < 256 bit H ≥ 256 bit
An Analysis of OpenSSL’s RNG Falko Strenzke 6 / 34 Seeding by the Application
t
application
RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes()
OpenSSL RNG
H < 256 bit H ≥ 256 bit
An Analysis of OpenSSL’s RNG Falko Strenzke 6 / 34 Seeding by the Application
t
application
RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes()
OpenSSL RNG
H < 256 bit H ≥ 256 bit
An Analysis of OpenSSL’s RNG Falko Strenzke 6 / 34 Seeding by the Application
t
application
RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes()
OpenSSL RNG
H < 256 bit H ≥ 256 bit
An Analysis of OpenSSL’s RNG Falko Strenzke 6 / 34 Seeding by the Application
t
application
RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes()
OpenSSL RNG
H < 256 bit H ≥ 256 bit
An Analysis of OpenSSL’s RNG Falko Strenzke 6 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States
t
attacker
25 brute force 2 guesses RNG output, nonce recover secret seed application
secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG
H = 10 bits H = 25 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 7 / 34 Potentially Leaked Secrets
RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output
An Analysis of OpenSSL’s RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets
RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output
An Analysis of OpenSSL’s RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets
RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output
An Analysis of OpenSSL’s RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets
RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output
An Analysis of OpenSSL’s RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets
RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output
An Analysis of OpenSSL’s RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets
RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output
An Analysis of OpenSSL’s RNG Falko Strenzke 8 / 34 Core Cryptographic Function of OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 9 / 34 Core Cryptographic Function of OpenSSL’s RNG
custom design c 1998
An Analysis of OpenSSL’s RNG Falko Strenzke 10 / 34 Core Cryptographic Function of OpenSSL’s RNG
custom design c 1998
An Analysis of OpenSSL’s RNG Falko Strenzke 10 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL’s RNG
160 bits 80 bits
b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1
s0 ... s2 s3 s4 ...
RAND add RAND bytes
160 md ignoring: counters, PID bits RAND add, RAND bytes
1023 state bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 11 / 34 Output Entropy Limitation Vulnerabilities
An Analysis of OpenSSL’s RNG Falko Strenzke 12 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
b0 b1 b2 b3 md md md / 0 00 0 SHA1 SHA1 0 0 160 SHA1 SHA1
s0 s1 s2 s3
RAND add RAND add
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 13 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 ELO240
80 bits output 240 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes 160 bits 80 bits 160 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 256 bits H = 0
1023 bytes state bytes
output production H = 160 bits
An Analysis of OpenSSL’s RNG Falko Strenzke 14 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Life cycle
RAND pseudo bytes unseeded RAND bytes
RAND add, seed entropy = 256 bits
RAND add, seed stirring on first call seeded with low entropy to RAND bytes
compromise
falsely seeded
RAND add, seed entropy = 256 bits
should not reseeded stirring never done exist
An Analysis of OpenSSL’s RNG Falko Strenzke 15 / 34 Reseeded State in Practice
t
application seed random numbers (file)
OpenSSLreseeded RNG
seed
falsely seeded OS RNG
entropy source entropy source entropy source
An Analysis of OpenSSL’s RNG Falko Strenzke 16 / 34 Reseeded State in Practice
t
application seed random numbers (file)
OpenSSLreseeded RNG
seed
falsely seeded OS RNG
entropy source entropy source entropy source
An Analysis of OpenSSL’s RNG Falko Strenzke 16 / 34 Reseeded State in Practice
t
application seed random numbers (file)
OpenSSLreseeded RNG
seed
falsely seeded OS RNG
entropy source entropy source entropy source
An Analysis of OpenSSL’s RNG Falko Strenzke 16 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 ELO160 / ELO80 in State reseeded
80 bits output 80 bits to attacker of entropy
b0 b1 r0 r1 ... md md md md X ... 0 00 2 1 SHA1 SHA1 0 0 SHA1 SHA1
s0 s1 s3 s4 ...
RAND add RAND bytes H = 0 bits 160 bits 80 bits
initial seed dummy add “stirring operation” (prior to first output production with RAND bytes) H = 0 bits H = 0
1023 bytes state bytes
high entropy output production H = 0 bits seeding reseeded falsely seeded
An Analysis of OpenSSL’s RNG Falko Strenzke 17 / 34 Attacks so far
ELO-240: purely cosmetic ELO-160: not exploitable ELO-80: only predict output from same call to RAND bytes can we do better? ≈ 280 and more realistic conditions?
An Analysis of OpenSSL’s RNG Falko Strenzke 18 / 34 Attacks so far
ELO-240: purely cosmetic ELO-160: not exploitable ELO-80: only predict output from same call to RAND bytes can we do better? ≈ 280 and more realistic conditions?
An Analysis of OpenSSL’s RNG Falko Strenzke 18 / 34 Attacks so far
ELO-240: purely cosmetic ELO-160: not exploitable ELO-80: only predict output from same call to RAND bytes can we do better? ≈ 280 and more realistic conditions?
An Analysis of OpenSSL’s RNG Falko Strenzke 18 / 34 Attacks so far
ELO-240: purely cosmetic ELO-160: not exploitable ELO-80: only predict output from same call to RAND bytes can we do better? ≈ 280 and more realistic conditions?
An Analysis of OpenSSL’s RNG Falko Strenzke 18 / 34 State Recovery Attacks
An Analysis of OpenSSL’s RNG Falko Strenzke 19 / 34 State Recovery Attack: DEJA-STATE
RNG in low entropy state high entropy reseeding in reseeded state goal: recover RNG state after reseeding
reseed RAND bytes 320 bits
H = 0
RAND bytes
attacker
An Analysis of OpenSSL’s RNG Falko Strenzke 20 / 34 State Recovery Attack: DEJA-STATE
RNG in low entropy state high entropy reseeding in reseeded state goal: recover RNG state after reseeding
reseed RAND bytes 320 bits
H = 0
RAND bytes
attacker
An Analysis of OpenSSL’s RNG Falko Strenzke 20 / 34 State Recovery Attack: DEJA-STATE
RNG in low entropy state high entropy reseeding in reseeded state goal: recover RNG state after reseeding
reseed RAND bytes 320 bits
H = 0
RAND bytes
attacker
An Analysis of OpenSSL’s RNG Falko Strenzke 20 / 34 State Recovery Attack: DEJA-STATE
RNG in low entropy state high entropy reseeding in reseeded state goal: recover RNG state after reseeding
reseed RAND bytes 320 bits
H = 0
RAND bytes
attacker
An Analysis of OpenSSL’s RNG Falko Strenzke 20 / 34 State Recovery Attack: DEJA-STATE
RNG in low entropy state high entropy reseeding in reseeded state goal: recover RNG state after reseeding
reseed RAND bytes 320 bits
H = 0
RAND bytes
attacker
An Analysis of OpenSSL’s RNG Falko Strenzke 20 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
use for matching, guess other half – use for completely 80 one collision ... 2 possibilities matching known on average
r0 r1 ... r3 r4 ... md md md md md md X 6 5 4 2 1 0 SHA1 SHA1 ... SHA1 SHA1 ...
s1 s2 ... s4 s5 ...
80 bits iterate through unknown 280 guesses reseed 320 bits
H = 0
RAND bytes
An Analysis of OpenSSL’s RNG Falko Strenzke 21 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 State Recovery Attack: DEJA-STATE
state bytes recovered now: recovery of md after the seeding revisit the attacked seeding:
b0 b1
md at end of md md reseeding, 0 00 SHA1 SHA1 0 0 known from difference
0 0 s0 s1
s0 s1
known prior to reseeding known from attack
An Analysis of OpenSSL’s RNG Falko Strenzke 22 / 34 Dealing with Non-Zero Initial Entropy
Strategies to deal with non-zero initial entropy determine state prior to seeding from output determine additional entropy during the recovery of md computational effort 280+x
An Analysis of OpenSSL’s RNG Falko Strenzke 23 / 34 Dealing with Non-Zero Initial Entropy
Strategies to deal with non-zero initial entropy determine state prior to seeding from output determine additional entropy during the recovery of md computational effort 280+x
An Analysis of OpenSSL’s RNG Falko Strenzke 23 / 34 Dealing with Non-Zero Initial Entropy
Strategies to deal with non-zero initial entropy determine state prior to seeding from output determine additional entropy during the recovery of md computational effort 280+x
An Analysis of OpenSSL’s RNG Falko Strenzke 23 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-STATE
state after reseeding completely recovered condition: attacker receives longer portion of output at specific offset after reseeding effort for a 320-bit seed: 284 hash evaluations (some tens of bytes in each hash invocation) also possible for seed not a multiple of 80 bits 280 considered “light-weight security” ≈ RSA-1024 PRESENT light-weight block cipher for RFID applications must be feared to be breakable within a decade (?) will incur considerable costs for a long time
An Analysis of OpenSSL’s RNG Falko Strenzke 24 / 34 State Recovery Attack: DEJA-SEED
similar attack, recover also the seed
const/ 80 bits known entropy
b0, 160 bits b1, 80 bits md md 0 00 SHA1 SHA1 0 0
s0 s1
synching to md like in DEJA-STATE then iterate through the possible seed values
An Analysis of OpenSSL’s RNG Falko Strenzke 25 / 34 State Recovery Attack: DEJA-SEED
similar attack, recover also the seed
const/ 80 bits known entropy
b0, 160 bits b1, 80 bits md md 0 00 SHA1 SHA1 0 0
s0 s1
synching to md like in DEJA-STATE then iterate through the possible seed values
An Analysis of OpenSSL’s RNG Falko Strenzke 25 / 34 State Recovery Attack: DEJA-SEED
similar attack, recover also the seed
const/ 80 bits known entropy
b0, 160 bits b1, 80 bits md md 0 00 SHA1 SHA1 0 0
s0 s1
synching to md like in DEJA-STATE then iterate through the possible seed values
An Analysis of OpenSSL’s RNG Falko Strenzke 25 / 34 Forward Security of Seed Data
An Analysis of OpenSSL’s RNG Falko Strenzke 26 / 34 Forward Security of Seed Data
forward security of seed data not a recognized notion OpenSSL’s RNG: even high entropy seed data potentially recoverable block-wise hashing in RAND add is a mistake correct: hashing state together with new input always inefficient for large RNG states
An Analysis of OpenSSL’s RNG Falko Strenzke 27 / 34 Forward Security of Seed Data
forward security of seed data not a recognized notion OpenSSL’s RNG: even high entropy seed data potentially recoverable block-wise hashing in RAND add is a mistake correct: hashing state together with new input always inefficient for large RNG states
An Analysis of OpenSSL’s RNG Falko Strenzke 27 / 34 Forward Security of Seed Data
forward security of seed data not a recognized notion OpenSSL’s RNG: even high entropy seed data potentially recoverable block-wise hashing in RAND add is a mistake correct: hashing state together with new input always inefficient for large RNG states
An Analysis of OpenSSL’s RNG Falko Strenzke 27 / 34 Forward Security of Seed Data
forward security of seed data not a recognized notion OpenSSL’s RNG: even high entropy seed data potentially recoverable block-wise hashing in RAND add is a mistake correct: hashing state together with new input always inefficient for large RNG states
An Analysis of OpenSSL’s RNG Falko Strenzke 27 / 34 Forward Security of Seed Data
forward security of seed data not a recognized notion OpenSSL’s RNG: even high entropy seed data potentially recoverable block-wise hashing in RAND add is a mistake correct: hashing state together with new input always inefficient for large RNG states
An Analysis of OpenSSL’s RNG Falko Strenzke 27 / 34 Theoretical Considerations
An Analysis of OpenSSL’s RNG Falko Strenzke 28 / 34 Notion of Mixing Function
H(f (I , S)) ≥ H(S) and H(f (I , S) ≥ H(I )
input I , state S RAND add fulfills this notion formally but not effectively only useful if whole state is used in output production in a symmetric way need definition which considers entropy of subsequent output instead of that of the state
An Analysis of OpenSSL’s RNG Falko Strenzke 29 / 34 Notion of Mixing Function
H(f (I , S)) ≥ H(S) and H(f (I , S) ≥ H(I )
input I , state S RAND add fulfills this notion formally but not effectively only useful if whole state is used in output production in a symmetric way need definition which considers entropy of subsequent output instead of that of the state
An Analysis of OpenSSL’s RNG Falko Strenzke 29 / 34 Notion of Mixing Function
H(f (I , S)) ≥ H(S) and H(f (I , S) ≥ H(I )
input I , state S RAND add fulfills this notion formally but not effectively only useful if whole state is used in output production in a symmetric way need definition which considers entropy of subsequent output instead of that of the state
An Analysis of OpenSSL’s RNG Falko Strenzke 29 / 34 Notion of Mixing Function
H(f (I , S)) ≥ H(S) and H(f (I , S) ≥ H(I )
input I , state S RAND add fulfills this notion formally but not effectively only useful if whole state is used in output production in a symmetric way need definition which considers entropy of subsequent output instead of that of the state
An Analysis of OpenSSL’s RNG Falko Strenzke 29 / 34 Notion of Mixing Function
H(f (I , S)) ≥ H(S) and H(f (I , S) ≥ H(I )
input I , state S RAND add fulfills this notion formally but not effectively only useful if whole state is used in output production in a symmetric way need definition which considers entropy of subsequent output instead of that of the state
An Analysis of OpenSSL’s RNG Falko Strenzke 29 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Formal Vulnerabilities of OpenSSL’s RNG
impaired forward security
t
recover DEJA-SEED, DEJA-STATE, reseeding output or state compromise
backward security not attempted by RNG itself but when attempted by application, suffers from our attacks
t
recover state compromise reseeding output DEJA-SEED, DEJA-STATE
new notion: forward security of seed data not achieved by OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 30 / 34 Repairing OpenSSL’s RNG
An Analysis of OpenSSL’s RNG Falko Strenzke 31 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Repairing the RNG
RAND pseudo bytes must use different state (LESLI) use cipher-based generator approved and efficients designs exist e.g. AES / counter mode generators as realized in the FIPS version of the library! more efficient than hash-based, due to hardware support ad-hoc repair increase the “entropy flow” beyond 160 bits remove the leakage of half of md forward security of seed-data cannot be efficiently addressed so far no repair in OpenSSL secure wrapper functions (→ paper) Note: the forks LibreSSL and BoringSSL are even worse
An Analysis of OpenSSL’s RNG Falko Strenzke 32 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Conclusion
multiple design errors in OpenSSL’s RNG LESLI ELO240,ELO160,ELO80 DEJA-STATE, DEJA-SEED effort around 280 hash evaluations impact attacks highly application specific relevant for embedded systems theoretic insights applicability of the notion of mixing function forward security of seed data repairs suggested
An Analysis of OpenSSL’s RNG Falko Strenzke 33 / 34 Thank you!
An Analysis of OpenSSL’s RNG Falko Strenzke 34 / 34