DOCSLIB.ORG

Pseudo Random Number Generators in Programming Languages

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Pseudo Random Number Generators in Programming Languages The Interdisciplinary Center, Herzlia Efi Arazi School of Computer Science Pseudo Random Num- ber Generators in Pro- gramming Languages M.Sc dissertation Submitted by Aviv Sinai Under the supervision of Dr. Zvi Gutterman (CloudShare, HUJI) March, 2011. Acknowledgments First and foremost, I would like to thank my advisor, Dr. Zvi Gutterman, for the time and effort he put into helping me complete this work. I would like to express my deepest gratitude to Asaf Rubin, a friend and co-worker. I’m grateful for his help and time spent assisting me in finishing this work. I would like to also thank Danny Slutsky and Yaniv Meoded, who reviewed early drafts of this work. Special thanks to Dr. Anat Bremler and the IDC M.Sc. CS program office, for their patience and help. Finally, I want to thank my family who gave me the support I needed to invest pre- cious time working to complete this work. i Abstract Software developers frequently encounter the need to integrate random numbers in their systems and applications. Applications and systems that span from implement- ing a new security protocol to implementing a shuffling algorithm in an online poker game. Modern software languages come to their aid by providing them with a rich SDK that contains pseudo random number generation functions for the developer to use without the need to implement their own generators. These functions differ in cryptographic strength and underlying algorithms used. In this thesis we research the implementations of random number generators in popular programming languages. We provide a complete and detailed analysis of the algorithms used, cryptographic strength and capabilities of these generators. Our analysis shows weaknesses in the generators implemented, including a bug in C#’s implementation of the additive feedback generator. In addition we provide a non- trivial attack on the session generation algorithm in PHP that relies on our analysis of PHP’s generator. ii Table of Contents ACKNOWLEDGMENTS ......................................................................................................................... I ABSTRACT ........................................................................................................................................ II TABLE OF CONTENTS ......................................................................................................................... III LIST OF FIGURES ................................................................................................................................ VI 1 INTRODUCTION ............................................................................................................... 2 1.1 CONTRIBUTIONS ............................................................................................................... 2 1.2 STRUCTURE AND OUTLINE .................................................................................................. 3 2 PSEUDO RANDOM NUMBER GENERATORS ..................................................................... 4 2.1 THE IMPORTANCE OF RANDOM NUMBERS ............................................................................. 4 2.2 WHAT IS A GOOD (PSEUDO) RANDOM NUMBER GENERATOR? ................................................. 5 2.3 THEORY VS. PRACTICE ........................................................................................................ 6 2.4 POPULAR PRNGS REVIEW .................................................................................................. 7 2.4.1 Linear Congruential Generator (LCG) .............................................................. 7 2.4.2 Multiplicative Congruential Generator (MRG/MCG/MLCG) ............................ 7 2.4.3 Combined MCG (CMCG/CMLCG) ..................................................................... 8 2.4.4 LFSR (Linear Feedback Shift Register) .............................................................. 8 2.4.5 Lagged Fibonacci Pseudo Random Generators (LFG) ...................................... 9 2.4.6 Generalized Feedback Shift Register (GFSR) .................................................. 10 2.4.7 Twisted Generalized Feedback Shift Register (TGFSR)................................... 10 2.4.8 Mersenne Twister .......................................................................................... 11 2.4.9 Blum Blum Shub (BBS) ................................................................................... 11 2.4.10 PRNGs in Standards ....................................................................................... 11 3 RELATED WORK ............................................................................................................. 13 3.1 THE RANDU PRNG ....................................................................................................... 13 3.2 NETSCAPE SSL ATTACK .................................................................................................... 13 3.3 PREDICTABLE SESSION KEYS IN KERBEROS V4 ....................................................................... 14 3.4 ATTACK ON APACHE TOMCAT’S SESSION ID GENERATION ....................................................... 14 3.5 IDENTICAL NFS FILE HANDLES ........................................................................................... 15 3.6 ONLINE POKER EXPLOIT ................................................................................................... 16 3.7 LINUX RANDOM NUMBER GENERATOR (LRNG) ANALYSIS ...................................................... 17 3.8 WINDOWS RANDOM NUMBER GENERATOR (WRNG) ANALYSIS ............................................. 18 4 ANALYSIS METHODS ..................................................................................................... 20 4.1 NOTATIONS/JARGON ....................................................................................................... 20 4.2 ASSUMPTIONS ................................................................................................................ 20 4.3 COMMON ANALYSIS STRUCTURE ........................................................................................ 20 4.4 ATTACK VECTORS AND ATTACK ASSUMPTIONS ...................................................................... 21 5 C .................................................................................................................................... 22 5.1 INTRODUCTION ............................................................................................................... 22 5.2 MICROSOFT CRT (MSVCRT) GENERATORS......................................................................... 23 5.2.1 (ANSI-C) C Standard Built-in Generators (rand() family) ............................... 23 5.2.2 rand_s() ......................................................................................................... 25 5.3 *NIX GLIBC GENERATORS ................................................................................................. 26 5.3.1 Introduction ................................................................................................... 26 5.3.2 (ANSI-C) C Standard Built-in Generators (rand() family) ............................... 26 5.4 BSD C GENERATORS (RANDOM() FAMILY) ........................................................................... 27 5.4.1 Introduction ................................................................................................... 27 iii 5.4.2 Design Space .................................................................................................. 27 5.4.3 G0: LCG .......................................................................................................... 28 5.4.4 G1-G4: AFG .................................................................................................... 29 5.5 SVID C GENERATORS (RAND48() FAMILY) ........................................................................... 33 5.5.1 Introduction ................................................................................................... 33 5.5.2 Design Space .................................................................................................. 33 5.5.3 Under the Hood ............................................................................................. 33 5.5.4 Properties Analysis ........................................................................................ 35 6 JAVA .............................................................................................................................. 36 6.1 INTRODUCTION ............................................................................................................... 36 6.2 MATH.RANDOM ............................................................................................................. 36 6.2.1 Design Space .................................................................................................. 36 6.3 JAVA.UTIL.RANDOM ........................................................................................................ 36 6.3.1 Design Space .................................................................................................. 36 6.3.2 Under the Hood ............................................................................................. 37 3.6.6 Properties Analysis ........................................................................................ 38 6.4 JAVA.SECURITY.SECURERANDOM ....................................................................................... 40 6.4.1 Introduction ..................................................................................................
Load more

Recommended publications
  • Medtronic Care Management Services, LLC CC FM TLS/SRTP FIPS 140
    Medtronic Care Management Services, LLC CC FM TLS/SRTP FIPS 140‐2 Cryptographic Module Non‐Proprietary Security Policy Version: 1.6 Date: March 16, 2016 Copyright Medtronic Care Management Services 2016 Version 1.6 Page 1 of 14 Medtronic Care Management Services Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1 Introduction .................................................................................................................... 4 1.1 Cryptographic Boundary ..............................................................................................................5 1.2 Mode of Operation .......................................................................................................................5 2 Cryptographic Functionality ............................................................................................. 6 2.1 Critical Security Parameters .........................................................................................................7 2.2 Public Keys ....................................................................................................................................8 3 Roles, Authentication and Services .................................................................................. 8 3.1 Assumption of Roles .....................................................................................................................8 3.2 Services and CSP Access Rights ....................................................................................................8
    [Show full text]
  • A Note on Random Number Generation
    A note on random number generation Christophe Dutang and Diethelm Wuertz September 2009 1 1 INTRODUCTION 2 \Nothing in Nature is random. number generation. By \random numbers", we a thing appears random only through mean random variates of the uniform U(0; 1) the incompleteness of our knowledge." distribution. More complex distributions can Spinoza, Ethics I1. be generated with uniform variates and rejection or inversion methods. Pseudo random number generation aims to seem random whereas quasi random number generation aims to be determin- istic but well equidistributed. 1 Introduction Those familiars with algorithms such as linear congruential generation, Mersenne-Twister type algorithms, and low discrepancy sequences should Random simulation has long been a very popular go directly to the next section. and well studied field of mathematics. There exists a wide range of applications in biology, finance, insurance, physics and many others. So 2.1 Pseudo random generation simulations of random numbers are crucial. In this note, we describe the most random number algorithms At the beginning of the nineties, there was no state-of-the-art algorithms to generate pseudo Let us recall the only things, that are truly ran- random numbers. And the article of Park & dom, are the measurement of physical phenomena Miller (1988) entitled Random generators: good such as thermal noises of semiconductor chips or ones are hard to find is a clear proof. radioactive sources2. Despite this fact, most users thought the rand The only way to simulate some randomness function they used was good, because of a short on computers are carried out by deterministic period and a term to term dependence.
    [Show full text]
  • Package 'Randtoolbox'
    Package ‘randtoolbox’ January 31, 2020 Type Package Title Toolbox for Pseudo and Quasi Random Number Generation and Random Generator Tests Version 1.30.1 Author R port by Yohan Chalabi, Christophe Dutang, Petr Savicky and Di- ethelm Wuertz with some underlying C codes of (i) the SFMT algorithm from M. Mat- sumoto and M. Saito, (ii) the Knuth-TAOCP RNG from D. Knuth. Maintainer Christophe Dutang <[email protected]> Description Provides (1) pseudo random generators - general linear congruential generators, multiple recursive generators and generalized feedback shift register (SF-Mersenne Twister algorithm and WELL generators); (2) quasi random generators - the Torus algorithm, the Sobol sequence, the Halton sequence (including the Van der Corput sequence) and (3) some generator tests - the gap test, the serial test, the poker test. See e.g. Gentle (2003) <doi:10.1007/b97336>. The package can be provided without the rngWELL dependency on demand. Take a look at the Distribution task view of types and tests of random number generators. Version in Memoriam of Diethelm and Barbara Wuertz. Depends rngWELL (>= 0.10-1) License BSD_3_clause + file LICENSE NeedsCompilation yes Repository CRAN Date/Publication 2020-01-31 10:17:00 UTC R topics documented: randtoolbox-package . .2 auxiliary . .3 coll.test . .4 coll.test.sparse . .6 freq.test . .8 gap.test . .9 get.primes . 11 1 2 randtoolbox-package getWELLState . 12 order.test . 12 poker.test . 14 pseudoRNG . 16 quasiRNG . 22 rngWELLScriptR . 26 runifInterface . 27 serial.test . 29 soboltestfunctions . 31 Index 33 randtoolbox-package General remarks on toolbox for pseudo and quasi random number generation Description The randtoolbox-package started in 2007 during an ISFA (France) working group.
    [Show full text]
  • No Random, No Ransom: a Key to Stop Cryptographic Ransomware
    No Random, No Ransom: A Key to Stop Cryptographic Ransomware Ziya Alper Genç, Gabriele Lenzini, and Peter Y.A. Ryan Interdisciplinary Centre for Security Reliability and Trust (SnT) University of Luxembourg Abstract. To be effective, ransomware has to implement strong encryp- tion, and strong encryption in turn requires a good source of random numbers. Without access to true randomness, ransomware relies on the pseudo random number generators that modern Operating Systems make available to applications. With this insight, we propose a strategy to miti- gate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them. Our strategy, tested against 524 active real-world ransomware samples, stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the latest offspring of the family which so far has eluded all defenses. Keywords: ransomware, cryptographic malware, randomness, mitigation. 1 Introduction Ransomware is a malware, a malicious software that blocks access to victim’s data. In contrast to traditional malware, whose break-down is permanent, ransomware’s damage is reversible: access to files can be restored on the payment of a ransom, usually a few hundreds US dollars in virtual coins. Despite being relatively new, this cyber-crime is spreading fast and it is believed to become soon a worldwide pandemic. According to [24], a US Govern- ment’s white paper dated June 2016, on average more than 4,000 ransomware attacks occurred daily in the USA. This is 300-percent increase from the previous year and such important increment is probably due to the cyber-crime’s solid business model: with a small investment there is a considerable pecuniary gain which, thanks to the virtual currency technology, can be collected reliably and in a way that is not traceable by the authorities.
    [Show full text]
  • Cryptanalysis of the Random Number Generator of the Windows Operating System
    Cryptanalysis of the Random Number Generator of the Windows Operating System Leo Dorrendorf School of Engineering and Computer Science The Hebrew University of Jerusalem 91904 Jerusalem, Israel [email protected] Zvi Gutterman Benny Pinkas¤ School of Engineering and Computer Science Department of Computer Science The Hebrew University of Jerusalem University of Haifa 91904 Jerusalem, Israel 31905 Haifa, Israel [email protected] [email protected] November 4, 2007 Abstract The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the ¯rst time, the algorithm used by the pseudo- random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in O(223) work (this is an attack on the forward-security of the generator, an O(1) attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. We also analyzed the way in which the generator is run by the operating system, and found that it ampli¯es the e®ect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges.
    [Show full text]
  • Gretl User's Guide
    Gretl User’s Guide Gnu Regression, Econometrics and Time-series Allin Cottrell Department of Economics Wake Forest university Riccardo “Jack” Lucchetti Dipartimento di Economia Università Politecnica delle Marche December, 2008 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation (see http://www.gnu.org/licenses/fdl.html). Contents 1 Introduction 1 1.1 Features at a glance ......................................... 1 1.2 Acknowledgements ......................................... 1 1.3 Installing the programs ....................................... 2 I Running the program 4 2 Getting started 5 2.1 Let’s run a regression ........................................ 5 2.2 Estimation output .......................................... 7 2.3 The main window menus ...................................... 8 2.4 Keyboard shortcuts ......................................... 11 2.5 The gretl toolbar ........................................... 11 3 Modes of working 13 3.1 Command scripts ........................................... 13 3.2 Saving script objects ......................................... 15 3.3 The gretl console ........................................... 15 3.4 The Session concept ......................................... 16 4 Data files 19 4.1 Native format ............................................. 19 4.2 Other data file formats ....................................... 19 4.3 Binary databases ..........................................
    [Show full text]
  • Scope of Various Random Number Generators in Ant System Approach for Tsp
    AC 2007-458: SCOPE OF VARIOUS RANDOM NUMBER GENERATORS IN ANT SYSTEM APPROACH FOR TSP S.K. Sen, Florida Institute of Technology Syamal K Sen ([email protected]) is currently a professor in the Dept. of Mathematical Sciences, Florida Institute of Technology (FIT), Melbourne, Florida. He did his Ph.D. (Engg.) in Computational Science from the prestigious Indian Institute of Science (IISc), Bangalore, India in 1973 and then continued as a faculty of this institute for 33 years. He was a professor of Supercomputer Computer Education and Research Centre of IISc during 1996-2004 before joining FIT in January 2004. He held a Fulbright Fellowship for senior teachers in 1991 and worked in FIT. He also held faculty positions, on leave from IISc, in several universities around the globe including University of Mauritius (Professor, Maths., 1997-98), Mauritius, Florida Institute of Technology (Visiting Professor, Math. Sciences, 1995-96), Al-Fateh University (Associate Professor, Computer Engg, 1981-83.), Tripoli, Libya, University of the West Indies (Lecturer, Maths., 1975-76), Barbados.. He has published over 130 research articles in refereed international journals such as Nonlinear World, Appl. Maths. and Computation, J. of Math. Analysis and Application, Simulation, Int. J. of Computer Maths., Int. J Systems Sci., IEEE Trans. Computers, Internl. J. Control, Internat. J. Math. & Math. Sci., Matrix & Tensor Qrtly, Acta Applicande Mathematicae, J. Computational and Applied Mathematics, Advances in Modelling and Simulation, Int. J. Engineering Simulation, Neural, Parallel and Scientific Computations, Nonlinear Analysis, Computers and Mathematics with Applications, Mathematical and Computer Modelling, Int. J. Innovative Computing, Information and Control, J. Computational Methods in Sciences and Engineering, and Computers & Mathematics with Applications.
    [Show full text]
  • Gretl 1.6.0 and Its Numerical Accuracy - Technical Supplement
    GRETL 1.6.0 AND ITS NUMERICAL ACCURACY - TECHNICAL SUPPLEMENT A. Talha YALTA and A. Yasemin YALTA∗ Department of Economics, Fordham University, New York 2007-07-13 This supplement provides detailed information regarding both the procedure and the results of our testing GRETL using the univariate summary statistics, analysis of variance, linear regression, and nonlinear least squares benchmarks of the NIST Statis- tical Reference Datasets (StRD), as well as verification of the random number generator and the accuracy of statistical distributions used for calculating critical values. The numbers of accurate digits (NADs) for testing the StRD datasets are also supplied and compared with several commercial packages namely SAS v6.12, SPSS v7.5, S-Plus v4.0, Stata 7, and Gauss for Windows v3.2.37. We did not perform any accuracy tests of the latest versions of these programs and the results that we supply for packages other than GRETL 1.6.0 are those independently verified and published by McCullough (1999a), McCullough and Wilson (2002), and Vinod (2000) previously. Readers are also referred to McCullough (1999b) and Keeling and Pavur (2007), which examine software accuracy and supply the NADS across four and nine software packages at once respectively. Since all these programs perform calculations using 64-bit floating point arithmetic, discrepan- cies in results are caused by differences in algorithms used to perform various statistical operations. 1 Numerical tests of the NIST StRD benchmarks For the StRD reference data sets, NIST provides certified values calculated with multiple precision in 500 digits of accuracy, which were later rounded to 15 significant digits (11 for nonlinear least squares).
    [Show full text]
  • Vulnerabilities of the Linux Random Number Generator
    Black Hat 2006 Open to Attack Vulnerabilities of the Linux Random Number Generator Zvi Gutterman Chief Technology Officer with Benny Pinkas Tzachy Reinman Zvi Gutterman CTO, Safend Previously a chief architect in the IP infrastructure group for ECTEL (NASDAQ:ECTX) and an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology. Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering. - Proprietary & Confidential - Safend Safend is a leading provider of innovative endpoint security solutions that protect against corporate data leakage and penetration via physical and wireless ports. Safend Auditor and Safend Protector deliver complete visibility and granular control over all enterprise endpoints. Safend's robust, ultra- secure solutions are intuitive to manage, almost impossible to circumvent, and guarantee connectivity and productivity, without sacrificing security. For more information, visit www.safend.com. - Proprietary & Confidential - Pseudo-Random-Number-Generator (PRNG) Elementary and critical component in many cryptographic protocols Usually: “… Alice picks key K at random …” In practice looks like random.nextBytes(bytes); session_id = digest.digest(bytes); • Which is equal to session_id = md5(get next 16 random bytes) - Proprietary & Confidential - If the PRNG is predictable the cryptosystem is not secure Demonstrated in - Netscape SSL [GoldbergWagner 96] http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html Apache session-id’s [GuttermanMalkhi 05] http://www.gutterman.net/publications/2005/02/hold_your_sessions_an_attack_o.html - Proprietary & Confidential - General PRNG Scheme 0 0 01 Stateseed 110 100010 Properties: 1. Pseudo-randomness Output bits are indistinguishable from uniform random stream 2.
    [Show full text]
  • 3 Uniform Random Numbers 3 3.1 Random and Pseudo-Random Numbers
    Contents 3 Uniform random numbers 3 3.1 Random and pseudo-random numbers . 3 3.2 States, periods, seeds, and streams . 5 3.3 U(0; 1) random variables . 8 3.4 Inside a random number generator . 10 3.5 Uniformity measures . 12 3.6 Statistical tests of random numbers . 15 3.7 Pairwise independent random numbers . 17 End notes . 18 Exercises . 20 1 2 Contents © Art Owen 2009{2013 do not distribute or post electronically without author's permission 3 Uniform random numbers Monte Carlo methods require a source of randomness. For the convenience of the users, random numbers are delivered as a stream of independent U(0; 1) random variables. As we will see in later chapters, we can generate a vast assortment of random quantities starting with uniform random numbers. In practice, for reasons outlined below, it is usual to use simulated or pseudo- random numbers instead of genuinely random numbers. This chapter looks at how to make good use of random number generators. That begins with selecting a good one. Sometimes it ends there too, but in other cases we need to learn how best to set seeds and organize multiple streams and substreams of random numbers. This chapter also covers quality criteria for ran- dom number generators, briefly discusses the most commonly used algorithms, and points out some numerical issues that can trap the unwary. 3.1 Random and pseudo-random numbers It would be satisfying to generate random numbers from a process that accord- ing to well established understanding of physics is truly random.
    [Show full text]
  • A Recap of Randomness the Mersene Twister Xorshift Linear
    Programmatic Entropy: Exploring the Most Prominent PRNGs Jared Anderson, Evan Bause, Nick Pappas, Joshua Oberlin A Recap of Randomness Random number generating algorithms are rated by two primary measures: entropy - the measure of disorder in the numbers created and period - how long it takes before the PRNG begins to inevitably cycle its pattern. While high entropy and a long period are desirable traits, it is Xorshift sometimes necessary to settle for a less intense method of random Linear Congruential Generators Xorshift random number generators are an extremely fast and number generation to not sacrifice performance of the product the PRNG efficient type of PRNG discovered by George Marsaglia. An xorshift is required for. However, in the real world PRNGs must also be evaluated PRNG works by taking the exclusive or (xor) of a computer word with a for memory footprint, CPU requirements, and speed. shifted version of itself. For a single integer x, an xorshift operation can In this poster we will explore three of the major types of PRNGs, their produce a sequence of 232 - 1 random integers. For a pair of integers x, history, their inner workings, and their uses. y, it can produce a sequence of 264 - 1 random integers. For a triple x, y, z, it can produce a sequence of 296 - 1, and so on. The Mersene Twister The Mersenne Twister is the most widely used general purpose pseudorandom number generator today. A Mersenne prime is a prime number that is one less than a power of two, and in the case of a 19937 mersenne twister, is its chosen period length (most commonly 2 −1).
    [Show full text]
  • 1. Monte Carlo Integration
    1. Monte Carlo integration The most common use for Monte Carlo methods is the evaluation of integrals. This is also the basis of Monte Carlo simulations (which are actually integrations). The basic principles hold true in both cases. 1.1. Basics Basic idea becomes clear from the • “dartboard method” of integrating the area of an irregular domain: Choose points randomly within the rectangular box A # hits inside area = p(hit inside area) Abox # hits inside box as the # hits . ! 1 1 Buffon’s (1707–1788) needle experiment to determine π: • – Throw needles, length l, on a grid of lines l distance d apart. – Probability that a needle falls on a line: d 2l P = πd – Aside: Lazzarini 1901: Buffon’s experiment with 34080 throws: 355 π = 3:14159292 ≈ 113 Way too good result! (See “π through the ages”, http://www-groups.dcs.st-and.ac.uk/ history/HistTopics/Pi through the ages.html) ∼ 2 1.2. Standard Monte Carlo integration Let us consider an integral in d dimensions: • I = ddxf(x) ZV Let V be a d-dim hypercube, with 0 x 1 (for simplicity). ≤ µ ≤ Monte Carlo integration: • - Generate N random vectors x from flat distribution (0 (x ) 1). i ≤ i µ ≤ - As N , ! 1 V N f(xi) I : N iX=1 ! - Error: 1=pN independent of d! (Central limit) / “Normal” numerical integration methods (Numerical Recipes): • - Divide each axis in n evenly spaced intervals 3 - Total # of points N nd ≡ - Error: 1=n (Midpoint rule) / 1=n2 (Trapezoidal rule) / 1=n4 (Simpson) / If d is small, Monte Carlo integration has much larger errors than • standard methods.
    [Show full text]