Ensuring High-Quality Randomness in Cryptographic Key Generation

Henry Corrigan-Gibbs (Stanford University), Wendy Mu (Stanford University), Dan Boneh (Stanford University), Bryan Ford (Yale University)

ABSTRACT

The security of any cryptosystem relies on the secrecy of the system's secret keys. Yet, recent experimental work demonstrates that tens of thousands of devices on the Internet use RSA and DSA secrets drawn from a small pool of candidate values. As a result, an adversary can derive the device's secret keys without breaking the underlying cryptosystem. We introduce a new threat model, under which there is a systemic solution to such randomness flaws. In our model, when a device generates a cryptographic key, it incorporates some random values from an entropy authority into its cryptographic secrets and then proves to the authority, using zero-knowledge-proof techniques, that it performed this operation correctly. By presenting an entropy-authority-signed public-key certificate to a third party (like a certificate authority or SSH client), the device can demonstrate that its public key incorporates randomness from the authority and is therefore drawn from a large pool of candidate values. Where possible, our protocol protects against eavesdroppers, entropy authority misbehavior, and devices attempting to discredit the entropy authority. To demonstrate the practicality of our protocol, we have implemented and evaluated its performance on a commodity wireless home router. When running on a home router, our protocol incurs a 1.7× slowdown over conventional RSA key generation and it incurs a 3.6× slowdown over conventional EC-DSA key generation.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General—Security and protection; C.2.2 [Computer-Communication Networks]: Network Protocols—Applications; E.3 [Data Encryption]: Public key cryptosystems

Keywords

entropy authority; cryptography; key generation; RSA; DSA; entropy; randomness

∗Work conducted while author was a staff member at Yale University.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
CCS'13, November 4–8, 2013, Berlin, Germany.
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-2477-9/13/11 ...$15.00.
http://dx.doi.org/10.1145/2508859.2516680

1. INTRODUCTION

A good source of randomness is crucial for a number of cryptographic operations. Public-key encryption schemes use randomness to achieve chosen-plaintext security, key-exchange algorithms use randomness to establish secret session keys, and commitment schemes use randomness to hide the committed value. The security of these schemes relies on the unpredictability of the random input values, so when the "random" inputs are not really random, dire security failures result [7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 26, 29, 32, 41].

Although the dangers of weak randomness have been part of the computer security folklore for years [26], entropy failures are still commonplace. In 2008, a single mistaken patch caused the OpenSSL distribution in all Debian-based operating systems to use only the process ID (plus a few other easy-to-guess values) as the seed for its pseudo-random number generator. This bug caused affected machines to select a 1024-bit RSA modulus from a pool of fewer than one million values, rather than the near-2^1000 possible values [41]. By replaying the key generation process using each of the one million possible PRNG seeds, an adversary could recover the secret key corresponding to one of these weak public keys in a matter of hours or days.

Recent surveys [29, 32] of SSH and TLS public keys on the Internet demonstrate that hardware devices with poorly seeded random number generators have led to a proliferation of weak cryptographic keys. During the drafting of this paper, NetBSD maintainers discovered a bug caused by a "misplaced parenthesis" that could have caused NetBSD machines to generate cryptographic keys incorporating as few as 32 or 64 bits of entropy, instead of the 100+ expected bits [36]. Even more recently, a PRNG initialization bug in the Android operating system could have caused applications using the system to generate weak cryptographic keys [31].

Randomness failures continue to haunt cryptographic software for a number of reasons: the randomness "stack" in a modern operating system [39] is large and complex, there is no simple way to test whether a random number generator is really generating random numbers, and (at least in the context of cryptographic keys) there has never been a systemic solution to the randomness problem. The response to entropy failures has traditionally been ad hoc: each device manufacturer or software vendor patches RNG-related bugs in its own implementation (once discovered), without deploying techniques to prevent similar failures in the future. The quantity and severity of randomness failures suggests that this "fix the implementation" approach is grossly insufficient.

We offer the first systemic solution to the entropy problem in cryptographic key generation for public-key cryptosystems. In our protocol, a device generating a cryptographic keypair fetches random values from an entropy authority and incorporates these values into its cryptographic secrets. The device can later prove to third parties (e.g., a certificate authority or an SSH client) that the device's secrets incorporate the authority's random values, thus guaranteeing that the device's cryptographic keys are selected from a large enough pool of candidate values. Unlike certificate authorities in today's Internet, our entropy authorities are not trusted third parties: if the device has a strong entropy source, a malicious entropy authority learns no useful information about the device's secret key. We present versions of our protocol for RSA and DSA key generation and we offer proofs of security for each.

A subtlety of our solution is the threat model: under a traditional "global passive adversary" model, the adversary can completely simulate the view of a device that has a very weak entropy source. Thus, under the global passive adversary model, a device with a weak entropy source has no hope of generating strong keys. We propose an alternate threat model, in which the adversary can observe all communication except for one initial communication session between the device and the entropy authority. Under this more limited adversary model, which is realistic in many deployment scenarios, we can take advantage of an entropy authority to ensure the randomness of cryptographic keys.

The key generation protocols we present are useful both for devices with strong and weak entropy sources. In particular, if the device has a strong entropy source (the device can repeatedly sample from the uniform distribution over a large set of values), running the protocol never weakens the device's cryptographic keys. In contrast, if the device has a weak or biased entropy source, running the protocol can

In prior work, Juels and Guajardo [30] present a protocol in which a possibly malicious device generates an RSA key in cooperation with a certificate authority. Their protocol prevents a device from generating an ill-formed keypair (e.g., an RSA modulus that is the product of more than two primes). We consider a different threat model. We ensure that a device samples its keys from a distribution with high min-entropy, but we do not prevent the device from generating malformed keys. Under this new threat model, we achieve roughly a 25× performance improvement over the protocol of Juels and Guajardo (as measured by the number of modular exponentiations that the device must compute). Section 7 compares the two protocols and discusses other related work.

After introducing our threat model in Section 2, we describe our key generation protocols in Section 3 and present security proofs in Section 4. Section 5 summarizes our evaluation results and Section 6 discusses issues related to integrating our protocols with existing systems.

1.1 Why Other Solutions Are Insufficient

Before describing our protocol in detail, we discuss a few other possible, but unsatisfactory, ways to prevent networked devices from using weak cryptographic keys.¹

Possible Solution #1: Fix the implementation. One possible solution to the weak key problem is to simply make sure that cryptography libraries properly incorporate random values into the cryptographic secrets that they produce. Unfortunately, bugs and bad implementations are a fact of life in the world of software, and the subtleties of random number generation make randomness bugs particularly common. Implementations that seed their random number generators with public or guessable values (e.g., time, process ID, or MAC address) [8, 15, 16, 18, 18], implementations that use weak random number generators [10, 11, 12, 20, 21], and implementations without a good source of environmental entropy [29] are all vulnerable. The complexity of generating cryptographically strong random numbers, the overwhelming number of randomness failures in deployed software, and the difficulty of detecting these failures during testing all indicate that "fix the implementation" is an insufficient solution to the weak key problem.
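The following is an added, deliberately simplified simulation of the entropy-authority idea sketched in the abstract and introduction: a device commits to its own (possibly weak) secret contribution, the authority adds fresh randomness, and the authority certifies the public key only if it can check that its contribution was folded in. It is not the paper's protocol, proof or code: the paper uses zero-knowledge techniques and covers RSA as well as DSA, whereas this toy covers only a discrete-log (DSA-style) key and relies on a plain homomorphic check of public values. The group parameters (p = 2039, q = 1019, g = 4), the 16-value "weak device", and all class and function names are constructed for this illustration. It exists to show two things a defender cares about: a weakly seeded device alone produces keys from a tiny pool (the Debian-style failure above), and the same device behind an entropy authority produces keys spread over the whole group, while a device that skips the authority's value is refused certification.

```python
"""
Toy entropy-authority simulation (added illustration; NOT the paper's
RSA/DSA protocol or code). Group (P, Q, G) is far too small for real use.

  1. Device samples x' from its own entropy source, sends C = g^x' mod p.
  2. Authority replies with fresh uniform r in [1, q-1], bound to C.
  3. Device sets x = x' + r mod q, publishes y = g^x mod p.
  4. Authority certifies y only if y == C * g^r mod p.
Because x' is fixed by C before r is chosen, y is uniform whenever r is,
no matter how weak the device's own source is.
"""
import random
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime; g = 4 has order q.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1


class WeakDevice:
    """Device whose entropy source yields only `pool` distinct secrets,
    mimicking a PRNG seeded from a process ID or similar guessable value."""

    def __init__(self, pool=16, rng=None):
        self.pool = pool
        self.rng = rng or random.Random()
        self.x_prime = None

    def commit(self):
        # Step 1: x' comes from a tiny candidate set; commit to g^x'.
        self.x_prime = 1 + self.rng.randrange(self.pool)
        return pow(G, self.x_prime, P)

    def finish(self, r, honest=True):
        # Step 3: fold the authority's r into the secret. honest=False models a
        # device that ignores r, to show what the authority's check catches.
        x = (self.x_prime + r) % Q if honest else self.x_prime
        return x, pow(G, x, P)


class EntropyAuthority:
    """Contributes r and certifies y only if the device incorporated it."""

    def __init__(self, rng=None):
        self.rng = rng  # None -> OS randomness via `secrets`
        self.sessions = {}

    def contribute(self, commitment):
        # Step 2: fresh uniform r in [1, q-1], remembered against C.
        r = self.rng.randrange(1, Q) if self.rng else secrets.randbelow(Q - 1) + 1
        self.sessions[commitment] = r
        return r

    def certify(self, commitment, y):
        # Step 4: y must equal C * g^r mod p; unknown C or mismatch -> refuse.
        r = self.sessions.get(commitment)
        if r is None:
            return False
        return y == (commitment * pow(G, r, P)) % P


def generate_key(device, authority, honest=True):
    """Run one session; returns (secret x, public y, certified?)."""
    c = device.commit()
    r = authority.contribute(c)
    x, y = device.finish(r, honest=honest)
    return x, y, authority.certify(c, y)


def distinct_public_keys(n, with_authority, seed=1):
    """Distinct public keys over n generations by a 16-value weak device."""
    dev = WeakDevice(pool=16, rng=random.Random(seed))
    ea = EntropyAuthority(rng=random.Random(seed + 1))
    keys = set()
    for _ in range(n):
        if with_authority:
            _, y, ok = generate_key(dev, ea)
            assert ok
        else:
            dev.commit()
            _, y = dev.finish(0)  # no authority randomness at all
        keys.add(y)
    return len(keys)


if __name__ == "__main__":
    print("weak device alone:", distinct_public_keys(200, False), "distinct keys")
    print("weak device + EA :", distinct_public_keys(200, True), "distinct keys")
    print("device that ignored r certified?",
          generate_key(WeakDevice(), EntropyAuthority(), honest=False)[2])
```

The check in step 4 is what lets a third party trust the authority's signature: it is a statement about the public key alone, so the authority never needs x', and a device with a strong source loses nothing because its own x' still masks the secret from the authority. Scaling this to real key sizes and to RSA, and doing it without revealing more than necessary, is exactly where the paper's zero-knowledge proofs come in.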
