
A Provable Security Analysis of Intel's Secure Key RNG
Thomas Shrimpton & Seth Terashima
Portland State University

The Intel RNG
● New hardware random-number generator on all recent Intel chips (Ivy Bridge +)
● Two new instructions:
  – RDRAND: Fetch pseudo-random bits
  – RDSEED: Fetch “truly random” bits (Broadwell +)
[Diagram: ES → Health Test → Conditioner → DRBG; RDSEED reads the conditioner output, RDRAND reads the DRBG. ES: Entropy source. DRBG: Deterministic random bit generator.]

Agenda
● Intel's Secure-Key RNG design
● The Model: “PRNGs With Input” (PWIs)
● Analysis

Not on the Agenda: Entropy Source
[Detailed diagram, repeated on the following design slides: ES → ES Shift Register → Health Test → OSTE Queue → Condition → CE Buffer; the CE Buffer feeds RDSEED and Reseed (K, IV) of the DRBG; DRBG → Output Buffers → RDRAND; the Health Test also records a Health History. ES: Entropy source. OSTE: Online self-tested entropy. CE: Conditioned entropy. DRBG: Deterministic random bit generator.]
● Uses thermal noise to generate random bits
● Analysis of empirical data by Cryptography Research, Inc. (Hamburg, Kocher, Marson '12)
● 256-bit samples buffered in shift register

Health Tests
● Heuristic tests for catastrophic ES failure
● 1% false-positive rate on ideal random source

Conditioning
● ES bits are assumed to be biased, correlated
● Fed into streaming CBC-MAC computation to “condition” them into (hopefully) uniform random bits

Health History
● At least two/three (Ivy Bridge/Broadwell) healthy samples needed before CE buffer is “available”
● But samples don't count unless at least half of the past 256 samples were healthy

RDSEED
● RDSEED instruction grabs bits from CE buffer
● Buffer not cleared, but flagged as “unavailable”
● Will be made available again after sufficient number of healthy samples generated, conditioned

(Re)Seeding the DRBG
● CE buffer also used to reseed traditional deterministic PRNG (CTR-AES based)
● Reseeding makes CE buffer unavailable

(Re)Seeding the DRBG (continued)
● PRNG outputs buffered
● Read by RDRAND instruction
● At most 64Kb generated between reseeds

Agenda
● Intel's Secure-Key RNG design
● The Model: “PRNGs With Input” (PWIs)
● Analysis

PRNGs (the traditional view)
Step 1. Provide seed.
Step 2. Get random numbers.
[Diagram: Seed → PRNG → Random Numbers]
This isn't how {/dev/[u]random, OpenSSL RNG, RDRAND} work.

PRNGs with Input
[Diagram, built up over several slides: Entropy → PWI; “Entropy” (possibly adversarial) → PWI; PWI → Random Numbers; after a State compromise, PWI → Random (?) Numbers]
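Before moving on to the model, here is the front-end behaviour described in the design slides (health history, CE-buffer availability, RDSEED, DRBG reseeding and the 64 Kb output budget) as a small Go state machine. This is an added example, not Intel's documentation or code: the constants 256, two/three and 64 Kb come from the slides, while the health test itself is stubbed (the caller supplies each verdict), one RDRAND request is taken to produce 64 bits, and the treatment of a history window that is not yet full is an assumption.

```go
package main

import "fmt"

// Added example (not Intel's design documents or code): a state-machine model
// of the Secure Key front end as the slides describe it. Numbers come from the
// slides; everything else is an assumption of this example.

const (
	historyLen    = 256   // "at least half of the past 256 samples were healthy"
	maxOutputBits = 65536 // at most 64 Kb of DRBG output between reseeds
	rdrandBits    = 64    // bits served per RDRAND in this model (assumption)
)

type Generation int

const (
	IvyBridge Generation = iota // two healthy samples make the CE buffer available
	Broadwell                   // three healthy samples
)

// FrontEnd tracks health history, CE-buffer availability and DRBG reseeding.
// The health test is stubbed: callers pass the verdict for each 256-bit sample.
type FrontEnd struct {
	needed      int    // healthy samples required before the CE buffer is "available"
	history     []bool // verdicts for the most recent historyLen samples
	counted     int    // healthy samples counted since the CE buffer was last consumed
	ceAvailable bool
	drbgSeeded  bool
	outputBits  int // DRBG output produced since the last reseed
}

func NewFrontEnd(g Generation) *FrontEnd {
	fe := &FrontEnd{needed: 2}
	if g == Broadwell {
		fe.needed = 3
	}
	return fe
}

// majorityHealthy reports whether at least half of the recorded window is healthy.
// Assumption: before 256 samples exist, only the samples seen so far are considered.
func (fe *FrontEnd) majorityHealthy() bool {
	healthy := 0
	for _, h := range fe.history {
		if h {
			healthy++
		}
	}
	return len(fe.history) > 0 && 2*healthy >= len(fe.history)
}

// Sample records the health-test verdict for one 256-bit ES sample.
func (fe *FrontEnd) Sample(healthy bool) {
	fe.history = append(fe.history, healthy)
	if len(fe.history) > historyLen {
		fe.history = fe.history[1:]
	}
	// Unhealthy samples are credited nothing; healthy ones only count while
	// the recent history is at least half healthy.
	if healthy && fe.majorityHealthy() {
		fe.counted++
	}
	if fe.counted >= fe.needed {
		fe.ceAvailable = true
	}
}

// consumeCE models any read of the CE buffer: the buffer is not cleared, only
// flagged unavailable until enough new healthy samples have been conditioned.
func (fe *FrontEnd) consumeCE() bool {
	if !fe.ceAvailable {
		return false
	}
	fe.ceAvailable = false
	fe.counted = 0
	return true
}

// RDSEED succeeds only while the CE buffer is available (hardware reports failure via CF=0).
func (fe *FrontEnd) RDSEED() bool { return fe.consumeCE() }

// reseed pulls the CE buffer into the CTR-AES DRBG and resets the output budget.
func (fe *FrontEnd) reseed() bool {
	if !fe.consumeCE() {
		return false
	}
	fe.drbgSeeded = true
	fe.outputBits = 0
	return true
}

// RDRAND serves rdrandBits from the DRBG, reseeding first when the 64 Kb budget
// would be exceeded; it fails if a required reseed cannot be performed.
func (fe *FrontEnd) RDRAND() bool {
	if !fe.drbgSeeded || fe.outputBits+rdrandBits > maxOutputBits {
		if !fe.reseed() {
			return false
		}
	}
	fe.outputBits += rdrandBits
	return true
}

func main() {
	fe := NewFrontEnd(IvyBridge)
	fmt.Println("RDSEED before any healthy sample:", fe.RDSEED())
	fe.Sample(true)
	fe.Sample(true)
	fmt.Println("RDSEED after two healthy samples:", fe.RDSEED())
	fmt.Println("RDSEED again (buffer now unavailable):", fe.RDSEED())
}
```

The model makes the two gating rules visible: a run of unhealthy samples poisons the 256-sample majority so that later healthy samples stop counting, and once the DRBG has emitted 64 Kb every further RDRAND depends on the CE buffer becoming available again.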
[PRNGs with Input diagram, continued: Entropy → PWI → Random Numbers; “Entropy” (possibly adversarial) → PWI; after a State compromise, PWI → Random (?) Numbers]

Types of security
Resilience: Basic security. No state compromise, everything looks random.
Forward security: Random values are safe even if PWI state is compromised in the future.
Backward security: Random values are safe even if PWI state was compromised in the past (as long as we've harvested enough entropy since then).
Robustness: Both forward and backward security, even if the adversary can tamper with state.

PWI Primitive
● Started with PWI model of [DPRVW'13]
● Some simple extensions:
  – Blocking refresh(I)
  – Multiple interfaces next(m)
  – Explicit setup state
  – Asynchronous behavior
[Diagram: Entropy Source → refresh(I); interfaces next(m), setup(), tick(); internal state]
Dodis, Pointcheval, Ruhault, Vergnaud, Wichs (CCS 2013), itself an extension of Barak and Halevi (CCS 2005).

PWI Oracles
[Diagram, repeated on each oracle slide: Entropy Source → ES-Refresh() → refresh(I); get-next() and next-ror() → next(m); get-state() and set-state() → state; setup(); tick(); wait(); the adversary must guess b]
Challenger runs setup(), flips coin b.
● Heads: API connects to real PWI
● Tails: API connects to idealized version of PWI
ES-Refresh(): Grabs bits from entropy source, feeds them to PWI. Leaks some side-channel info to attacker.
get-next(): Calls next(). Returns the result.
next-ror(): Calls next().
● Returns result if b = 0.
● Returns random string if b = 1.
get-state(): Returns the PWI state.
set-state(): Sets the PWI state to a value specified by the Adversary.
wait(): Prompts the PWI to perform next scheduled atomic task. No return value.
The get-state and set-state oracles make the state “corrupt”.
While the state is corrupt, the Adversary is cut off from the next-ror oracle.
The state remains corrupt until the PWI harvests a specified amount of entropy.

Measuring security
Attacker's advantage is:

Secure setup()
● setup() should place the PWI in a “good” state
  – Some state is sensitive
  – Other state is not (counters, buffered entropy, etc.)
● Define a masking function M such that M(S) is a “good version” of S.
[Diagram: state produced by setup(); forward security when starting from masked state]

Agenda
● Intel's Secure-Key RNG design
● The Model: “PRNGs With Input” (PWIs)
● Analysis

Entropy Source
[Diagram: ES → Health Test → Conditioner → DRBG; RDSEED; RDRAND. ES: Entropy source. DRBG: Deterministic random bit generator.]
From CRI Report (Hamburg, Kocher, Marson '12)

Entropy Source Magic
The ES is a magic black box that produces bits with some amount of min-entropy.
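The oracle rules above (get-state and set-state mark the state corrupt, next-ror is cut off while the state is corrupt, and the flag clears once the PWI has harvested a specified amount of entropy) as an added Go example of the challenger's bookkeeping. It is not the paper's formal game and not Intel's DRNG: the PWI inside it is a toy SHA-256 construction assumed for illustration, the side-channel leak returned by ES-Refresh is taken to be the source's entropy estimate, and entropyThreshold stands for the slide's "specified amount of entropy".

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not the paper's formal definitions. Only the oracle gating
// rules are the point; the PWI below is a toy hash-based construction.

const stateSize = 32

// PWI is a toy PRNG-with-input (assumption of this example, not Intel's DRNG):
// refresh hashes the input into the state, next derives an output and ratchets.
type PWI struct{ S [stateSize]byte }

func (p *PWI) Refresh(I []byte) {
	p.S = sha256.Sum256(append(append([]byte{0x00}, p.S[:]...), I...))
}

func (p *PWI) Next() [stateSize]byte {
	R := sha256.Sum256(append([]byte{0x01}, p.S[:]...))
	p.S = sha256.Sum256(append([]byte{0x02}, p.S[:]...))
	return R
}

// Sample is what ES-Refresh pulls from the entropy source: raw bits plus the
// min-entropy (in bits) the challenger credits for them.
type Sample struct {
	Bits    []byte
	Entropy float64
}

var ErrCorrupt = errors.New("next-ror unavailable: state is corrupt")

// Game holds the challenger's view: the challenge bit b, the corrupt flag and
// the entropy credited since the last compromise.
type Game struct {
	pwi              PWI
	b                bool    // false: next-ror is real; true: next-ror is idealized
	entropyThreshold float64 // credit needed before the state stops being corrupt
	corrupt          bool
	credited         float64
	source           func() Sample
}

// NewGame runs setup(). Assumption: a fresh random state counts as a "good"
// state, so the game starts uncorrupted.
func NewGame(b bool, entropyThreshold float64, source func() Sample) *Game {
	g := &Game{b: b, entropyThreshold: entropyThreshold, source: source}
	if _, err := rand.Read(g.pwi.S[:]); err != nil {
		panic(err)
	}
	return g
}

// ESRefresh feeds one sample to the PWI and returns the side-channel leakage
// (assumed here to be the entropy estimate). Credit only matters while corrupt.
func (g *Game) ESRefresh() float64 {
	s := g.source()
	g.pwi.Refresh(s.Bits)
	if g.corrupt {
		g.credited += s.Entropy
		if g.credited >= g.entropyThreshold {
			g.corrupt = false
		}
	}
	return s.Entropy
}

// GetNext always returns the real output of next().
func (g *Game) GetNext() [stateSize]byte { return g.pwi.Next() }

// NextRoR is the real-or-random challenge; it is cut off while the state is corrupt.
func (g *Game) NextRoR() ([stateSize]byte, error) {
	var out [stateSize]byte
	if g.corrupt {
		return out, ErrCorrupt
	}
	if !g.b {
		return g.pwi.Next(), nil
	}
	g.pwi.Next() // ideal world: the PWI still advances, but a fresh string is returned
	if _, err := rand.Read(out[:]); err != nil {
		panic(err)
	}
	return out, nil
}

// GetState and SetState expose or overwrite the state, mark it corrupt and
// reset the entropy credit.
func (g *Game) GetState() [stateSize]byte {
	g.corrupt, g.credited = true, 0
	return g.pwi.S
}

func (g *Game) SetState(s [stateSize]byte) {
	g.corrupt, g.credited = true, 0
	g.pwi.S = s
}

func (g *Game) Corrupt() bool { return g.corrupt }

func main() {
	// Constructed entropy source: 8 random bytes credited with 4 bits of min-entropy each.
	src := func() Sample {
		s := Sample{Bits: make([]byte, 8), Entropy: 4}
		if _, err := rand.Read(s.Bits); err != nil {
			panic(err)
		}
		return s
	}
	g := NewGame(false, 16, src)
	g.GetState()
	for i := 1; i <= 5; i++ {
		g.ESRefresh()
		_, err := g.NextRoR()
		fmt.Printf("after %d refreshes: corrupt=%v next-ror err=%v\n", i, g.Corrupt(), err)
	}
}
```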
Entropy source assumptions
● Assume “healthy” samples have min-entropy
  – Will estimate value from CRI analysis
  – (Conservatively) assume no entropy from “unhealthy” samples
● Assume ES will eventually produce a healthy sample
  – Perfect entropy source = 1% of samples unhealthy
  – Say any 256-bit sample is healthy with probability

Conditioner: CBC-MAC
[Diagram: loops until ES generates 2-3 “healthy” 256-bit strings; Old CE Buffer → Conditioner (seed K) → New CE Buffer; K is fixed, public; repeats for both 128-bit halves of the CE Buffer]

Does this work?
Theorem from [DGHKR Crypto '04] says CBC-MAC (over a random permutation) works as an entropy extractor, but
– Intel RNG recycles state (not too hard to patch)
– Bound degrades quickly with input length (we can impose a fixed “cut-off” point: don't count entropy or input length past this point)
Dodis, Gennaro, Hastad, Krawczyk, and Rabin, “Randomness Extraction and Key Derivation using the CBC, Cascade and HMAC Modes” (CRYPTO 2004)
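The conditioner as an added Go example built on the standard library's AES: each 128-bit half of the CE buffer is replaced by CBC-MAC under the fixed public key K over its old value followed by a batch of healthy 256-bit samples, so the recycled state the slide mentions is explicit in the chain. This is not Intel's code: the key bytes are a constructed placeholder (the real K is not on the slides) and feeding each half its own sample batch is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Added example (not Intel's code): a model of the CBC-MAC conditioner as the
// slides describe it. The key is fixed and public; the bytes below are a
// constructed placeholder, not Intel's key.

const (
	blockSize  = 16 // AES block, one 128-bit CE half
	sampleSize = 32 // one 256-bit ES sample
	ceSize     = 2 * blockSize
)

var conditionerKey = []byte("fixed-public-key") // 16 bytes, constructed placeholder

func conditionerCipher() cipher.Block {
	bc, err := aes.NewCipher(conditionerKey)
	if err != nil {
		panic(err) // only possible with a bad key length
	}
	return bc
}

// cbcMAC is plain CBC-MAC with a zero IV; msg must be a whole number of blocks.
// Only the final chaining value is output.
func cbcMAC(bc cipher.Block, msg []byte) []byte {
	mac := make([]byte, blockSize)
	xored := make([]byte, blockSize)
	for i := 0; i < len(msg); i += blockSize {
		for j := range xored {
			xored[j] = mac[j] ^ msg[i+j]
		}
		bc.Encrypt(mac, xored)
	}
	return mac
}

// Condition derives a new 256-bit CE buffer. Half h becomes
// CBC-MAC_K(oldCE[h] || batches[h][0] || batches[h][1] || ...), so the previous
// buffer contents are recycled into the chain ("streaming" CBC-MAC).
// Assumption: each half is fed its own batch of healthy samples.
func Condition(oldCE []byte, batches [2][][]byte) ([]byte, error) {
	if len(oldCE) != ceSize {
		return nil, fmt.Errorf("old CE buffer must be %d bytes", ceSize)
	}
	bc := conditionerCipher()
	newCE := make([]byte, 0, ceSize)
	for h := 0; h < 2; h++ {
		if len(batches[h]) == 0 {
			return nil, fmt.Errorf("half %d: need at least one healthy sample", h)
		}
		msg := append([]byte{}, oldCE[h*blockSize:(h+1)*blockSize]...)
		for _, s := range batches[h] {
			if len(s) != sampleSize {
				return nil, fmt.Errorf("samples must be %d bytes", sampleSize)
			}
			msg = append(msg, s...)
		}
		newCE = append(newCE, cbcMAC(bc, msg)...)
	}
	return newCE, nil
}

func main() {
	// Constructed inputs: an all-zero initial CE buffer and two healthy samples per half.
	old := make([]byte, ceSize)
	sample := func(b byte) []byte {
		s := make([]byte, sampleSize)
		for i := range s {
			s[i] = b
		}
		return s
	}
	newCE, err := Condition(old, [2][][]byte{{sample(1), sample(2)}, {sample(3), sample(4)}})
	if err != nil {
		panic(err)
	}
	fmt.Println("new CE buffer:", hex.EncodeToString(newCE))
}
```

Because the old half is the first block of the chain, the output after the next batch depends on everything conditioned so far; that is exactly the state recycling the DGHKR extractor theorem does not cover on its own, which is why the analysis patches it and caps the counted input length.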