An Analysis of OpenSSL's Random Number Generator Eurocrypt 2016 Falko Strenzke cryptosource GmbH, Darmstadt [email protected] c Falko Strenzke, cryptosource GmbH 2016 September 14, 2016 An Analysis of OpenSSL's RNG Falko Strenzke 1 / 34 Pseudo Random Number Generation Software-based RNG's use pseudo random number generators (PRNGs) but are not PRNGs seed RAND add (buffer, estimated entopy) RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output An Analysis of OpenSSL's RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation Software-based RNG's use pseudo random number generators (PRNGs) but are not PRNGs seed RAND add (buffer, estimated entopy) RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output An Analysis of OpenSSL's RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation Software-based RNG's use pseudo random number generators (PRNGs) but are not PRNGs seed RAND add (buffer, estimated entopy) RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output An Analysis of OpenSSL's RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation Software-based RNG's use pseudo random number generators (PRNGs) but are not PRNGs seed RAND add (buffer, estimated entopy) RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output An Analysis of OpenSSL's RNG Falko Strenzke 2 / 34 Pseudo Random Number Generation Software-based RNG's use pseudo random number generators (PRNGs) but are not PRNGs seed RAND add (buffer, estimated entopy) RNG state RAND bytes (buffer), RAND pseudo bytes (buffer) output An Analysis of OpenSSL's RNG Falko Strenzke 2 / 34 Random Number Generation in Cryptographic Libraries t application seed random numbers (file) OpenSSL RNG seed OS RNG entropy source entropy source entropy source An Analysis of OpenSSL's RNG Falko Strenzke 3 / 34 Security Notions for RNGs forward security t recover output state compromise backward security t recover state compromise output don't leak any information about state in output An Analysis of OpenSSL's RNG Falko Strenzke 4 / 34 Security Notions for RNGs forward security t recover output state compromise backward security t recover state compromise output don't leak any information about state in output An Analysis of OpenSSL's RNG Falko Strenzke 4 / 34 Security Notions for RNGs forward security t recover output state compromise backward security t recover state compromise output don't leak any information about state in output An Analysis of OpenSSL's RNG Falko Strenzke 4 / 34 Low Entropy Secret Leakage An Analysis of OpenSSL's RNG Falko Strenzke 5 / 34 Seeding by the Application t application RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes() OpenSSL RNG H < 256 bit H ≥ 256 bit An Analysis of OpenSSL's RNG Falko Strenzke 6 / 34 Seeding by the Application t application RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes() OpenSSL RNG H < 256 bit H ≥ 256 bit An Analysis of OpenSSL's RNG Falko Strenzke 6 / 34 Seeding by the Application t application RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes() OpenSSL RNG H < 256 bit H ≥ 256 bit An Analysis of OpenSSL's RNG Falko Strenzke 6 / 34 Seeding by the Application t application RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes() OpenSSL RNG H < 256 bit H ≥ 256 bit An Analysis of OpenSSL's RNG Falko Strenzke 6 / 34 Seeding by the Application t application RAND bytes() RAND bytes() RAND add() RAND pseudo bytes() RAND pseudo bytes() OpenSSL RNG H < 256 bit H ≥ 256 bit An Analysis of OpenSSL's RNG Falko Strenzke 6 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Outputting Random Numbers in Low Entropy States t attacker 25 brute force 2 guesses RNG output, nonce recover secret seed application secret seed RAND pseudo bytes() H = 15 bits OpenSSL RNG H = 10 bits H = 25 bits An Analysis of OpenSSL's RNG Falko Strenzke 7 / 34 Potentially Leaked Secrets RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output An Analysis of OpenSSL's RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output An Analysis of OpenSSL's RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output An Analysis of OpenSSL's RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output An Analysis of OpenSSL's RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output An Analysis of OpenSSL's RNG Falko Strenzke 8 / 34 Potentially Leaked Secrets RAND pseudo bytes generates output in the same way as RAND bytes API documentation suggests to feed low-entropy secrets such passwords OpenSSL feeds the previous contents of buffers to be randomized to RNG state (Debian issue in 2008) previous contents could contain low entropy secrets by themselves overwriting secrets with random numbers is an established practice overwritten low entropy secrets may be leaked in output An Analysis of OpenSSL's RNG Falko Strenzke 8 / 34 Core Cryptographic Function of OpenSSL's RNG An Analysis of OpenSSL's RNG Falko Strenzke 9 / 34 Core Cryptographic Function of OpenSSL's RNG custom design c 1998 An Analysis of OpenSSL's RNG Falko Strenzke 10 / 34 Core Cryptographic Function of OpenSSL's RNG custom design c 1998 An Analysis of OpenSSL's RNG Falko Strenzke 10 / 34 Core Cryptographic Function of OpenSSL's RNG 160 bits 80 bits b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1 s0 ... s2 s3 s4 ... RAND add RAND bytes 160 md ignoring: counters, PID bits RAND add, RAND bytes 1023 state bytes An Analysis of OpenSSL's RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL's RNG 160 bits 80 bits b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1 s0 ... s2 s3 s4 ... RAND add RAND bytes 160 md ignoring: counters, PID bits RAND add, RAND bytes 1023 state bytes An Analysis of OpenSSL's RNG Falko Strenzke 11 / 34 Core Cryptographic Function of OpenSSL's RNG 160 bits 80 bits b0 ... b2 r0 r1 md md md md 160 md 3 2 1 0 bits 0 0 SHA1 SHA1 SHA1 SHA1 SHA1 s0 ..