CNS Lecture 4: Random Numbers, Steganography, Classical cryptography

In the news

Widely Deployed Software
(1) CRITICAL: Apple QuickTime Multiple Vulnerabilities
(2) HIGH: Adobe Flash Player Multiple Vulnerabilities
(3) HIGH: Microsoft Internet Explorer Compressed Content Heap Overflow (MS06-042)
(4) HIGH: Microsoft Pragmatic General Multicast Buffer Overflow (MS06-052)
(5) HIGH: Microsoft Publisher File Parsing Buffer Overflow (MS06-054)
(6) MODERATE: Cisco IOS VTP Multiple Vulnerabilities
(7) MODERATE: HP OpenView Multiple Vulnerabilities
(8) MODERATE: PHP NULL Processing Arbitrary File Overwrite
(9) LOW: Microsoft Indexing Service Cross Site Scripting Vulnerability (MS06-053)

Other Software
(10) HIGH: Multiple Products PHP File Include Vulnerabilities
(11) HIGH: Multiple Products SQL Injection Vulnerabilities
(12) HIGH: Tagger LE Remote Code Execution
(13) MODERATE: Act Networks NetPerformer FRAD Multiple Vulnerabilities
(14) MODERATE: SQL-Ledger/LedgerSMB Remote Code Execution

Assignments
• ncp
• Hash/HMAC values are binary data: you can't use strcpy() or strcmp(), use memcpy()

Random Numbers (34495638193476348762347346)
• Why?
• Generating (pseudo) random numbers from a random seed
• Sources of random bits
• Classical + stego

You are here …
• Attacks & Defenses: risk assessment, viruses, Unix security, authentication, network security, firewalls, VPN, IPsec, IDS
• Cryptography: random numbers; hash functions (MD5, SHA, RIPEMD); number theory; symmetric key (DES, Rijndael, RC5); public key (RSA, DSA, D-H, ECC)
• Applied crypto: SSH, PGP, S/MIME, SSL, Kerberos, IPsec
• Crypto Toolkit: secret-key crypto, public-key crypto, big-number math, random numbers, prime numbers, hash functions

Random Numbers
Good cryptography requires good random numbers.
• non-crypto: games, simulation
• salt, cookie, nonce (challenge)
• TCP sequence number
• used for public keys (RSA, D-H)
• per-message secrets (DSS k, PGP)
• used for secret keys (KDC/ssh session key)
• encryption initialization vectors (IV)
• used for one-time pads or seed
• used for blinding
predictable = vulnerable: predictable means you can guess the key

Random numbers -- definition
• equally likely to choose any element (uniform distribution)
• independence – can't infer one value in the sequence from others
• tests of random sequences (Knuth)
– half the bits 1
– Chi-square (bin tests), Kolmogorov-Smirnov
– spectral test
– runs tests, n-D tests
– bit, byte, word correlations
– FIPS 140 tests: runs, poker, monobit
– tests can only show that it's NOT random
– software: Diehard or ent
• cryptographic random numbers need to be
– unpredictable
– resistant to attack
• by observing random output, can't predict next nor back-guess
• can't significantly influence output or initial seed

Pseudorandom numbers (PRNG)
• computer is deterministic
• rand() is statistically OK, but cryptographically weak
– based on the linear congruential method
– R_{i+1} = (a·R_i + b) mod n
– random numbers between 0 and n-1
– eventually repeats
– even with a good seed R_0, an observer can solve for a, b, n after capturing three R's
• repeatability is good for testing (games/simulation), bad for crypto
• catch 22: need a good random seed (key); the seed needs to be unpredictable

Stronger PRNGs
• software linear feedback shift registers (LFSR)
• encrypted counter
• chained encryption (OFB, DES/Rijndael/etc.): R_{i+1} = encrypt(key, R_i); OFBs (e.g., DES) are slow (export limits)
• repeated hash (MD5, SHA): R_{i+1} = MD5(key, R_i); output size is bounded, so it eventually repeats
• Java SecureRandom -- SHA(seed, counter)
• Blum, Blum, Shub (quadratic residue), BBS (large primes p and q, secret!)
– n = pq where p = q = 3 mod 4
– s is relatively prime to n
– X_0 = s^2 mod n
– X_i = (X_{i-1})^2 mod n
– B_i = X_i mod 2 (just use the low order bit)
– example: p = 383, q = 503, s = 101355

ANSI random numbers (ANSI X9.17)
• V_0: 64-bit initial seed
• E_k: 3DES encryption with random keys K1, K2 (112 bits)
• DT_i: high-resolution time t (max 64 bits)
• R_n = E_k(E_k(t) ⊕ V_n), the next random number
• V_{n+1} = E_k(E_k(t) ⊕ R_n), the next seed
• 9 DES operations
• export controlled
• if the keys are discovered, an attacker can predict all outputs!
• need a good random seed/key
• need to verify the generator is working (FIPS 140-2)

True random numbers
Sources for a random seed
• coin toss, dice
• radioactive source
• noisy diode
• unplugged microphone (/dev/audio)
• lava lamps (video, SHA, BBS)
• FORTEZZA card has a random source?
• a few hardware sources for computers (QNG), Intel i810, AMD768
– thermal noise (resistor)
– sampling oscillators
– I/O device, 75 Kbs
– serial port devices

Almost random sources
• sources for a random seed
– keystroke timing
– mouse tracking
– frame buffer
– disk times
– /dev/random
– system status (netstat, ps, iostat)
• poll several sources
• there may be biases -- use a mixing function (MD5, encryptor) to eliminate biases and "stretch" output
• retain (and protect) the random pool across reboots

Bad random sources
Netscape (SSL):
    x = mixbits(time.tv_usec)
    y = mixbits(getpid() + time.tv_sec + getppid() << 12)
    seed = MD5(x, y)
    nonce = MD5(seed++)
    key = MD5(seed++)
• Netscape attack
MIT_MAGIC_COOKIE:
    key = rand() % 256
Kerberos v4:
    srandom(time.tv_usec ^ time.tv_sec ^ getpid() ^ gethostid() ^ counter++)
    key = random()
SESAME:
    key = rand()

Texas hold'em -- ooops
• on-line poker site used a simple random number generator and a guessable seed (Pascal's Randomize())
• instead of 52! possible shuffles, fewer than 2^32
• after 5 cards are revealed, you can figure out the order of the deck
• nerd's revenge

SSH v1 random numbers (randoms.c)
    random_get_noise_from_command(state, uid, "ps laxww 2>/dev/null");
    if (time(NULL) - start_time < 30)
        random_get_noise_from_command(state, uid, "ps -al 2>/dev/null");
    if (time(NULL) - start_time < 30)
        random_get_noise_from_command(state, uid, "ls -alni /tmp/. 2>/dev/null");
    if (time(NULL) - start_time < 30)
        random_get_noise_from_command(state, uid, "w 2>/dev/null");
    if (time(NULL) - start_time < 30)
        random_get_noise_from_command(state, uid, "netstat -s 2>/dev/null");
    if (time(NULL) - start_time < 30)
        random_get_noise_from_command(state, uid, "netstat -an 2>/dev/null");
    if (time(NULL) - start_time < 30)
        random_get_noise_from_command(state, uid, "netstat -in 2>/dev/null");
• then mixes the command output using MD5
• ssh v2 uses OpenSSL (/dev/urandom)

Truerand() in Blaze's cryptolib
• returns about 16 bits of entropy per call
• starts a timer (16.7 ms)
• does count++ until the timer expires
• shifts/XORs count into a buffer
• does it 11 times
• randomness comes from clock skew and OS events
Java's dueling threads: start 8 threads each doing counter[i]++; rand is the XOR of the 8 counters

PGP's random numbers (noise.c, random.c, randpool.c)
• key strokes, high-resolution time
• randomness retained in randseed.bin
• data from the file is pre/post washed with encryption (CFB)
• updated any time the user does keyboard input
• updated with the hash (MD5) of the file being encrypted
• data stirred with MD5
• uses X9.17 but with IDEA
• paper on the randomness of PGP IDEA keys

gpg randomness
• random numbers for public key generation and message keys
• cipher/random.c based on Gutmann's paper
• uses /dev/urandom, seed file + pid, time, and clock
• mixes the pool with RIPEMD-160
• wipes the stack and prefers "secure memory" (no swap)
• pool updated whenever a key is requested for encryption or secure hash (DSS k)
• application can request strong entropy (slower)
• saves the pool to file ~/.gpg/randseed.bin

UNIX /dev/random
• entropy collected from sources and mixed into the primary pool
• secondary pools draw entropy from the primary pool
• stats track the current entropy of the pool
• whenever entropy is withdrawn some is mixed back in
• event entropy (bits): keyboard (12), mouse (8), disk (3), interrupts (4)

/dev/random
• randomness from keyboard timings, mouse, interrupts, IO completion, delta times
• randomness is added to the pool by each driver in the kernel
– Linux: e.g., in the mouse driver routine
    add_mouse_randomness(queue->buf[head] = inb(AUX_INPUT_PORT));
– and in keyboard.c, after a key press
    add_keyboard_randomness(scancode);
• mixing with a primitive polynomial over GF(2) and MD5
• startup is a problem (can save/restore the pool)
• available on most UNIX systems
• user can request random bytes with a read of /dev/random; reading reduces the available bits (4096 max) and may block!
• /dev/urandom for pseudo-random (recurse MD5)
• /dev/hwrandom if a hardware random source is available (AMD, Intel)
What if it is an embedded system, a cold start, with little activity?

Entropy gathering daemons (EGD)
• for systems without /dev/random
• EGADS (securesoftware.com)
– conservative entropy estimates
– if not enough entropy, gathers more data
– "Tiny" variant of Yarrow: slow pool and fast pool of entropy
– data gathered from the system is mixed into the pool (8 LFSRs) with a UMAC nonce and counter using a primitive polynomial
– Unix info: /dev/random, df, ps
– Windows: timestamp, sleep() jitter, performance counters
– access via UNIX domain socket
– API for random bytes, ints, doubles, ranges, various distributions (uniform, gaussian, …)
– OpenSSL will look for the EGADS daemon if there is no /dev/random

OpenSSL random numbers
– mix (MD5) in message, time, /dev/random
– Windows -- hash of the screen (frame buffer)
– add randomness

Other PRNGs
• Windows' CryptGenRandom()
– entropy gathered from the system (process and thread IDs, ticks since boot, current time, memory info, performance counters) and mixed with MD4 and RC4
• Java's SecureRandom
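The "Pseudorandom numbers (PRNG)" slide states that an LCG-based rand() can be solved for a and b from three captured outputs. The added example below (mine, not from the lecture) shows the arithmetic behind that claim: with the modulus n known, two linear equations give a and b and every later value. The multiplier/increment are the ANSI C reference constants with n = 2^31; the seed 42 is a constructed value.

```python
# Added example, not from the lecture: why an LCG is not a key generator.
# Given n (fixed in any rand() implementation) and three consecutive outputs,
# a and b fall out of two linear equations; every later value is then known.

A, B, N = 1103515245, 12345, 2 ** 31   # ANSI C reference rand() constants


def lcg_sequence(a, b, n, seed, count):
    """Return `count` outputs of R_{i+1} = (a*R_i + b) mod n, starting with the seed."""
    out, r = [], seed
    for _ in range(count):
        out.append(r)
        r = (a * r + b) % n
    return out


def recover_lcg(r0, r1, r2, n):
    """Recover (a, b) from three consecutive outputs when the modulus n is known.

    R2 - R1 = a*(R1 - R0) mod n, so a = (R2 - R1) * (R1 - R0)^-1 mod n,
    provided R1 - R0 is invertible mod n (odd, when n is a power of two).
    """
    d = (r1 - r0) % n
    a = ((r2 - r1) * pow(d, -1, n)) % n   # ValueError if d has no inverse mod n
    b = (r1 - a * r0) % n
    return a, b


def predict_next(r0, r1, r2, n):
    """What an observer who saw R0..R2 will expect as R3."""
    a, b = recover_lcg(r0, r1, r2, n)
    return (a * r2 + b) % n


if __name__ == "__main__":
    seq = lcg_sequence(A, B, N, 42, 4)          # constructed seed 42
    print("generator produced:", seq)
    print("recovered (a, b):", recover_lcg(seq[0], seq[1], seq[2], N))
    print("predicted R3:", predict_next(seq[0], seq[1], seq[2], N), "actual:", seq[3])
```

Real C libraries return only some bits of each state, which complicates the algebra but does not make the output unpredictable; that is why the slide moves on to the stronger generators.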
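The "Stronger PRNGs" slide gives the Blum-Blum-Shub recurrence with toy parameters p = 383, q = 503, s = 101355, and the definition slide lists the FIPS 140 monobit and poker tests. The added example below (mine, not part of the lecture) runs that recurrence with the slide's numbers and applies the two FIPS 140-1 tests to a 20,000-bit sample; the thresholds are the FIPS 140-1 values, and the toy primes only illustrate the arithmetic (a real generator needs secret primes hundreds of digits long).

```python
# Added example, not from the lecture: BBS with the slide's toy parameters,
# plus the FIPS 140-1 monobit and poker tests on a 20,000-bit sample.
from math import gcd


def bbs_states(p, q, s, count):
    """Return X_0..X_{count-1}: X_0 = s^2 mod n, X_i = X_{i-1}^2 mod n, n = p*q."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed s must be relatively prime to n")
    states, x = [], (s * s) % n
    for _ in range(count):
        states.append(x)
        x = (x * x) % n
    return states


def bbs_bits(p, q, s, count):
    """Keep only the low-order bit of each state, as the slide does (B_i = X_i mod 2)."""
    return [x & 1 for x in bbs_states(p, q, s, count)]


def monobit_test(bits):
    """FIPS 140-1 monobit: the count of ones in 20,000 bits must satisfy 9654 < X < 10346."""
    if len(bits) != 20000:
        raise ValueError("FIPS 140-1 tests are defined on exactly 20,000 bits")
    ones = sum(bits)
    return 9654 < ones < 10346, ones


def poker_test(bits):
    """FIPS 140-1 poker: split into 5000 4-bit values f_i; X = 16/5000 * sum(f_i^2) - 5000
    must satisfy 1.03 < X < 57.4 (too even a spread fails just as a lopsided one does)."""
    if len(bits) != 20000:
        raise ValueError("FIPS 140-1 tests are defined on exactly 20,000 bits")
    counts = [0] * 16
    for i in range(0, 20000, 4):
        counts[bits[i] * 8 + bits[i + 1] * 4 + bits[i + 2] * 2 + bits[i + 3]] += 1
    x = 16 * sum(c * c for c in counts) / 5000 - 5000
    return 1.03 < x < 57.4, x


if __name__ == "__main__":
    print("first states:", bbs_states(383, 503, 101355, 3))   # [20749, 143135, 177671]
    sample = bbs_bits(383, 503, 101355, 20000)
    print("toy BBS monobit:", monobit_test(sample), "poker:", poker_test(sample))
```

With n = 192649 the state sequence has a short period, so the toy generator may well fail these tests; that is the point of the "large primes" caveat on the slide.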