
The Interdisciplinary Center, Herzlia
Efi Arazi School of Computer Science

Pseudo Random Number Generators in Programming Languages

M.Sc dissertation
Submitted by Aviv Sinai
Under the supervision of Dr. Zvi Gutterman (CloudShare, HUJI)
March, 2011.

Acknowledgments

First and foremost, I would like to thank my advisor, Dr. Zvi Gutterman, for the time and effort he put into helping me complete this work. I would like to express my deepest gratitude to Asaf Rubin, a friend and co-worker. I’m grateful for his help and time spent assisting me in finishing this work. I would like to also thank Danny Slutsky and Yaniv Meoded, who reviewed early drafts of this work. Special thanks to Dr. Anat Bremler and the IDC M.Sc. CS program office, for their patience and help. Finally, I want to thank my family who gave me the support I needed to invest precious time working to complete this work.

Abstract

Software developers frequently encounter the need to integrate random numbers in their systems and applications. These applications and systems span from implementing a new security protocol to implementing a shuffling algorithm in an online poker game. Modern software languages come to their aid by providing them with a rich SDK that contains pseudo random number generation functions for the developer to use without the need to implement their own generators. These functions differ in cryptographic strength and in the underlying algorithms used.

In this thesis we research the implementations of random number generators in popular programming languages. We provide a complete and detailed analysis of the algorithms used, cryptographic strength and capabilities of these generators. Our analysis shows weaknesses in the generators implemented, including a bug in C#’s implementation of the additive feedback generator. In addition we provide a non-trivial attack on the session generation algorithm in PHP that relies on our analysis of PHP’s generator.

Table of Contents

ACKNOWLEDGMENTS
ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES

1 INTRODUCTION
  1.1 CONTRIBUTIONS
  1.2 STRUCTURE AND OUTLINE

2 PSEUDO RANDOM NUMBER GENERATORS
  2.1 THE IMPORTANCE OF RANDOM NUMBERS
  2.2 WHAT IS A GOOD (PSEUDO) RANDOM NUMBER GENERATOR?
  2.3 THEORY VS. PRACTICE
  2.4 POPULAR PRNGS REVIEW
    2.4.1 Linear Congruential Generator (LCG)
    2.4.2 Multiplicative Congruential Generator (MRG/MCG/MLCG)
    2.4.3 Combined MCG (CMCG/CMLCG)
    2.4.4 LFSR (Linear Feedback Shift Register)
    2.4.5 Lagged Fibonacci Pseudo Random Generators (LFG)
    2.4.6 Generalized Feedback Shift Register (GFSR)
    2.4.7 Twisted Generalized Feedback Shift Register (TGFSR)
    2.4.8 Mersenne Twister
    2.4.9 Blum Blum Shub (BBS)
    2.4.10 PRNGs in Standards

3 RELATED WORK
  3.1 THE RANDU PRNG
  3.2 NETSCAPE SSL ATTACK
  3.3 PREDICTABLE SESSION KEYS IN KERBEROS V4
  3.4 ATTACK ON APACHE TOMCAT’S SESSION ID GENERATION
  3.5 IDENTICAL NFS FILE HANDLES
  3.6 ONLINE POKER EXPLOIT
  3.7 LINUX RANDOM NUMBER GENERATOR (LRNG) ANALYSIS
  3.8 WINDOWS RANDOM NUMBER GENERATOR (WRNG) ANALYSIS

4 ANALYSIS METHODS
  4.1 NOTATIONS/JARGON
  4.2 ASSUMPTIONS
  4.3 COMMON ANALYSIS STRUCTURE
  4.4 ATTACK VECTORS AND ATTACK ASSUMPTIONS

5 C
  5.1 INTRODUCTION
  5.2 MICROSOFT CRT (MSVCRT) GENERATORS
    5.2.1 (ANSI-C) C Standard Built-in Generators (rand() family)
    5.2.2 rand_s()
  5.3 *NIX GLIBC GENERATORS
    5.3.1 Introduction
    5.3.2 (ANSI-C) C Standard Built-in Generators (rand() family)
  5.4 BSD C GENERATORS (RANDOM() FAMILY)
    5.4.1 Introduction
    5.4.2 Design Space
    5.4.3 G0: LCG
    5.4.4 G1-G4: AFG
  5.5 SVID C GENERATORS (RAND48() FAMILY)
    5.5.1 Introduction
    5.5.2 Design Space
    5.5.3 Under the Hood
    5.5.4 Properties Analysis

6 JAVA
  6.1 INTRODUCTION
  6.2 MATH.RANDOM
    6.2.1 Design Space
  6.3 JAVA.UTIL.RANDOM
    6.3.1 Design Space
    6.3.2 Under the Hood
    6.3.3 Properties Analysis
  6.4 JAVA.SECURITY.SECURERANDOM
    6.4.1 Introduction