Post on 18-Dec-2015
1
The Fortuna PRNG
Niels Ferguson
2
The problem
• We need to make “random” choices in cryptographic protocols.
• Computers are deterministic.
• Standard “random” functions are completely inadequate.
• Must be unpredictable for an attacker!
3
“Real” RNG
• Random Number Generator.
• A “real” RNG is a specialised hardware device that produces random numbers.
• Difficult and expensive.
• Prone to undetected failures.
• Not included in my PC.
4
PRNG
• Pseudo-Random Number Generator.
• Deterministic algorithm.
• Produces “random-looking” numbers.
• Widely used.
• Most of them cryptographically useless.
5
CSPRNG
• Cryptographically Strong Pseudo-Random Number Generator.
• Deterministic algorithm.
• Can’t predict one output given other output values.
• Don’t ever use anything else.
6
PRNG internals
• Internal state.
• State initialised with a random seed.
• Generator function that produces some output bits plus a new state.
[Diagram: old state → Generator → new state; the Generator also emits Output]
7
Generator function
• Can be built from existing cryptographic primitives:
• Block ciphers.
• Hash functions.
• Stream ciphers.
8
Fortuna generator
• State consists of 256-bit key K + 128-bit counter C.
[Diagram: AES under key K encrypts counter C to produce Output; C is then incremented (+1) to give the new C]
9
State compromise
• What happens if an attacker manages to break into the machine and retrieve the PRNG state?
• This reveals all past outputs!
• It also reveals all future outputs.
10
Forward security
• Generate as many output blocks as required for the request.
• Generate two more blocks.
• Wipe key K.
• Set K to the two extra generated blocks.
• Protects against future state compromise.
11
Initialising the generator
• Set (C,K) = (0,0).
• Refuse to generate any output if C = 0.
• (Re)seed operation is required for first output.
12
(Re)seeding the generator
• Add seed material to the existing state.
• K = SHAd-256( K || seed string )
• C = C + 1
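The generator of slides 8, 10, 11 and 12 in one piece, as an added example that is not code from the original slides: AES-256 in counter mode over (K, C), the "refuse output while C = 0" rule, the reseed rule K = SHAd-256(K || seed), C = C + 1, and the forward-security rekey with two extra blocks after every request. Only the Go standard library is used; the Generator type and its method names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"errors"
)

// Generator is the Fortuna generator state of the slides: a 256-bit AES key K
// and a 128-bit counter C (little-endian, so "C == 0" is the all-zero array).
type Generator struct {
	K [32]byte
	C [16]byte
}

// shad256 is SHA-256 applied twice (the SHAd-256 of the reseed slide).
func shad256(data []byte) [32]byte {
	inner := sha256.Sum256(data)
	return sha256.Sum256(inner[:])
}

// incCounter adds 1 to C, least-significant byte first.
func (g *Generator) incCounter() {
	for i := range g.C {
		if g.C[i]++; g.C[i] != 0 {
			return
		}
	}
}

// Reseed mixes seed material into the state: K = SHAd-256(K || seed), C = C + 1.
// The first reseed moves C away from 0 and thereby unlocks output.
func (g *Generator) Reseed(seed []byte) {
	buf := append(append(make([]byte, 0, 32+len(seed)), g.K[:]...), seed...)
	g.K = shad256(buf)
	g.incCounter()
}

// generateBlocks encrypts C under K n times, stepping C after every block;
// output is refused while C == 0, i.e. before the first reseed.
func (g *Generator) generateBlocks(n int) ([]byte, error) {
	if g.C == ([16]byte{}) {
		return nil, errors.New("generator not seeded (C == 0)")
	}
	block, err := aes.NewCipher(g.K[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, n*16)
	for i := 0; i < n; i++ {
		block.Encrypt(out[i*16:], g.C[:])
		g.incCounter()
	}
	return out, nil
}

// PseudoRandomData services an n-byte request, then generates two extra blocks
// and overwrites K with them, so a later state compromise cannot be run
// backwards to recover this output (forward security).
func (g *Generator) PseudoRandomData(n int) ([]byte, error) {
	out, err := g.generateBlocks((n + 15) / 16)
	if err != nil {
		return nil, err
	}
	newKey, err := g.generateBlocks(2) // 2 x 16 bytes = a fresh 256-bit key
	if err != nil {
		return nil, err
	}
	copy(g.K[:], newKey) // the old K is wiped by this overwrite
	return out[:n], nil
}
```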
13
The big problem
Where does the seed come from?
14
Solution 1
• Let the application choose the seed.
15
Problem 1
• This is not a solution.
• It just moves the problem to someone else, who is less well equipped to handle it.
16
Solution 2
• Use the current time as the seed.
17
Problem 2
• This is not a secret.
• Attacker can guess the time value.
• Guess can be verified by looking at some random data.
• Correct guess reveals all random data.
18
Solution 3
• Construct the seed from the current time, the process ID, the value of the Windows handle, etc.
19
Problem 3
• Still not a secret.
• Requires a bit more guessing, but not a whole lot.
20
Seed requirements
• Seed must be unpredictable to the attacker.
• Measure of unpredictability: entropy
21
Entropy
• Unit of information.
• Formal definitions exist.
• A bit that will be set with probability 0.5 has 1 bit of entropy.
• A bit that will be set with probability 0.75 has 0.811… bits of entropy.
• A bit that will be set with probability 0.9 has 0.469… bits of entropy.
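The formula behind the three figures on this slide, added here as a worked equation that is not on the original slide: a bit that is set with probability p has binary (Shannon) entropy H(p), and the constants are -log2 0.75 ≈ 0.415, -log2 0.25 = 2, -log2 0.9 ≈ 0.152 and -log2 0.1 ≈ 3.322.

```latex
\begin{aligned}
H(p)    &= -p\log_2 p - (1-p)\log_2(1-p) \\
H(0.5)  &= 0.5 \cdot 1 + 0.5 \cdot 1 = 1 \\
H(0.75) &= 0.75 \cdot 0.415\ldots + 0.25 \cdot 2 = 0.311\ldots + 0.5 = 0.811\ldots \\
H(0.9)  &= 0.9 \cdot 0.152\ldots + 0.1 \cdot 3.322\ldots = 0.137\ldots + 0.332\ldots = 0.469\ldots
\end{aligned}
```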
22
Entropy (continued)
• Entropy of a variable depends on how many possible values it can have.
• Entropy depends on the probability distribution of those values.
• Entropy also depends on the knowledge we already have.
• Entropy is always relative to someone’s knowledge.
23
White lie
• There are several different kinds of entropy.
• Shannon entropy: from information theory.
• Rényi entropy: used to analyse probability of duplicate values.
• Guessing entropy: most appropriate here.
• I will ignore these complications.
24
Back to reseeding
• Seed must have high entropy with respect to the knowledge that the attacker has.
• We don’t know how much the attacker knows.
• We can’t know how much effective entropy any particular value has.
25
Solution 4
• Ask the user to type some random text.
26
Problem 4
• Low entropy: many users produce something like “fdsajkl;fdsjkl;fsdajkl;fsdaj”
• Attacker can try to stuff keystrokes into the keyboard buffer.
• Or maybe she can sniff the keystrokes in some way.
27
Fundamental problem
• Entropy is not available in sufficient quantities when we want it.
• Initial reseed must come from external source.
• Let’s leave this problem for now.
28
Recovery from compromise
• Assume that attacker knows our PRNG state.
• Irregular stream of “random events”.
• Can we evict the attacker and recover to an unknown state?
29
Typical event sources
• Mouse movements & detailed timings.
• Keyboard data & timings.
• Disk response speed.
• Clock jitter.
• Network packet timing.
• …
30
Assumption
• Together, the events contain at least some entropy w.r.t. the attacker.
• Otherwise there is no hope of recovery.
31
Reseed on every event
• Simple solution.
• Reseed sets K = SHAd-256( K || event data).
• Harmless to reseed with non-random event.
32
Problem
• Does not work.
• Attacker knows old state, and can guess the event data.
• Asks for some random data from the generator, and verifies the guess.
33
Pooling
• Save up events in a pool.
• Reseed with whole pool at once.
• Attacker has to guess the whole pool.
• Recovers from state compromise if entropy of pool is large enough.
34
How large a pool
• Should pool events until we have, say, 128 bits of entropy.
• But we don’t know the entropy of the events.
• Can’t decide how many events to pool.
• Need to estimate the entropy.
35
Entropy estimators
• Don’t even try.
• Impossible: depends on knowledge of the attacker.
• Various estimator systems have been proposed.
• All are ad-hoc, and heuristic.
36
Fortuna pooling
• Keep 32 pools: P0, …, P31.
• Each event source distributes its events over the pools.
• Entropy flows into pools at approximately the same rate.
• But we don’t know at which rate.
37
Fortuna reseeding
• Reseed whenever P0 is large enough to be interesting.
• Include pool P_k every 2^k reseeds.
38
Heuristic analysis
• T = Time between reseeds.
• R = rate at which entropy flows into each pool.
• Pool k is used in a reseed every T · 2^k seconds.
• In that time it has collected R · T · 2^k bits of entropy.
39
One “good” pool
• As long as R and T are reasonable, there is at least one pool that collects 128 bits of entropy before it is used.
• We don’t know which pool.
• But we don’t care!
• Within a factor of 64 of optimal.
40
Further tricks
• Require that T ≥ 0.1 s.
• Don’t store the pools, but hash the pools.
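The pooling and reseed control of slides 36 to 40, as an added example that is not code from the original slides: 32 pools filled round-robin and kept as running SHA-256 states rather than stored events, pool P_k included in every 2^k-th reseed, a reseed only once P0 is "large enough", and no two reseeds less than 0.1 s apart. The 64-byte P0 threshold, the 255-byte event limit and the Accumulator/MaybeReseed names are assumptions of mine; the returned bytes are meant to be passed to a generator's reseed operation.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"hash"
	"time"
)

// Assumed thresholds (the slides only say "large enough to be interesting" and
// T >= 0.1 s): reseed once P0 holds minPoolSize bytes, at most once per interval.
const (
	numPools          = 32
	minPoolSize       = 64
	minReseedInterval = 100 * time.Millisecond
)

// Accumulator spreads events over 32 pools; each pool is a running SHA-256
// state, not stored event data ("don't store the pools, but hash the pools").
type Accumulator struct {
	pools      [numPools]hash.Hash
	pool0Bytes int    // bytes absorbed by P0 since the last reseed
	next       int    // pool that receives the next event (round-robin)
	reseedCnt  uint64 // reseeds performed so far
	lastReseed time.Time
}

func NewAccumulator() *Accumulator {
	a := &Accumulator{}
	for i := range a.pools {
		a.pools[i] = sha256.New()
	}
	return a
}

// AddEvent feeds one event, prefixed with its source number and length so
// neighbouring events cannot be merged or split, into the next pool.
func (a *Accumulator) AddEvent(source byte, data []byte) error {
	if len(data) == 0 || len(data) > 255 {
		return errors.New("event data must be 1..255 bytes")
	}
	a.pools[a.next].Write(append([]byte{source, byte(len(data))}, data...))
	if a.next == 0 {
		a.pool0Bytes += 2 + len(data)
	}
	a.next = (a.next + 1) % numPools
	return nil
}

// poolsForReseed lists the pools used in reseed number r: P_k takes part
// exactly when 2^k divides r, i.e. in every 2^k-th reseed.
func poolsForReseed(r uint64) []int {
	var ks []int
	for k := 0; k < numPools && r%(uint64(1)<<uint(k)) == 0; k++ {
		ks = append(ks, k)
	}
	return ks
}

// MaybeReseed returns the concatenated hashes of the pools due in this reseed
// (to be passed to the generator's Reseed), or nil when no reseed is due yet.
func (a *Accumulator) MaybeReseed(now time.Time) []byte {
	if a.pool0Bytes < minPoolSize || now.Sub(a.lastReseed) < minReseedInterval {
		return nil
	}
	a.reseedCnt++
	a.lastReseed, a.pool0Bytes = now, 0
	var seed []byte
	for _, k := range poolsForReseed(a.reseedCnt) {
		seed = append(seed, a.pools[k].Sum(nil)...)
		a.pools[k].Reset() // its contents are now consumed
	}
	return seed
}
```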
41
Back to the initial seed
• We still need to have a starting seed value.
42
Seed file
• “Random” data on persistent storage.
• Read at startup and use to seed the PRNG.
• Danger: using the same seed file twice.
• Danger: compromise of the seed file.
43
At startup
• Read the seed file.
• Use contents to seed the PRNG.
• Generate new contents for seed file using PRNG.
• Write new seed file.
• Wait until write is permanent. (How?)
• Allow PRNG to be used.
44
Regularly
• Write new seed file.
• This incorporates the events that were used during the reseeds into the seed file state.
45
On shutdown
• Reseed with all the data from all the pools.
• Write a new seed file.
• Beware: losing the seed file is far worse than not writing a new one.
• Maybe use two files?
46
Initial seed file
• Unsolved problem.
• We need an external source for the seed file.
• Require factory to provide one?
• Ask user help during installation of OS?
47
Don’t ignore the problem
• The first thing you (should) do on a new computer is to generate cryptographic keys for various purposes.
• Those have to be secure.
• This needs a good PRNG… which requires a good initial seed file.
48
Seed file details
• Closely look at the atomicity of file updates.
• Most operating systems don’t promise anything.
• Even disk drives might buffer writes.
• Do the best you can.
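The startup sequence of slide 43 together with the "do the best you can" advice on file atomicity above, as an added Go example that is not from the slides: read the seed file, seed the PRNG, generate fresh contents, write them through a synced temporary file and rename, sync the directory, and only then let the caller use the PRNG. The 64-byte file size, the prng interface and the function names are my assumptions; any generator with Reseed and PseudoRandomData (such as a Fortuna generator) plugs in.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

// SeedFileSize is the amount of seed data kept on disk (64 bytes is an assumed
// value, comfortably above the 128 bits of entropy the slides aim for).
const SeedFileSize = 64

// prng is any generator the seed file feeds, e.g. the Fortuna generator.
type prng interface {
	Reseed(seed []byte)
	PseudoRandomData(n int) ([]byte, error)
}

// writeFileDurably writes data to a temporary file in the same directory,
// forces it to disk, renames it over path and syncs the directory entry: the
// "do the best you can" of the slides, since OS and drive may still buffer.
func writeFileDurably(path string, data []byte) error {
	dir := filepath.Dir(path)
	tmp, err := os.CreateTemp(dir, ".seed-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	if err := os.Rename(tmp.Name(), path); err != nil {
		return err
	}
	d, err := os.Open(dir)
	if err != nil {
		return err
	}
	defer d.Close()
	return d.Sync()
}

// StartupFromSeedFile runs the startup steps of the slides: read the seed file,
// seed the PRNG with it, generate fresh contents, write them durably, and only
// then return so the PRNG may be used. Without a seed file it refuses to start,
// and it reports success only after the old seed has been replaced on disk.
func StartupFromSeedFile(path string, g prng) error {
	old, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	if len(old) < SeedFileSize {
		return errors.New("seed file too short")
	}
	g.Reseed(old)
	fresh, err := g.PseudoRandomData(SeedFileSize)
	if err != nil {
		return err
	}
	return writeFileDurably(path, fresh)
}
```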
49
Three parts of Fortuna
• Generator to service the requests.
• Pools & reseed control to recover from state compromise.
• Seed file & logic to provide starting seed.
• Required: initial seed file.
50
Where?
• Operating system has access to all events that can be used in a PRNG.
• Therefore, PRNG should be part of the operating system.
• It isn’t in most cases.
• Work to be done!
51
Hardware RNG
• Don’t use it directly.
• Use it as an event source for Fortuna.
• Keeps you safe if your RNG breaks (which happens more often than you’d like).
• Can use it for initialisation.
52
Warning
• Some systems have “real random” RNGs.
• Try to extract entropy from the events.
• Have to use entropy estimators.
• Pure heuristics, and therefore dangerous.
53
Conclusion
• A good PRNG is vital for good cryptographic systems.
• Fortuna is the state of the art.
• Relatively easy to implement, except for the parts that are inherently hard.
• Don’t settle for anything less.