Conceptual Foundations of the Ivy Bridge Random Number Generator. Jesse Walker, Ph.D., Intel Corporation, Intel Labs Circuits and Systems Research, Security Research Lab


Page 1

Conceptual Foundations of the Ivy Bridge Random Number Generator

Jesse Walker, Ph.D., Intel Corporation

Intel Labs Circuits and Systems Research

Security Research Lab

Page 2

Agenda

• Engineering without a safety net
• What is randomness?
• Intel's first generation RNG
• A New Design
  – Joint work with George Cox, Charles Dike, and D.J. Johnston

Page 3

Randomness' Role in Security

• Implicit Expectation: "Secure" systems work as specified, independent of what the environment (i.e., any attacker) can do to it (i.e., without any constraints on the environment)
  – So we know a priori we will fail to meet expectations
• Question: How can we defeat ALL adversaries?
  – Even the ones we haven't thought about?
• Strategy: Use randomness to wall off attack below a computational complexity threshold
  – Cryptographic algorithm designers seek to use n bits of randomness to embed an O(2^(n/2)) or O(2^n) search problem into their designs
  – If n is sufficiently large and the embedding succeeds, then O(2^(n/2)) or O(2^n) operations is beyond anyone's computational resources

Engineering without a safety net

Page 4

What if it's not really Random?

• January 1996 - Mozilla SSL Browser RNG Failure
• September 28, 1999 - How We Learned to Cheat at Online Poker: A Study in Software Security
  – By Brad Arkin, Frank Hill, Scott Marks, Matt Schmid and Thomas John Walls
• August 2007 – NSA's Dual EC DRBG shown to have backdoor parameters
• November 19, 2007 – Microsoft Windows Insecure Random Number Generator
  – CVE-2007-6043
• May 13, 2008 - Debian/OpenSSL Fiasco
• November 4, 2008 - MiFare Classic
• March 29, 2010 - Weak RNG in PHP session ID generation leads to session hijacking
• December 2010 - Sony PlayStation* 3 Jailbreak

Debian/OpenSSL Fiasco
Debian has warned of a vulnerability in its cryptographic functions that could leave systems open to attack. The use of a cryptographically flawed pseudo random number generator in Debian's implementation of OpenSSL meant that potentially predictable keys were generated… The Register – May 13th, 2008

MiFare Classic Crypto-1
Stream cipher used in about 200 million RFID chips worldwide. 16-bit random numbers generated by LFSR-based RNG. Internal state can be unshifted, filter function can be inverted, limited size enables replay attacks. BlackHat 2008

Cryptography is impossible without real randomness

Engineering without a safety net

Page 5

How is Randomness Represented?

• A random variable X : S → R models measurements of some random process
• The information of a random variable X is itself a random variable defined as –log2(X) = log2(1/X)
  – The information log2(1/X(s)) says how many bits are needed to unambiguously represent state s
  – If the number of bits of X(s) exceeds log2(1/X(s)), then X contains redundant information
• The entropy H(X) of a random variable X is the expected value of X's information (the negative of the expected value of log2(X)): H(X) = E_X(–log2(X)) = Σ_{s∈S} X(s)·log2(1/X(s))
  – The entropy measures the randomness or unpredictability of X in bits
• The min-entropy is H∞(X) = –min_{s∈S}{log2(X(s))} = –log2(max_{s∈S}{X(s)}) = log2(min_{s∈S}{1/X(s)})
• H∞(X) ≤ H(X), with equality if and only if X(s) = 1/|S| for all s ∈ S
  – Every sample from X has at least H∞(X) bits of entropy

What is Randomness?

Page 6

Example

  s    X(s)    log2(1/X(s))              X(s)·log2(1/X(s))
  1    1/16    4                         1/4
  2    1/4     2                         1/2
  3    3/8     3 – log2(3) ≈ 1.415       3(3 – log2(3))/8 ≈ 0.531
  4    1/4     2                         1/2
  5    1/16    4                         1/4

H(X) = E_X(log2(1/X)) = Σ_{s∈S} X(s)·log2(1/X(s)) ≈ 1/4 + 1/2 + 0.531 + 1/2 + 1/4 = 2.031

H∞(X) = –min_{s∈S}{log2(X(s))} = log2(min_{s∈S}{1/X(s)}) = 3 – log2(3) ≈ 1.415

Every sample of X has at least H∞(X) = 1.415 bits of entropy

[Figure: bar chart of X(s) over s = 1 . . . 5, with H∞(X) = min_{s∈S}{log2(1/X(s))} marked]

What is Randomness?
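The table above computed by hand, as an added example (not code from the talk): ShannonEntropy and MinEntropy implement the H(X) and H∞(X) formulas of Page 5 over the five-state distribution, so the ≈ 2.031 and ≈ 1.415 figures can be checked and the H∞(X) ≤ H(X) bound observed.

```go
package main

import (
	"fmt"
	"math"
)

// Distribution maps each state s in S to X(s) = Pr[X = s], the slides' notation.
type Distribution map[int]float64

// Information returns -log2(p): the bits needed to represent a state of probability p.
func Information(p float64) float64 { return -math.Log2(p) }

// ShannonEntropy computes H(X) = sum over s of X(s) * log2(1/X(s)).
func ShannonEntropy(d Distribution) float64 {
	h := 0.0
	for _, p := range d {
		if p > 0 { // a zero-probability state contributes nothing
			h += p * Information(p)
		}
	}
	return h
}

// MinEntropy computes H_inf(X) = -log2(max over s of X(s)) = log2(min over s of 1/X(s)).
func MinEntropy(d Distribution) float64 {
	pmax := 0.0
	for _, p := range d {
		if p > pmax {
			pmax = p
		}
	}
	return -math.Log2(pmax)
}

// SlideExample is the five-state distribution tabulated on the slide.
func SlideExample() Distribution {
	return Distribution{1: 1.0 / 16, 2: 1.0 / 4, 3: 3.0 / 8, 4: 1.0 / 4, 5: 1.0 / 16}
}

func main() {
	d := SlideExample()
	for s := 1; s <= 5; s++ {
		fmt.Printf("s=%d X(s)=%.4f log2(1/X(s))=%.3f\n", s, d[s], Information(d[s]))
	}
	fmt.Printf("H(X)    = %.3f bits\n", ShannonEntropy(d)) // about 2.031
	fmt.Printf("Hinf(X) = %.3f bits\n", MinEntropy(d))     // about 1.415
}
```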

Page 7

Intel's 1999 RNG

[Figure: block diagram with Johnson Thermal Noise Source (resistor), Noise amplifier, Voltage Controlled Oscillator, High Speed Oscillator, Super Latch, Digital Corrector (Von Neumann bias correction); frequencies annotated ~500 KHz and ~400 MHz]

• Thermal noise modulates the slower oscillator.
• Oscillator triggers the super latch.
• Drift between the two oscillators provides the source of the random bits.
• 60:1 → 100:1 center frequency ratios.
• One bit generated for every 6 raw binary samples → about 75 Kbit/sec

Intel's First Generation RNG

Page 8

Ivy Bridge RNG Conceptual Design

[Figure: RNG block diagram: Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), RdKey, RdRand, BIST, Get Status; RdKey marked "Not implemented in Ivy Bridge"]

A New Design

Page 9

The Privacy Amplification Problem

Alice and Bob share a 2000 bit secret key K to secure their communication against their arch-nemesis Eve

They learn that Eve has learned part of K, say 200 bits . . .

. . . but they don't know which 200 bits

Is there some way they can still use K?

Alice and Bob know: H∞(K) = 2000 – 200 = 1800

A New Design: The Conditioner

Page 10

Privacy Amplification Solution

• The Leftover Hash Lemma of Impagliazzo, Levin and Luby (1989) solves the privacy amplification problem
• Definition. A family H of functions h : S → {0,1}^n is ε-universal if for all distinct s, t ∈ S, Pr_{h∈H}[h(s) = h(t)] ≤ ε
• Theorem (Leftover Hash Lemma). Assume H = {h : X → {0,1}^n} is a (1+η)/2^n-universal hash family. Then if h is selected uniformly over H, Σ_{s∈S} |h(X(s)) – U_n(X(s))| ≤ (η + 2^n/2^m)^(1/2)/2 where H∞(X) ≥ m
  – U_n denotes the uniform distribution on {0,1}^n
• Translation: universal hash families are efficient entropy extractors

A New Design: The Conditioner

Page 11

Central Idea

• Ideal entropy sources are hard to find in nature
• We may still hope to find sources that produce significant amounts of entropy, i.e., find X with H∞(X) ≥ m
• If the entropy source X satisfies H∞(X) ≥ m for some m > 0, then we can apply the Leftover Hash Lemma
• Design problems
  – Which universal hash family?
  – How many min-entropy bits m do we need?
  – How do we "uniformly" choose a member of the hash family?
    • Isn't it cheating to rely on a randomly selected function?
  – How do we get a source with a predictable min-entropy?

A New Design: The Conditioner

Page 12

The Hash Family and H∞ Value

• Definition. CBC-MAC mode on b block strings for a block cipher E : {0,1}^n × {0,1}^k → {0,1}^n is defined as
  M_1 . . . M_b ← M, tag ← 0, do i = 1 . . b ⇒ tag ← E(M_i ⊕ tag, K) od, output tag
• Theorem. (Dodis, Gennaro, Håstad, Krawczyk, Rabin; Crypto 2004) A block cipher E : {0,1}^n × {0,1}^k → {0,1}^n in CBC-MAC mode on b block strings is a (1+η)/2^n-universal hash family, where η = O(b^3/2^(2n))
• If the block cipher E is AES, and if the number of AES blocks b << 2^128, then η = O(b^3/2^256) ≈ 0 and the Leftover Hash Lemma bound for AES in CBC-MAC mode is (η + 2^128/2^m)^(1/2)/2 ≈ (2^(128 – m))^(1/2)/2 = 2^(64 – m/2)/2 = 2^(63 – m/2)
• If m ≥ 382 then 2^(63 – m/2) ≤ 2^(63 – 382/2) = 2^(63 – 191) = 2^(–128), and the 128 bit output will be indistinguishable from ideal

A New Design: The Conditioner

Page 13

Choosing the hash family member

[Figure: Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), with the labels "382 bits of min-entropy?", "Rekey the Conditioner", "Generate 128 bit AES key", "Min-entropy" and "Extracted entropy"]

A New Design: The Conditioner

Page 14

The Entropy Source

[Figure: RNG block diagram (Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), RdKey, RdRand, BIST, Get Status), repeated from Page 8]

A New Design

Page 15

Requirements

• Can be faithfully modeled
  – If we can faithfully model the source with a random variable X, we can compute the min-entropy of the source as log2(min_{s∈S}{1/X(s)})
• All digital: no analog components
  – No I/O
  – No redesign and revalidation for new process technologies
• Produce bits at a rate directly useful to applications
  – e.g., at least 100 Mbps for argument's sake, not 75 Kbps
• Pass the requirement to remove bias and correlation to the Conditioner

A New Design: The Entropy Source

Page 16

Entropy Source

• It is a latch built from a pair of cross-coupled inverters
  – Circuit assumes two stable (0/1) and one unstable state (meta-stable)
  – Circuit powered on in the meta-stable state
  – Circuit held in meta-stable state until Johnson thermal noise resolves circuit's value to 0 or 1
  – After the circuit resolves and outputs one bit value, power it off
  – Repeat at machine clock rate

A New Design: The Entropy Source

Page 17

Entropy Source Models

• Wanted: a faithful model that enables min-entropy computation
• Some early unhelpful but informative models:
  – Binary Memoryless Source with probability p: Pr[X_n = 1] = p, Pr[X_n = 0] = 1 – p, n = 1, 2, 3, . . .
  – Binary Stationary Source with probability p: Pr[X_n = 1] = Pr[X_n = 0] = ½, Pr[X_n | X_(n–1)] = p
    ○ A Binary Stationary Source is a Markov process with one bit of memory
• Our last, most informative and explanatory model is an Ornstein-Uhlenbeck process
  – A digital latch tends to resolve to its previous state, so our circuit slightly biases the next output to be different from the previous
  – An Ornstein-Uhlenbeck process models this: it is a mean reverting random walk
  – Model developed by Intel physicists Andrey Nikolaev and Dmitry Kabaev
• Transition probabilities computed from circuit electrical parameters

A New Design: The Entropy Source

Page 18

Min-Entropy

• Assume our model X faithfully represents the entropy source
  – Validation has not refuted this assumption
• We can configure the circuit's electrical parameters and temperature characteristics so that H∞(X) ≥ 0.97 for all supported voltages and temperatures
  – And disable hardware when voltage, temperature go out of spec
• Under the assumption that H∞(X) ≥ 0.97, the Conditioner needs ⌈382/0.97⌉ = 394 samples from the entropy source to produce a full entropy output
  – 394 – 128 = 266 bits is the tax for not knowing how (un)predictability is distributed throughout the samples
  – Source buffer containing raw samples should be at least 512 bits, since AES-CBC-MAC operates on a multiple of 128 bits (4 AES blocks)

A New Design: The Entropy Source

Page 19

The Classifier and Samples Buffer

[Figure: RNG block diagram (Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), RdKey, RdRand, BIST, Get Status), repeated from Page 8]

A New Design

Page 20

Health Tests

• We need two types of tests
  – Are samples distributed according to our model?
    • Can't claim min-entropy unless samples are distributed according to the model
  – How much entropy do samples appear to have?
    • To sanity check the model
• The Health Tests
  – Hypothesis testing to evaluate samples' faithfulness to the assumed distribution and to estimate the amount of entropy present
  – Add each sampled entropy source bit into the Buffer
  – Invoke the Conditioner after accumulating 382 bits of min-entropy (usually 394 samples)
• Runs of samples are "healthy" only if "accepted" by all tests
• Health Tests report an error if too many successive samples are unhealthy
  – Hardware is assumed to have broken

A New Design: Health Tests and Buffer

Page 21

Testing Discussion

• Many standard statistics assume independent and identically distributed (IID) data
• Our entropy source does not meet the independence assumption
  – An Ornstein-Uhlenbeck process is stationary and ergodic with finite memory
• Dependent data can cause statistical tests based on the IID assumption to over-estimate entropy and mis-classify samples
• We have implemented a diverse battery of tests to minimize the probability the source's entropy is over-estimated or samples mis-classified
• Different entropy tests will inevitably yield different confidence levels, so we always use the most conservative result
• We rely on intellectual property acquired from 3rd parties for most tests

A New Design: Health Tests and Buffer

Page 22

Example Test: Maurer's Universal Statistic

• Directly estimates the entropy in X by measuring the amount of redundant information
• This statistic only assumes that X is stationary and ergodic with finite memory
  – Does not assume samples from X are independent and identically distributed
• Let X = {X_1, . . ., X_t} denote outputs from an entropy source
• Partition X_1, . . ., X_t into two groups
  – X_1, . . ., X_q constitute a "compression dictionary"
  – X_(q+1), . . ., X_(q+k), where q + k = t
• For j > 0 define
  – A(X_j) = j if X_j ≠ X_i for all i < j, and otherwise
  – A(X_j) = min{i : i ≥ 1, X_j = X_(j–i)}
• Maurer's Universal statistic is µ_X = (Σ_(j=1..t) A(X_j))/k

A New Design: Health Tests and Buffer
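The A(X_j) distance and the dictionary/test-segment partition above, as an added example (not the talk's or any licensed test implementation): DistanceA follows the slide's definition on a 1-indexed sequence, and MaurerStatistic averages A over the test segment X_(q+1) . . . X_t (k = t – q). Maurer's statistic as usually stated averages log2 A(X_j) rather than A(X_j) itself, so the function returns the slide's plain average and the log2 form side by side; the six-symbol input is constructed for the walk-through, and a constant sequence shows the no-entropy case.

```go
package main

import "math"

// DistanceA implements the slide's A(X_j) on the 1-indexed sequence x:
// j if X_j has not appeared earlier, else the least i >= 1 with X_j == X_(j-i).
func DistanceA(x []int, j int) int {
	if j < 1 || j > len(x) {
		return 0 // out of range: no distance defined
	}
	for i := 1; i < j; i++ {
		if x[j-1] == x[j-1-i] {
			return i
		}
	}
	return j
}

// MaurerStatistic treats X_1..X_q as the compression dictionary and
// X_(q+1)..X_t as the test segment (k = t - q). It returns the slide's
// plain average of A(X_j) over the test segment and the log2 form of the statistic.
func MaurerStatistic(x []int, q int) (plain, logForm float64) {
	t := len(x)
	k := t - q
	if q < 1 || k < 1 {
		return math.NaN(), math.NaN() // both segments must be non-empty
	}
	var sumA, sumLog float64
	for j := q + 1; j <= t; j++ {
		a := DistanceA(x, j)
		sumA += float64(a)
		sumLog += math.Log2(float64(a))
	}
	return sumA / float64(k), sumLog / float64(k)
}

// ConstructedSamples is a constructed six-symbol sequence for the walk-through:
// A(X_1..X_6) = 1, 2, 2, 4, 3, 3, so with q = 2 the test-segment average is 12/4 = 3.
func ConstructedSamples() []int { return []int{1, 2, 1, 3, 2, 1} }
```

Larger A values mean earlier symbols are repeated less often, i.e. more entropy; a source that keeps emitting the same symbol drives A to 1 and the log2 form to 0.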

Page 23

The Rate Matcher

[Figure: RNG block diagram (Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), RdKey, RdRand, BIST, Get Status), repeated from Page 8]

A New Design

Page 24

Motivation

• RdRand meant as an instruction providing cryptographic entropy
• Instructions need to have deterministic execution time and low latency
• Conditioner can generate 128 bits of entropy every 394 cycles = 64 bits every 197 cycles
• Software can issue a burst of RdRand instructions at a much faster rate
• We also need a random key (the hash family member) for the Conditioner's AES-CBC-MAC implementation

A New Design: The Rate Matcher

Page 25

Rate Matcher

Rate Matcher = the SP 800-90 RBG

State: Key K, Ctr c, Ctr v

Init: K ← 0^128, c ← 0^128, v ← 0

Generate: c ← c + 1, r ← AES_K(c), c ← c + 1, x ← AES_K(c), c ← c + 1, y ← AES_K(c), K ← K ⊕ x, c ← c ⊕ y, v ← v + 1

Reseed(s,t): c ← c + 1, x ← AES_K(c), c ← c + 1, y ← AES_K(c), K ← K ⊕ x ⊕ s, c ← c ⊕ y ⊕ t, v ← 0

[Figure: state machine with s,t entering Reseed and r leaving Generate]

A New Design: The Rate Matcher
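The Init, Generate and Reseed steps above written out, as an added example (a transcription of the slide's state machine, not Intel's hardware or a drop-in SP 800-90 CTR_DRBG): each AES_K(c) is AES-128 over the 128-bit counter c, and Generate also enforces the Page 27 rule that the Rate Matcher is broken once v reaches 512 without a reseed. Counter arithmetic is big-endian; the seed values in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"errors"
)

// MaxReadsBetweenReseeds is the page 27 limit: v >= 512 without a reseed means broken.
const MaxReadsBetweenReseeds = 512

// RateMatcher holds the slide's registers: key K, counter c, read counter v.
type RateMatcher struct {
	K, c [16]byte
	v    int
}

// NewRateMatcher is Init: K <- 0^128, c <- 0^128, v <- 0.
func NewRateMatcher() *RateMatcher { return &RateMatcher{} }

// incr is c <- c + 1 on a 128-bit big-endian counter.
func incr(c *[16]byte) {
	for i := 15; i >= 0; i-- {
		c[i]++
		if c[i] != 0 {
			return
		}
	}
}

// next is the slide's recurring pair "c <- c + 1, AES_K(c)" under the current K.
func (r *RateMatcher) next() [16]byte {
	incr(&r.c)
	block, _ := aes.NewCipher(r.K[:]) // a 16-byte key cannot fail
	var out [16]byte
	block.Encrypt(out[:], r.c[:])
	return out
}

// xorInto applies dst <- dst XOR src for every src given.
func xorInto(dst *[16]byte, srcs ...[16]byte) {
	for _, s := range srcs {
		for i := range dst {
			dst[i] ^= s[i]
		}
	}
}

// Generate: r <- AES_K(c+1), x <- AES_K(c+2), y <- AES_K(c+3), then
// K <- K xor x, c <- c xor y, v <- v + 1. Refuses to run once the reseed limit is hit.
func (r *RateMatcher) Generate() ([16]byte, error) {
	if r.v >= MaxReadsBetweenReseeds {
		return [16]byte{}, errors.New("v >= 512 without reseed: hardware declares itself broken")
	}
	out := r.next()
	x := r.next()
	y := r.next()
	xorInto(&r.K, x)
	xorInto(&r.c, y)
	r.v++
	return out, nil
}

// Reseed(s, t): x <- AES_K(c+1), y <- AES_K(c+2), K <- K xor x xor s,
// c <- c xor y xor t, v <- 0.
func (r *RateMatcher) Reseed(s, t [16]byte) {
	x := r.next()
	y := r.next()
	xorInto(&r.K, x, s)
	xorInto(&r.c, y, t)
	r.v = 0
}
```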

Page 26

RNG Interface

[Figure: RNG block diagram (Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), RdKey, RdRand, BIST, Get Status), repeated from Page 8]

A New Design

Page 27

API functions

• Goal: Provide a FIPS 140 cryptographic boundary around internal state
  – Defined API the only means of crossing this boundary
• RdRand – provide 64 bits cryptographic entropy
  – Worst case: Rate Matcher reseeded every 512 RdRand instructions
    • The hardware declares itself broken if it doesn't reseed sooner, i.e., v ≥ 512
  – An adversary's advantage against counter mode is no better than Adv_AES(q,t) + q^2/2^129, where
    • q = maximum number of reads
    • t = maximum time adversary invests in the attack
• RdKey – provide 64 bits of information-theoretic entropy
  – Not yet implemented
• GetStatus – 1 bit register to indicate whether the RNG hardware is working properly

A New Design: The RNG Interface

Page 28

Side Channels

• Timing and power analysis attacks
  – The RNG crypto and classifier blocks can always be built to thwart timing and power analysis
• Power glitching attacks
  – RNG turns itself off when voltage or temperature goes out of spec
  – The RNG reinitializes itself when power and voltage return to spec
• EMI attacks
  – Still needs more work to understand the EMI characteristics of the design

A New Design: The RNG Interface

Page 29

Built-in Self-Tests

[Figure: RNG block diagram (Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), RdKey, RdRand, BIST, Get Status), repeated from Page 8]

A New Design

Page 30

Why Built-In Self Tests?

• To support debug most modern hardware provides access to all internal registers using scan chains
• Examining register values through scan chains is becoming a routine attack vector
• The RNG has numerous internal registers
  – Conditioner key
  – Rate matcher's parameters K, c, v
  – Registers for Conditioner output
  – Registers for the health tests statistics
  – Classified samples buffer
• Strategy: Use built-in self-tests to evaluate whether the blocks implementing the RNG are operating correctly
  – No scan-chains through the RNG
    • RNG status register the only way to determine circuit's state

A New Design: BIST

Page 31

Summary

• Cryptography is impossible without randomness
• Theory is an indispensable and practical design tool
  – The theory of universal hash families tells us how many samples to collect to get a full-entropy output
  – It also gives requirements for the entropy source
  – Stochastic processes for modeling entropy source
  – Finding the right statistical tests
  – Building a DRBG that resists attack
• The chain of evidence presented suggests the Ivy Bridge RNG delivers cryptographic entropy at over 1 Gbps

Page 32

Feedback?

Page 33

BACKUP

Page 34

How do Attacks Work?

[Figure: a Functional Block with Input and Output interfaces]

Functional block communicates with its environment through interfaces

Adversary monitors information exchanged via interfaces to learn something it shouldn't

Or adversary injects information and control through the interface to make algorithm act outside its specification

Security must treat the environment itself as the adversary

Page 35

H∞(X) ≤ H(X)

• Assume E(X) = 1
  – Not essential; just simplifies the reasoning
• The Rényi entropy is H_ren(X) = –log2(Σ_{s∈S} X(s)^2)
• Σ_{s∈S} X(s)^2 ≤ Σ_{s∈S} X(s)·max{X(s) : s ∈ S} = max{X(s) : s ∈ S}
• Therefore
  – log2(Σ_{s∈S} X(s)^2) ≤ log2(max{X(s) : s ∈ S}) and
  – H∞(X) = –log2(max{X(s) : s ∈ S}) ≤ –log2(Σ_{s∈S} X(s)^2) = H_ren(X)
• Since log2(·) is concave, Jensen's inequality implies log2(Σ_{s∈S} X(s)^2) ≥ Σ_{s∈S} X(s)·log2(X(s)), so
• H∞(X) ≤ H_ren(X) = –log2(Σ_{s∈S} X(s)^2) ≤ –Σ_{s∈S} X(s)·log2(X(s)) = H(X)

Page 36

Ornstein-Uhlenbeck Processes

• The only process which is stationary, Markov and Gaussian
• Over time the process tends to drift toward its long-term mean
• Represented as a stochastic differential equation dX_t = θ(µ – X_t)dt + σdW_t
  – µ = long term mean
  – var(X_t) = σ^2/2θ is bounded
  – W_t is a Wiener process (Brownian motion)
• Scaling limit of a discrete process
  – An urn contains red and green balls
  – At each step a ball is drawn randomly and replaced by a ball with the opposite color
  – If X_n = number of red balls at step n, then (X_(nt) – n/2)/√n converges to an Ornstein-Uhlenbeck process

Page 37

DRBG Attacks

• Direct cryptanalytic attack
• Input attacks
• Backtracking attack
• Permanent compromise
• Iterative guessing attack
• Meet-in-the-Middle attack