3. No matter how good the algorithm, bad random numbers =
4. Cisco Confidential 2017 All Rights Reserved
What is entropy?
• Entropy is true randomness
• Such as atmospheric pressure
• and Lava Lamps (Cloudflare’s lava lamp wall…)
• Used to seed the DRBG
5. Random numbers and security
• Cryptographic key generation (MACSec, IPSec, SSH, TLS ...)
• Nonces and initialization vectors (802.11i, EAP, MACSec...)
• Padding schemes, digital signatures (DSA, OTPs...)
• Using poor random numbers (random != unique) can have catastrophic consequences. And cause severe embarrassment!
7. /dev/[u]random - Linux
Image courtesy of: http://samvartaka.github.io; updated by Debra Baker
[Diagram: /dev/[u]random on Linux. Labels: Seed File; Conditioned; SHA-1/SHA-256/(preferred) SHA-512; Output to DRBG; OpenSSL. Note on slide: Conditioning is Optional per latest Draft NIST SP 800-90C]
8. Typical Entropy Sources
• System Time
• Clock Cycles
• /proc PIDS
• /dev Names
• interrupts
• Drivers Info
• Disk Request
• Keyboard/Mouse
[Diagram labels: Entropy Pools; Random Bits]
9. Fortuna Entropy Source – FreeBSD 11.1 and above, QNX 7.0
[Diagram labels: Entropy Sources; Entropy Accumulator; 32 Separate Entropy Pools (P0, P1,...P31); Health Tests; Random Bits Conditioner; Output to DRBG seed file; Reseed; Generator; KEY (Internal State); Output Function; Seed File]
[Callout on slide: Fortuna ensures blocked unless have enough and random data to seed DRBG]
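The Fortuna design named on this slide, as an added sketch (not FreeBSD's or QNX's code and not part of the original deck): events are spread over 32 pools, pool i is drawn on only when 2^i divides the reseed count, and output is refused until pool 0 has gathered enough input. Assumptions: the class and method names are hypothetical, SHA-256 over key and counter stands in for the AES-256 counter-mode generator, and no reseed rate limit is modelled.

```python
import hashlib

NUM_POOLS = 32         # P0..P31, as on the slide
MIN_POOL0_BYTES = 64   # Fortuna design value: no reseed until P0 holds this much

class NotSeeded(Exception):
    """Raised instead of returning output before the first reseed."""

class FortunaSketch:
    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_bytes = 0
        self.next_pool = 0      # round-robin index for incoming events
        self.reseed_count = 0
        self.key = bytes(32)    # generator internal state ("KEY" on the slide)
        self.counter = 0

    def add_event(self, source_id: int, data: bytes) -> None:
        """Accumulator: spread events over the pools in round-robin order."""
        if not 1 <= len(data) <= 32:
            raise ValueError("Fortuna events are 1..32 bytes")
        if self.next_pool == 0:
            self.pool0_bytes += len(data)
        self.pools[self.next_pool].update(bytes([source_id, len(data)]) + data)
        self.next_pool = (self.next_pool + 1) % NUM_POOLS

    def pools_for_reseed(self, n: int) -> list:
        """Pool i feeds reseed number n only if 2**i divides n."""
        return [i for i in range(NUM_POOLS) if n % (1 << i) == 0]

    def _block(self) -> bytes:
        # Assumption: SHA-256(key || counter) stands in for AES-256 in counter mode.
        self.counter += 1
        return hashlib.sha256(self.key + self.counter.to_bytes(16, "little")).digest()

    def random_bytes(self, n: int) -> bytes:
        if self.pool0_bytes >= MIN_POOL0_BYTES:
            self.reseed_count += 1
            used = self.pools_for_reseed(self.reseed_count)
            seed = b"".join(self.pools[i].digest() for i in used)
            for i in used:
                self.pools[i] = hashlib.sha256()   # drain pools that were used
            self.pool0_bytes = 0
            self.key = hashlib.sha256(self.key + seed).digest()
        if self.reseed_count == 0:
            raise NotSeeded("pool 0 has not collected enough input yet")
        out = b"".join(self._block() for _ in range(-(-n // 32)))[:n]
        self.key = self._block()   # rekey so earlier output cannot be recomputed
        return out
```

Because the higher-numbered pools are drained exponentially less often, they keep accumulating input across many reseeds, which is what lets the generator recover after its internal state has been exposed.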
10. /dev/[u]random and Embedded Systems
Image courtesy of: http://samvartaka.github.io
11. What to do?
• Software-Only…
o QNX 7.0 (random.c) – Fortuna
o FreeBSD 11.1 – Fortuna
o Truerand.c
• Use a Hardware RNG
o Act2Lite, Cavium, on-board entropy chip Intel (DRNG)
• Make sure your entropy pool is seeded on boot and reseeded properly
• Test the PRNG using NIST SP800-90B assessment tools
Editor's Notes
7 Most Dangerous New Attacks – 2017 https://www.sans.org/the-seven-most-dangerous-new-attack-techniques
Weak Random Number Generators
Creating good random numbers is a challenging problem. Small devices make it difficult to collect enough random events to initialize the algorithms used to create random numbers. Recent research has shown how this can be exploited to break WPA2 encryption. But the problem reaches well beyond Wi-Fi and WPA2. Encryption without good random numbers will put a wide range of security related algorithms at risk.
Why it matters: Most wireless protocols, not just Wi-Fi, rely on good random numbers to encrypt connections. Without good random numbers, these connections are not secure.
Deterministic Random Bit Generator
Lava Lamp gif is from the Smithsonian web site: https://www.smithsonianmag.com/arts-culture/the-history-of-the-lava-lamp-21201966/
All cryptographic algorithms are seeded with a random number from a random source.
From 33C3: Analyzing Embedded Operating System Random Number Generators paper
http://samvartaka.github.io/cryptanalysis/2017/01/03/33c3-embedded-rngs
https://github.com/freebsd/freebsd/blob/master/sys/dev/random/fortuna.c
From 33C3: Analyzing Embedded Operating System Random Number Generators paper
NIST SP 800-90C (optional for conditioning of random symbol data)