SlideShare a Scribd company logo
1 of 52
Download to read offline
CNIT 141
Cryptography for Computer Networks
2. Randomness
Topics
• Random or Non-Random?
• Randomness as a Probability Distribution
• Entropy: A Measure of Uncertainty
• Random Number Generators (RNGs) and

Pseudorandom Number Generators (PRNGs)
• Real-World PRNGs
• How Things Can Go Wrong
Random or Non-Random?
What is Randomness?
• Is 11010110 more random than 00000000 ?
• Both are equally likely, as exact values
• But if the first one is described as "three
zeroes and five ones" it's more likely
• So if we see something that "looks like"
11010110
• That is more likely to be truly random than
00000000
Randomness as a
Probability Distribution
Probability
• A fair coin
• 50% chance of head, 50% chance of tails
• A fair die
• 1/6 chance of 1, 1/6 of 2, ... up to 6
• Total is always 100%
• Uniform distribution
• Equal chance of every outcome
Entropy: A Measure of
Uncertainty
Definition of Entropy
• Distribution has probabilities
p1, p2, ... pN
• Entropy is
- p1 log(p1) - p2 log(p2) ... - pN log(pN)
• log is to base 2
Examples
• One random bit: probabilities
1/2, 1/2
• Entropy is
- 1/2 log(1/2) - 1/2 log(1/2)
log(1/2) = -1, so this is
- 1/2 (-1) - 1/2 (-1) = 1 bit
• Also called information content
Examples
• One random byte: probabilities
1/256, 1/256, ... 1/256 (256 equal values)
• Entropy is
- 1/256 log(1/256) - 1/256 log(1/256) ... 

(256 terms)
log(1/256) = -8, so this is
- 1/256 (-8) - 1/256 (-8) ... (256 terms) 

= 8 bits
Examples
• One non-random bit: probabilities
100% of 0, 0% of 1
• Entropy is
- 1 log(1) - 0 log(0)
log(1) = 0, ignore second term, so this is
0 bits
Python Code
Eight Possibilities
Weighted Coin
Random Number Generators (RNGs)
and


Pseudorandom Number Generators
(PRNGs)
RNGs and PRNGs
• To generate randomness, computers need
• A source of entropy
• Provided by a Random Number
Generator (RNG)
• An algorithm to produce random bits from
the entropy
• Pseudorandom Number Generator
(PRNG)
RNG
• Randomness comes from the environment
• Analog, chaotic, unpredictable
• Temperature, acoustic noise, random
electrical fluctuations
• Sensors: I/O devices, network or disk
activity, logs, running processes,
keypresses, mouse movements
QRNG
• Quantum Random Noise Generator
• Radioactive decay, vacuum polarization,
photons
PRNG
• Pseudorandom Noise Generator
• Create many artificial random bits
• From a few truly random bits
• Continues working even if physical source
stops (e.g., the mouse stops moving)
How PRNGs Work
• PRNG receives random bits from RNG
• at regular intervals
• Updates the entropy pool
• Mixes pool's bits together when updating
• To remove bias
DRBG
• The PRNG uses a Deterministic Random Bit
Generator (DRBG)
• Expands some bits from the entropy pool into
a much longer sequence
• Deterministic: not randomized
• Always produces the same stream of bits
from the same input
PRNG Operations
• init()
• Initializes the entropy pool and the internal state of
the PRNG
• refresh()
• Updates the entropy pool using R (data from the
RNG), called reseeding
• R is called the seed
• next()
• Returns N pseudorandom bits and updates the
entropy pool
Security Concerns
• Backtracking resistance
• Also called forward secrecy
• Previously generated bits are impossible to
recover
• Prediction resistance
• Future bits are impossible to predict
• NSA stores exabytes of captured encrypted traffic
• 1 EB is 1 million TB
• Waiting for cryptographic keys to be found
Achieving Resistance
• Backtracking resistance
• refresh and next operations must be
irreversible, so
• If attacker obtains the entropy pool, they still
can't determine previously generated bits
• Prediction resistance
• PRNG must refresh regularly with R values
that the attacker cannot find or guess
Fortuna
• A PRNG designed in 2003 by Neils Ferguson
and Bruce Schneier
• Used in Windows
• Uses 32 entropy pools, a 16-byte key, and a
16-byte counter
• Mac OS and iOS use Yarrow
• Designed in 1998 by Kelsey and Schneier
Security Failures
• If RNGs fail to produce enough random bits
• Fortuna might not notice, and produce lower-
quality pseudorandom bits
• Or stop delivering bits
• If seed files are stolen or re-used,
• Fortuna will produce identical sequences of
bits
Cryptographic vs. Non-
Cryptographic PRNGs
• Most PRNGs provided for programming
languages are non-cryptographic
• Only concerned with statistical randomness,
not predictability
• Often use Mersenne Twister algorithm
• Cryptographic PRNGs are unpredictable
Real-World PRNGs
Unix-Based Systems
• /dev/urandom gets data from the crypto
PRNG
• Non-blocking: always returns data, even if
entropy is low
• /dev/random
• Blocking: refuses to return data if entropy is
low
Blocking
• Blocking turned out to be a bad idea
• Entropy estimates are unreliable
• Attackers can fool them
• /dev/random runs out of entropy quickly
• Producing denial of service while waiting
for more entropy
• In practice, /dev/urandom is better
• Links Ch 2b, Ch 2c
Linux Commands
• To see entropy pool
• for i in {1..100}; do cat /proc/sys/kernel/
random/entropy_avail; sleep 2; done
• To consume entropy
• dd if=/dev/random bs=8 count=8 | base64
Demo: Without Haveged
Demo: With Haveged
Windows
• CryptGenRandom() function
• Now replaced by BcryptGenRandom()
• Takes entropy from the kernel mode driver
cng.sys (formerly ksedd.sys)
• Loosely based on Fortuna
Intel RDRAND
• Hardware RNG introduced in 2012 with Ivy
Bridge
• Uses RDRAND assembly language instruction
• Only partially documented
• Some people fear that it has an NSA backdoor
• Talk given in 2007
• Link Ch 2d
• Dual_EC_DRBG is 1000x slower that other
options
• Championed by the NSA
• Schneier said to avoid it in 2007
• Link Ch 2f
• TOP SECRET leaks from Snowden
• New York Times, 2013 (Link Ch 2h)
• Link Ch 2g
How Things Can Go
Wrong
Poor Entropy Sources
• Netscape's SSL in 1996
• Seeded from process ID and system time in
microseconds
• Predictable values
• Total entropy only 47 bits, but should have
had 128
• In 2012, researchers tested 7.1 million 1024-
bit RSA public keys
• 27,000 of them had a shared prime factor (p or
q)
• Link Ch 2i
Insufficient Entropy 

at Boot Time
• Cause: devices generated public keys early
after bootup, before collecting enough entropy
Non-Cryptographic PRNG
• Old version of MediaWiki, used for Wikipedia
• mt_rand is a Mersenne Twister
Sampling Bug with

Strong Randomness
• Cryptocat had an
off-by-one error
• Values had 45
bits of entropy
instead of 53
CNIT 141: 2. Randomness

More Related Content

What's hot

What's hot (20)

5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
 
Hash Function
Hash Function Hash Function
Hash Function
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash Functions
 
Stream Ciphers
Stream CiphersStream Ciphers
Stream Ciphers
 
symmetric key encryption algorithms
 symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptx
 
Pseudo Random Number
Pseudo Random NumberPseudo Random Number
Pseudo Random Number
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
 
Modern symmetric cipher
Modern symmetric cipherModern symmetric cipher
Modern symmetric cipher
 
Post quantum cryptography - thesis
Post quantum cryptography - thesisPost quantum cryptography - thesis
Post quantum cryptography - thesis
 
Des lecture
Des lectureDes lecture
Des lecture
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
Block Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption StandardBlock Ciphers and the Data Encryption Standard
Block Ciphers and the Data Encryption Standard
 
Homomorphic encryption
Homomorphic encryptionHomomorphic encryption
Homomorphic encryption
 
DES
DESDES
DES
 
Quantam cryptogrphy ppt (1)
Quantam cryptogrphy ppt (1)Quantam cryptogrphy ppt (1)
Quantam cryptogrphy ppt (1)
 
Post quantum cryptography
Post quantum cryptographyPost quantum cryptography
Post quantum cryptography
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 

Similar to CNIT 141: 2. Randomness

The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
  The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell  The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Cloudflare
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyJoshua McDougall
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
What is pseudo random number
What is pseudo random numberWhat is pseudo random number
What is pseudo random numberAkshay Tikekar
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number GeneratorXequeMateShannon
 
Solving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in SoftwareSolving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in SoftwareRay Potter
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersVlad Garbuz
 
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz «Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz 0xdec0de
 
CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)Sam Bowne
 
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...Kenji Rikitake
 
Anon p2p slides
Anon p2p slidesAnon p2p slides
Anon p2p slideschintaan
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoTMark Carney
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep DiveDiego Pacheco
 
Quantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, CiscoQuantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, CiscoVishnu Pendyala
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
CNIT 141 5. Stream Ciphers
CNIT 141 5. Stream CiphersCNIT 141 5. Stream Ciphers
CNIT 141 5. Stream CiphersSam Bowne
 

Similar to CNIT 141: 2. Randomness (20)

The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
  The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell  The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
 
Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014Sullivan randomness-infiltrate 2014
Sullivan randomness-infiltrate 2014
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
BTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation CeremonyBTC2019 - The Key Creation Ceremony
BTC2019 - The Key Creation Ceremony
 
nabdullin_brcrdu_dark
nabdullin_brcrdu_darknabdullin_brcrdu_dark
nabdullin_brcrdu_dark
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
What is pseudo random number
What is pseudo random numberWhat is pseudo random number
What is pseudo random number
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number Generator
 
Solving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in SoftwareSolving 800-90 Entropy Requirements in Software
Solving 800-90 Entropy Requirements in Software
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphers
 
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz «Applied cryptanalysis stream ciphers» by Vladimir Garbuz
«Applied cryptanalysis stream ciphers» by Vladimir Garbuz
 
CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)CNIT 125 Ch 4. Security Engineering (Part 2)
CNIT 125 Ch 4. Security Engineering (Part 2)
 
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
Erlang, random numbers, and the security: London Erlang User Group Talk Slide...
 
Anon p2p slides
Anon p2p slidesAnon p2p slides
Anon p2p slides
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoT
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
Encryption Deep Dive
Encryption Deep DiveEncryption Deep Dive
Encryption Deep Dive
 
Quantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, CiscoQuantum cryptography by Girisha Shankar, Sr. Manager, Cisco
Quantum cryptography by Girisha Shankar, Sr. Manager, Cisco
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to Root
 
CNIT 141 5. Stream Ciphers
CNIT 141 5. Stream CiphersCNIT 141 5. Stream Ciphers
CNIT 141 5. Stream Ciphers
 

More from Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 

Recently uploaded

24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...Nguyen Thanh Tu Collection
 
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSean M. Fox
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxAdelaideRefugio
 
An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismDabee Kamal
 
Climbers and Creepers used in landscaping
Climbers and Creepers used in landscapingClimbers and Creepers used in landscaping
Climbers and Creepers used in landscapingDr. M. Kumaresan Hort.
 
e-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopale-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi RajagopalEADTU
 
An Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppAn Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppCeline George
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxMohamed Rizk Khodair
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....Ritu480198
 
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptxAnalyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptxLimon Prince
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsSandeep D Chaudhary
 
Scopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS PublicationsScopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS PublicationsISCOPE Publication
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...EADTU
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...Gary Wood
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxneillewis46
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...EduSkills OECD
 
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community PartnershipsSpring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community Partnershipsexpandedwebsite
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhleson0603
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFVivekanand Anglo Vedic Academy
 

Recently uploaded (20)

24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
24 ĐỀ THAM KHẢO KÌ THI TUYỂN SINH VÀO LỚP 10 MÔN TIẾNG ANH SỞ GIÁO DỤC HẢI DƯ...
 
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading RoomSternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
Sternal Fractures & Dislocations - EMGuidewire Radiology Reading Room
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptx
 
An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in Hinduism
 
Climbers and Creepers used in landscaping
Climbers and Creepers used in landscapingClimbers and Creepers used in landscaping
Climbers and Creepers used in landscaping
 
e-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopale-Sealing at EADTU by Kamakshi Rajagopal
e-Sealing at EADTU by Kamakshi Rajagopal
 
An Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge AppAn Overview of the Odoo 17 Knowledge App
An Overview of the Odoo 17 Knowledge App
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptx
 
diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....diagnosting testing bsc 2nd sem.pptx....
diagnosting testing bsc 2nd sem.pptx....
 
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptxAnalyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
Scopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS PublicationsScopus Indexed Journals 2024 - ISCOPUS Publications
Scopus Indexed Journals 2024 - ISCOPUS Publications
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
Graduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptxGraduate Outcomes Presentation Slides - English (v3).pptx
Graduate Outcomes Presentation Slides - English (v3).pptx
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community PartnershipsSpring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDF
 

CNIT 141: 2. Randomness

  • 1. CNIT 141 Cryptography for Computer Networks 2. Randomness
  • 2. Topics • Random or Non-Random? • Randomness as a Probability Distribution • Entropy: A Measure of Uncertainty • Random Number Generators (RNGs) and
 Pseudorandom Number Generators (PRNGs) • Real-World PRNGs • How Things Can Go Wrong
  • 4. What is Randomness? • Is 11010110 more random than 00000000 ? • Both are equally likely, as exact values • But if the first one is described as "three zeroes and five ones" it's more likely • So if we see something that "looks like" 11010110 • That is more likely to be truly random than 00000000
  • 6. Probability • A fair coin • 50% chance of head, 50% chance of tails • A fair die • 1/6 chance of 1, 1/6 of 2, ... up to 6 • Total is always 100% • Uniform distribution • Equal chance of every outcome
  • 7. Entropy: A Measure of Uncertainty
  • 8. Definition of Entropy • Distribution has probabilities p1, p2, ... pN • Entropy is - p1 log(p1) - p2 log(p2) ... - pN log(pN) • log is to base 2
  • 9. Examples • One random bit: probabilities 1/2, 1/2 • Entropy is - 1/2 log(1/2) - 1/2 log(1/2) log(1/2) = -1, so this is - 1/2 (-1) - 1/2 (-1) = 1 bit • Also called information content
  • 10. Examples • One random byte: probabilities 1/256, 1/256, ... 1/256 (256 equal values) • Entropy is - 1/256 log(1/256) - 1/256 log(1/256) ... 
 (256 terms) log(1/256) = -8, so this is - 1/256 (-8) - 1/256 (-8) ... (256 terms) 
 = 8 bits
  • 11. Examples • One non-random bit: probabilities 100% of 0, 0% of 1 • Entropy is - 1 log(1) - 0 log(0) log(1) = 0, ignore second term, so this is 0 bits
  • 15.
  • 16. Random Number Generators (RNGs) and 
 Pseudorandom Number Generators (PRNGs)
  • 17. RNGs and PRNGs • To generate randomness, computers need • A source of entropy • Provided by a Random Number Generator (RNG) • An algorithm to produce random bits from the entropy • Pseudorandom Number Generator (PRNG)
  • 18. RNG • Randomness comes from the environment • Analog, chaotic, unpredictable • Temperature, acoustic noise, random electrical fluctuations • Sensors: I/O devices, network or disk activity, logs, running processes, keypresses, mouse movements
  • 19. QRNG • Quantum Random Noise Generator • Radioactive decay, vacuum polarization, photons
  • 20. PRNG • Pseudorandom Noise Generator • Create many artificial random bits • From a few truly random bits • Continues working even if physical source stops (e.g., the mouse stops moving)
  • 21. How PRNGs Work • PRNG receives random bits from RNG • at regular intervals • Updates the entropy pool • Mixes pool's bits together when updating • To remove bias
  • 22. DRBG • The PRNG uses a Deterministic Random Bit Generator (DRBG) • Expands some bits from the entropy pool into a much longer sequence • Deterministic: not randomized • Always produces the same stream of bits from the same input
  • 23. PRNG Operations • init() • Initializes the entropy pool and the internal state of the PRNG • refresh() • Updates the entropy pool using R (data from the RNG), called reseeding • R is called the seed • next() • Returns N pseudorandom bits and updates the entropy pool
  • 24. Security Concerns • Backtracking resistance • Also called forward secrecy • Previously generated bits are impossible to recover • Prediction resistance • Future bits are impossible to predict
  • 25. • NSA stores exabytes of captured encrypted traffic • 1 EB is 1 million TB • Waiting for cryptographic keys to be found
  • 26.
  • 27. Achieving Resistance • Backtracking resistance • refresh and next operations must be irreversible, so • If attacker obtains the entropy pool, they still can't determine previously generated bits • Prediction resistance • PRNG must refresh regularly with R values that the attacker cannot find or guess
  • 28. Fortuna • A PRNG designed in 2003 by Neils Ferguson and Bruce Schneier • Used in Windows • Uses 32 entropy pools, a 16-byte key, and a 16-byte counter • Mac OS and iOS use Yarrow • Designed in 1998 by Kelsey and Schneier
  • 29. Security Failures • If RNGs fail to produce enough random bits • Fortuna might not notice, and produce lower- quality pseudorandom bits • Or stop delivering bits • If seed files are stolen or re-used, • Fortuna will produce identical sequences of bits
  • 30. Cryptographic vs. Non- Cryptographic PRNGs • Most PRNGs provided for programming languages are non-cryptographic • Only concerned with statistical randomness, not predictability • Often use Mersenne Twister algorithm • Cryptographic PRNGs are unpredictable
  • 32. Unix-Based Systems • /dev/urandom gets data from the crypto PRNG • Non-blocking: always returns data, even if entropy is low • /dev/random • Blocking: refuses to return data if entropy is low
  • 33. Blocking • Blocking turned out to be a bad idea • Entropy estimates are unreliable • Attackers can fool them • /dev/random runs out of entropy quickly • Producing denial of service while waiting for more entropy • In practice, /dev/urandom is better
  • 34. • Links Ch 2b, Ch 2c
  • 35. Linux Commands • To see entropy pool • for i in {1..100}; do cat /proc/sys/kernel/ random/entropy_avail; sleep 2; done • To consume entropy • dd if=/dev/random bs=8 count=8 | base64
  • 38. Windows • CryptGenRandom() function • Now replaced by BcryptGenRandom() • Takes entropy from the kernel mode driver cng.sys (formerly ksedd.sys) • Loosely based on Fortuna
  • 39. Intel RDRAND • Hardware RNG introduced in 2012 with Ivy Bridge • Uses RDRAND assembly language instruction • Only partially documented • Some people fear that it has an NSA backdoor
  • 40. • Talk given in 2007 • Link Ch 2d
  • 41.
  • 42. • Dual_EC_DRBG is 1000x slower that other options • Championed by the NSA • Schneier said to avoid it in 2007 • Link Ch 2f
  • 43. • TOP SECRET leaks from Snowden • New York Times, 2013 (Link Ch 2h)
  • 44.
  • 46. How Things Can Go Wrong
  • 47. Poor Entropy Sources • Netscape's SSL in 1996 • Seeded from process ID and system time in microseconds • Predictable values • Total entropy only 47 bits, but should have had 128
  • 48. • In 2012, researchers tested 7.1 million 1024- bit RSA public keys • 27,000 of them had a shared prime factor (p or q) • Link Ch 2i
  • 49. Insufficient Entropy 
 at Boot Time • Cause: devices generated public keys early after bootup, before collecting enough entropy
  • 50. Non-Cryptographic PRNG • Old version of MediaWiki, used for Wikipedia • mt_rand is a Mersenne Twister
  • 51. Sampling Bug with
 Strong Randomness • Cryptocat had an off-by-one error • Values had 45 bits of entropy instead of 53