This document discusses an entropy downgrade attack and provides solutions to strengthen a system's entropy and random number generation. It explains that computers have limited entropy for generating strong cryptographic keys. An attacker can force a system to generate keys using less entropy, making the keys easier to crack. The document recommends increasing the entropy pool size, optimizing entropy collection, using hardware entropy sources, and caching previously generated strong primes to strengthen a system against this attack. It provides code examples and tools to help implement these solutions.

1. Defeating the
entropy downgrade
attack

2. Bio: Seth Wahle
Founding Partner:
www.Cyberdonix.com
Founder:
www.DemonBucket.com
Electronics engineer and Hardware Hacker
Previously spoken at Hackmiami and B-sides Las Vegas
Featured in Forbes and BBC for hacking android phones using an implanted NFC
chip.
& Lead engineer
twitter.com/SethWahle Linkedin.com/in/seth-wahle-92b28269
Website: SethWahle.com

3. "Browser Exploit Against
SSL/TLS"
BEAST Factoring RSA Export
Keys
FREAK
buying and selling a product or
service. It includes advertising,
selling and delivering products
BRANDING COMPANY
"Padding Oracle On
Downgraded Legacy
Encryption"
POODLE
Security Losses from Obsolete
and Truncated Transcript
Hashes
SLOTH
20152011 2015
2014 2016
Brief Company History

4. Background Info
Demon Bucket server kept locking up mysteriously.
Many user doing 2048 bit or 4096 bit encryption
/random
● Uses entropy gathered from actual
entropy sources.
● Locks CPU until entropy is collected
to complete encryption
● Used for critical random(encryption)
/urandom
● sudo random random numbers based
on an openly distributed algorithm
● Does not lock CPU ever
● acceptable for low grade random
generation (games,etc)

5. Continued
● Spurred an interest and a need to learn about encryption and entropy to make
my server work properly.
● Implemented several modifications that we will go over shortly.
● Later learned of the possibility of an entropy downgrade attack.

6. 1. Choose two prime numbers
2. Multiply the prime numbers together to
form a semi-prime number (N)
3. This becomes the modulus
4. Find the (phi) function of the modulus
5. Choose an encryption number(E)
where E is between 1 and (phi) of N
and is coprime with the modulus
1: P = 2 ,Q = 7
2: N = 14 is the modulus
3:(phi)N=(P-1)(Q-1) = 1*6 = 6
4: E = 5
5: E,N = public key
6: M= message
so we will encrypt using the
equation
Encrypt
M5(mod 14)=Cypher Text (C)

7. 1. Choose a decryption number(D) where
the decryption times the encryption
number to the modulus of (phi)N is equal
to 1
2. D and N are the private key
5*D(mod 6) = 1
D = every 6th multiple, so we
choose 11
D=11
Decryption
Remember: P = 2 , Q = 7, N = 14, (phi)N= 6, E=5
M= Message, C = Cypher Text
Decrypt using the equation
CD mod N = M

8. How This Applies
1. Choose a RANDOM prime number = P
2. Choose a RANDOM prime number = Q
3. Choose a RANDOM number that fits a criteria E
4. Choose a RANDOM number that fits a criteria D
This all requires RANDOM numbers!
and random numbers come from entropy.

9. How the entropy
downgrade attack
works.

10. Choose P =
Select any random number, Then find find the next prime number larger than
the chosen number. (uses blah blah blah algorithm, ask me if you wanna see
how it’s done)
Random Numbers are generated using ENTROPY
Entropy - Random noise
# cat /proc/sys/kernel/random/entropy_avail
Computers average between 50 and 1000 bits of entropy when not
modified for better entropy gathering VM’s are worse due to a lack of IO.

11. Breaking an Encryption
● Capture the public key
● Guess the second Prime
● Run that though the RSA algorithms
● See if it comes out clear text
Rinse and repeat until it comes out clear text.
This is extremely hard to do against large primes (1024 bit+)
trivial to do against small primes

12. Entropy Vs Encryption
Perform a 1024 bit encryption with 2000 bits of entropy out of the entropy pool
remove 1024 bits of entropy from the pool and use it to generate a 1024
character long number then find the next higher number that is prime.
Prime = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX~
Perform a 1024 bit encryption with 1 bit of entropy in the pool
Prime = X00000000000000000000000000000000000~ = X
X = 1 or 0
Only 2 combinations to try!

13. Downgrading Entropy
Find a server serving employing SSL
Hit it with thousands of session requests
a second
Capture legitimate sessions and
decrypt with ease

14. The Pool size Problem
# cat /proc/sys/kernel/random/poolsize
all current linux systems hard coded in kernel at 4096

15. Pool Size Fix
Recompile The Kernel with a larger poolsize
It’s easy, ask me after and I will show you how.

16. Watermarking Problem
100%
0%
35%
85%
4096 Bit Pool
Start Collecting
Entropy
Stop Collecting
Entropy
SysCtl has a watermarking feature that stops and
starts collecting entropy on to the entropy pool at
certain levels +/- churn
This was done to save ridiculously tiny amounts of
system resources.
This is hardcoded as well : (

17. Watermarking Fix
100%
0%
75%
16,384 Bit Pool
Start Collecting
Entropy
Stop Collecting
Entropy
Install RNG-tools and set new
watermark
RNG-tools over writes some of the
systems entropy setting one of them
being the watermarking options, This
allows you to fix the watermarking
without recompiling sysctl
RNG-tools also give you control over
entropy sources and setting and
optimizations

18. The Sourcing Problem

19. The Sourcing Fix
Install haveged - This generates entropy based on system timing and will generally bump your entropy up to
2000-3500
Get a Hardware RNG - $50 Make Your own HRNG from
an RTL-SDR dongle ~$10
(do your homework on
making it a secure source or
ask me after)
Borrow some entropy From a friend???
https://github.com/pwarren/rtl-entropy

20. https://github.com/dustinkirkland/pollinate
Seeds startup entropy from another computer on boot to get things started faster.
Easy to install
good for VM’s
A good codebase to start from

21. Entropy Broker
https://www.vanheusden.com/entropybroker/

22. Prime Caching
● Generate large random numbers in small chunks over time to reduce
impact and requirements against the entropy pool.
● Use these to generate large primes
● Store a list of these cached large primes locally
● Roll a random selection against the cached
● Use and delete the randomly selected large prime
● Rinse and repeat

23. Where's The Easy Mode?
I have written a script that will apply the minimal
basic changes to better protect your systems
entropy as well as increase system performance!
Entropy-upgrade.sh
Is available at
http://pastebin.com/tKTwt471

24. DEMO TIME!
YAY!

25. Check entropy pool_size -- cat /proc/sys/kernel/random/pool_size
check entropy level -- cat /proc/sys/kernel/random/entropy_avail
Pull some random data -- cat /dev/random | tr -dc 'a-zA-Z0-9' | fold
-w 32 | head -n 1
Demo Notes