Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Transcription

1 Chair for Network Architectures ad Services Istitute of Iformatics TU Müche Prof. Carle Network Security Chapter 2 Basics 2.4 Radom Number Geeratio for Cryptographic Protocols Motivatio It is crucial to security that cryptographic keys are geerated with a truly radom or at least a pseudo-radom geeratio process (see subsequetly) Otherwise, a attacker might reproduce the key geeratio process ad easily fid the key used to secure a specific commuicatio Geeratio of pseudo-radom umbers is required i cryptographic protocols for the geeratio of Cryptographic keys Noces (Numbers Used Oce) Example usages Key geeratio ad peer autheticatio i IPSec ad SSL Autheticatio with challege-respose-mechaism, e.g. GSM ad UMTS autheticatio Network Security, WS 2009/10, Chapter 2.4 2

2 Radom Number Geerators A radom bit geerator is a device or algorithm which outputs a sequece of statistically idepedet ad ubiased biary digits. Remark: A radom bit geerator ca be used to geerate uiformly distributed radom umbers e.g. a radom iteger i the iterval [0, ] ca be obtaied by geeratig a radom bit sequece of legth lg ad covertig it ito a umber. If the resultig iteger exceeds it ca be discarded ad the process is repeated util a iteger i the desired rage has bee geerated. Network Security, WS 2009/10, Chapter Etropy (c.f. Niels Ferguso, Bruce Scheier: Practical Cryptography, pp. 155ff) The measure for radomess is called etropy Let X a radom variable which outputs a sequece of bits The Shao iformatio etropy is defied by: H ( X ) = P( X = x)l2( P( X = x)) x E.g. if all possible outputs are equally probable, the 2 H X = ( ) ( ) l 2 ( ) = 2 * * ( ) = i = A secure cryptographic key of legth bits should have bits of etropy. If k from the bits become kow to a attacker ad the attacker has o iformatio about the remaiig ( k) bits, the the key has a etropy of ( k) bits A bits sequece of arbitrary large legth that takes oly 4 differet values has oly 2 bits of etropy Passwords that ca be remembered by huma beigs have usually a much lower etropy tha their legth. Etropy ca be uderstood as the average umber of bits required to specify a bit-sequece if a ideal compressio algorithm is used. Network Security, WS 2009/10, Chapter 2.4 4

3 Pseudo-Radom Number Geerators (1) A pseudo-radom bit geerator (PRBG) is a determiistic algorithm which, give a truly radom biary sequece of legth k ( seed ), outputs a biary sequece of legth m >> k which appears to be radom. The iput to the PRBG is called the seed ad the output is called a pseudo-radom bit sequece. Remarks: The output of a PRBG is ot radom, i fact the umber of possible output sequeces of legth m with 2 k sequeces is at most a small fractio of 2 m, as the PRBG produces always the same output sequece for oe (fixed) seed The motivatio for usig a PRBG is that it is geerally too expesive to produce true radom umbers of legth m, e.g. by coi flippig, so just a smaller amout of radom bits is produced ad the a pseudo-radom bit sequece is produced out of the k truly radom bits I order to gai cofidece i the radomess of a pseudo-radom sequece, statistical tests are coducted o the produced sequeces Network Security, WS 2009/10, Chapter Pseudo-Radom Number Geerators (2) Example: A liear cogruetial geerator produces a pseudo-radom sequece of umbers y 1, y 2,... Accordig to the liear recurrece y i = a y i-1 + b MOD q with a, b, q beig parameters characterizig the PRBG Ufortuately, this geerator is predictable eve whe a, b ad q are ukow, ad should, therefore, ot be used for cryptographic purposes Network Security, WS 2009/10, Chapter 2.4 6

4 Radom ad Pseudo-Radom Number Geeratio (3) Security requiremets of PRBGs for use i cryptography: As a miimum security requiremet the legth k of the seed to a PRBG should be large eough to make brute-force search over all seeds ifeasible for a attacker The output of a PRBG should be statistically idistiguishable from truly radom sequeces The output bits should be upredictable for a attacker with limited resources, if he does ot kow the seed A PRBG is said to pass all polyomial-time statistical tests, if o polyomial-time algorithm ca correctly distiguish betwee a output sequece of the geerator ad a truly radom sequece of the same legth with probability sigificatly greater tha 0.5 Polyomial-time algorithm meas, that the ruig time of the algorithm is boud by a polyomial i the legth m of the sequece Network Security, WS 2009/10, Chapter Radom ad Pseudo-Radom Number Geeratio (4) A PRBG is said to pass the ext-bit test, if there is o polyomial-time algorithm which, o iput of the first m bits of a output sequece s, ca predict the (m + 1) st bit s m+1 of the output sequece with probability sigificatly greater tha 0.5 Theorem (uiversality of the ext-bit test): A PRBG passes the ext-bit test it passes all polyomial-time statistical tests For the proof, please see sectio 12.2 i [Sti95a] A PRBG that passes the ext-bit test possibly uder some plausible but uproved mathematical assumptio such as the itractability of the factorig problem for large itegers is called a cryptographically secure pseudo-radom bit geerator (CSPRBG) Network Security, WS 2009/10, Chapter 2.4 8

5 Hardware-Based Radom Number Geeratio Hardware-based radom bit geerators are based o physical pheomea, as: elapsed time betwee emissio of particles durig radioactive decay, thermal oise from a semicoductor diode or resistor, frequecy istability of a free ruig oscillator, the amout a metal isulator semicoductor capacitor is charged durig a fixed period of time, air turbulece withi a sealed disk drive which causes radom fluctuatios i disk drive sector read latecies, ad soud from a microphoe or video iput from a camera A hardware-based radom bit geerator should ideally be eclosed i some tamper-resistat device ad thus shielded from possible attackers Network Security, WS 2009/10, Chapter Software-Based Radom Number Geeratio Software-based radom bit geerators, may be based upo processes as: the system clock, elapsed time betwee keystrokes or mouse movemet, cotet of iput- / output buffers user iput, ad operatig system values such as system load ad etwork statistics Ideally, multiple sources of radomess should be mixed, e.g. by cocateatig their values ad computig a cryptographic hash value for the combied value, i order to avoid that a attacker might guess the radom value If, for example, oly the system clock is used as a radom source, tha a attacker might guess radom-umbers obtaied from that source of radomess if he kows about whe they were geerated Usually, such geerators are used to iitialize PRNGs, i.e. to set their seed. Network Security, WS 2009/10, Chapter

6 De-skewig Cosider a radom geerator that produces biased but ucorrelated bits, e.g. it produces 1 s with probability p 0.5 ad 0 s with probability 1 - p, where p is ukow but fixed The followig techique ca be used to obtai a radom sequece that is ucorrelated ad ubiased: The output sequece of the geerator is grouped ito pairs of bits All pairs 00 ad 11 are discarded For each pair 10 the ubiased geerator produces a 1 ad for each pair 01 it produces a 0 Aother practical (although ot provable) de-skewig techique is to pass sequeces whose bits are correlated or biased through a cryptographic hash fuctio such as MD-5 or SHA-1 Network Security, WS 2009/10, Chapter Statistical Tests for Radom Numbers The followig tests allow to check if a geerated radom or pseudoradom sequece ihibits certai statistical properties: Moobit Test: Are there equally may 1 s as 0 s? Serial Test (Two-Bit Test): Are there equally may 00-, 01-, 10-, 11-pairs? Rus Test: Are the umbers of rus (sequeces cotaiig oly either 0 s or 1 s) of various legths as expected for radom umbers? Autocorrelatio Test: Are there correlatios betwee the sequece ad (o-cyclic) shifted versios of it? Maurer s Uiversal Test: Ca the sequece be compressed? The above descriptios just give the basic ideas of the tests. For a more detailed ad mathematical treatmet, please refer to sectios ad i [Me97a] Network Security, WS 2009/10, Chapter

7 Addtioal Refereces [Ferg03] [Me97a] [Sti95a] Niels Ferguso, Bruce Scheier, Practical Cryptography, Joh Wiley & Sos, 2003 A. J. Meezes, P. C. Va Oorschot, S. A. Vastoe. Hadbook of Applied Cryptography. CRC Press Series o Discrete Mathematics ad Its Applicatios, Hardcover, 816 pages, CRC Press, D. R. Stiso. Cryptography: Theory ad Practice (Discrete Mathematics ad Its Applicatios). Hardcover, 448 pages, CRC Press, Network Security, WS 2009/10, Chapter