Evaluation Criteria for True (Physical) Random Number Generators Used in Cryptographic Applications

Similar documents
Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Network Security. Chapter 6 Random Number Generation

Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Cryptography and Key Management Basics

Description of the Technical Component:

Predictive Models for Min-Entropy Estimation

Protection Profile Digital Tachograph Vehicle Unit (VU PP) Version 1.0 BSI-CC-PP

CS 758: Cryptography / Network Security

SECURITY EVALUATION OF ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)

ETSI TS : Electronic Signatures and Infrastructures (ESI): Policy

Details for the structure and content of the ETR for Site Certification. Version 1.0

1 Signatures vs. MACs

BSI-PP for. Protection Profile Secure Signature-Creation Device Type 1, Version developed by

Caught in the Maze of Security Standards

VoIP Security. Seminar: Cryptography and Security Michael Muncan

BSI-DSZ-CC-S for. Dream Chip Technologies GmbH Germany. Dream Chip Technologies GmbH

Spoof Detection and the Common Criteria

Designing Gain and Offset in Thirty Seconds

Authentication requirement Authentication function MAC Hash function Security of

BSI-DSZ-CC-S for. GLOBALFOUNDRIES Singapore Pte. Ltd. GLOBALFOUNDRIES Singapore Pte. Ltd.

National Sun Yat-Sen University CSE Course: Information Theory. Gambling And Entropy

ARCHITECTING HIGH-SECURITY SYSTEMS FOR MULTILATERAL COOPERATION

IMPLEMENTATION NOTE. Validating Risk Rating Systems at IRB Institutions

Pulse Secure, LLC. January 9, 2015

Technical information on the IT security certification of products, protection profiles and sites

Certification Report. NXP Secure Smart Card Controller P40C012/040/072 VD

Security IC Platform Protection Profile

Security Analysis of DRBG Using HMAC in NIST SP

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Copyright. Network and Protocol Simulation. What is simulation? What is simulation? What is simulation? What is simulation?

Lecture 24: Oscillators. Clapp Oscillator. VFO Startup

A Security Flaw in the X.509 Standard Santosh Chokhani CygnaCom Solutions, Inc. Abstract

The Effective Number of Bits (ENOB) of my R&S Digital Oscilloscope Technical Paper

Problem of the Month: Fair Games

Primes, Factoring, and RSA A Return to Cryptography. Table of contents

Biometrics for Public Sector Applications

by Maria Heiden, Berenberg Bank

SLE66CX322P or SLE66CX642P / CardOS V4.2B FIPS with Application for Digital Signature

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

Certification Report. Utimaco Safeware AG. debiszert-dsz-itsec SafeGuard Sign&Crypt, Version 2.0. The Modern Service Provider

Crittografia e sicurezza delle reti. Digital signatures- DSA

DAC Digital To Analog Converter

Lecture 5 - CPA security, Pseudorandom functions

MAS.836 HOW TO BIAS AN OP-AMP

MACs Message authentication and integrity. Table of contents

Introduction to Learning & Decision Trees

Lecture 3: One-Way Encryption, RSA Example

Preventing fraud in epassports and eids

TRU Math Conversation Guide

IT Networks & Security CERT Luncheon Series: Cryptography

Conformance test specification for BSI-TR Biometrics for public sector applications

Low Assurance Protection Profile for a VPN gateway

CrypTool Claudia Eckert / Thorsten Clausius Bernd Esslinger / Jörg Schneider / Henrik Koy

CPE 462 VHDL: Simulation and Synthesis

No Solution Equations Let s look at the following equation: 2 +3=2 +7

Using ISO/IEC for mobile devices

Hideo Okawara s Mixed Signal Lecture Series. DSP-Based Testing Fundamentals 46 Per-pin Signal Generator

Yale University Department of Computer Science

Securing VoIP Networks using graded Protection Levels

Symmetric Mechanisms for Authentication in IDRP

Lecture 13 - Basic Number Theory.

12.0 Statistical Graphics and RNG

Randomized Hashing for Digital Signatures

Notes from Week 1: Algorithms for sequential prediction

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Procedural Animation. An introduction

Digital Signatures. What are Signature Schemes?

Sicherheitsaspekte des neuen deutschen Personalausweises

Effective Secure Encryption Scheme [One Time Pad] Using Complement Approach Sharad Patil 1 Ajay Kumar 2

How To Calculate The Power Gain Of An Opamp

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Common Criteria v3.1 Vulnerability Assessment: What is new?

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

Table of Contents. Bibliografische Informationen digitalisiert durch

Primality Testing and Factorization Methods

HOB Remote Desktop VPN Secure access for remote workers and business partners to your enterprise network

74. Selecting Web Services with Security Compliances: A Managerial Perspective

What is the purpose of this document? What is in the document? How do I send Feedback?

Teaching Pre-Algebra in PowerPoint

Probability Using Dice

SUSE Linux Enterprise 12 Security Certifications Common Criteria, EAL, FIPS, PCI DSS,... What's All This About?

Oscillation Monitoring System

Program Contact: Prof. Rebecca Herb Phone: ext

SIMPLE EPROM PROGRAMMER. EPROM Programmer Design. Hardware

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

smart grids forum Intelligent power grids: How to build in Safety and Security Conference March 21 22, 2013 in Munich, Germany

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Current requirements for a major (page 83 of current catalog)

A.Besson, IPHC-Strasbourg

Information security audit (IS audit) - A guideline for IS audits based on IT-Grundschutz

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik

Intrusion Detection Systems

Rating Methodology. Alternative Investment Funds Open-Ended Real Estate Funds. June Contact

White Paper Business Continuity and the Role of Communication

Hill s Cipher: Linear Algebra in Cryptography

Security for Computer Networks

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Transcription:

Evaluation Criteria for True (Physical) Random Number Generators Used in Cryptographic Applications Werner Schindler 1, Wolfgang Killmann 2 1 Bundesamt für Sicherheit in der Informationstechnik (BSI) Bonn, Germany 2 T-Systems ISS GmbH Bonn, Germany

Random numbers in cryptographic applications Examples: - random session keys - RSA prime factors - random numbers for DSS - zero-knowledge-proofs - challenge-response-protocols - IV vectors -...

Random number generators - true (physical) random number generators (TRNGs) - deterministic random number generators (DRNGs) (output completely determined by the seed) - hybrid generators (refreshing their seed regularly; e.g. by exploiting user s interaction, mouse movement, key strokes or register values)

Requirements on random numbers The requirements on the used random numbers depend essentially on the intended application! R1: The random numbers should have good statistical properties R2: The knowledge of subsequences of random numbers shall not enable to compute predecessors or successors or to guess them with non-negligible probability.

TRNGs vs. DRNGs For sensitive applications requirement R2 is indispensable! DRNGs rely on computational complexity ( practical security ) TRNGs: If the entropy per random number is sufficiently large this ensures theoretical security.

Objectives of a TRNG evaluation (I): Verification of the general suitability of the TRNG-design at hand of theoretical considerations and carefully investigated prototypes

TRNGs in operation: General problems and risks - total breakdown of the noise source - aging effects - tolerances of components

tot-test / startup test / online test test tot-test startup test online test aim shall detect a total breakdown of the noise source very soon shall ensure the functionality of the TRNG at the start shall detect non-tolerable weaknesses or deterioration of the quality of random numbers

Objectives of a TRNG evaluation (II): Verification of the suitability of the tot-, startup- and online test at hand of theoretical considerations

TRNG (schematic design) analog digital external interface noise source algorithmic postprocessing buffer (optional) (optional) digitised analog signal (das-random numbers) internal r.n. external r.n.

Which random numbers should be tested? (I) Example: linear feedback shift register das-r.n....... internal r.n. worst case scenario: total breakdown of the noise sorce das-r.n.s : constant, i.e. entropy /bit = 0... but... internal r.n.s: good statistical properties!!!

Which random numbers should be tested? (II) Example (continued): Statistical blackbox tests applied on the internal random numbers will not detect a total breakdown of the noise source (unless the linear complexity profile is tested). The relevant property is the increase of entropy per random bit.

Entropy (I) General demand (-> R2): - Entropy / random bit should be sufficiently large Fundamental problems: - Entropy is a property of random variables but not of observed random numbers! - general entropy estimators do not exist Consequences: - Entropy cannot be measured as voltage etc. - at least the distribution class of the underlying random variables has to be known

Entropy (II) das-random numbers: - may not be equidistributed - may be dependent on predecessors - but there should not be complicated algebraic long-term dependencies (-> math. model of the noise source) Conclusion: The das-random numbers should be tested.

ITSEC and CC ITSEC (Information Technology Security Evaluation Criteria) and CC (Common Criteria) - provide evaluation criteria which shall permit the comparability between independent security evaluations. - A product or system which has been successfully evaluated is awarded with an internationally recognized IT security certificate.

CC: Evaluation of Random Number Generators ITSEC, CC and the corresponding evaluation manuals do not specify any uniform evaluation criteria for random number generators! In the German evaluation and certification scheme the evaluation guidance document AIS 31: Functionality Classes and Evaluation Methodology for Physical Random Number Generators has been effective since September 2001

AIS 31 (I) - provides clear evaluation criteria for TRNGs - distinguishes between two functionality classes P1 (for less sensitive applications as challenge-response mechanisms) P2 (for sensitive applications as key generation) - no statistical blackbox tests for class P2 - discusses positive and negative examples

AIS 31 (II) - does not favour or exclude any reasonable TRNG design; if necessary, the applicant has give and to justify alternative criteria - mathematical-technical reference: W. Schindler, W. Killmann: A Proposal for: Functionality Classes and Evaluation Methodology for True (Physical) Random Number Generators www.bsi.bund.de/zertifiz/zert/interpr/trngk31.pdf

AIS 31: Alternative Criteria (I) P2-specific requirement P2.d)(vii): Digitised noise signal sequences meet particular criteria or pass statistical tests intended to rule out features such as multi-step dependencies...... Tests and evaluation rules are specified in sub-section P2.i) Aim of this requirement: to guarantee a minimum entropy limit for the das-random numbers and, consequently, for the internal random numbers.

AIS 31: Alternative Criteria (II) Case A): The das-random numbers do not meet these criteria. Using an appropriate (data-compressing) mathematical postprocessing the entropy of the internal r.n.s may yet be sufficiently large. The applicant has to give clear proof that the entropy of the internal random numbers is sufficiently large, taking into account the mathematical postprocessing on basis of the empirical properties of the digitized noise signal sequence.

AIS 31: Alternative Criteria (III) Case B): Due to construction of the TRNG there is no access to the das-random numbers possible. The applicant additionally has to give a comprehensible and plausible description of a mathematical model of the noise source and of the das random numbers (specifying a distribution class!).

AIS 31: Reference Implementation The AIS 31 has been well-tried in a number of product evaluations A reference implementation of the applied statistical tests will be put on the BSI website in September www.bsi.bund.de/zertifiz/zert/interpr/ais_cc.htm

Proposals and ideas for improvement of the AIS 31 are always welcome!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information