Predictive Models for Min-Entropy Estimation



Similar documents
Predictive Models for Min-Entropy Estimation

Network Security. Chapter 6 Random Number Generation

Randomized Hashing for Digital Signatures

Authentication requirement Authentication function MAC Hash function Security of

Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

C O M P U T E R S E C U R I T Y

National Sun Yat-Sen University CSE Course: Information Theory. Gambling And Entropy

Security Analysis of DRBG Using HMAC in NIST SP

Lecture 9: Application of Cryptography

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor

Recommendation for Applications Using Approved Hash Algorithms

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Performance Investigations. Hannes Tschofenig, Manuel Pégourié-Gonnard 25 th March 2015

Computer Security: Principles and Practice

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Office of Liquor Gaming and Regulation Random Number Generators Minimum Technical Requirements Version 1.4

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Algorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Cryptography Lecture 8. Digital signatures, hash functions

The NIST SP A Deterministic Random Bit Generator Validation System (DRBGVS)

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Hash Function JH and the NIST SHA3 Hash Competition

Modeling and verification of security protocols

ARCHIVED PUBLICATION

Security Protocols/Standards

Secure Programming and Source-Code Reviews - In the UNIX Environment. Thomas Biege <thomas@suse.de>

How To Encrypt Data With Encryption

Capture Resilient ElGamal Signature Protocols

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Princeton University Computer Science COS 432: Information Security (Fall 2013)

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Authentication, digital signatures, PRNG

Statistical Testing of Randomness Masaryk University in Brno Faculty of Informatics

Recommendation for Applications Using Approved Hash Algorithms

SECURITY EVALUATION OF ENCRYPTION USING RANDOM NOISE GENERATED BY LCG

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Lukasz Pater CMMS Administrator and Developer

Image Compression through DCT and Huffman Coding Technique

12.0 Statistical Graphics and RNG

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Statistics in Retail Finance. Chapter 6: Behavioural models

IT Networks & Security CERT Luncheon Series: Cryptography

A Simple Inventory System

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Key Agreement from Close Secrets over Unsecured Channels Winter 2010

Usable Crypto: Introducing minilock. Nadim Kobeissi HOPE X, NYC, 2014

Caught in the Maze of Security Standards

CRYPTOGRAPHY AS A SERVICE

Introduction to Cryptography CS 355

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

MIMO CHANNEL CAPACITY

Lab 7. Answer. Figure 1

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Textbooks: Matt Bishop, Introduction to Computer Security, Addison-Wesley, November 5, 2004, ISBN

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

A Security Flaw in the X.509 Standard Santosh Chokhani CygnaCom Solutions, Inc. Abstract

Network Security. Modes of Operation. Steven M. Bellovin February 3,

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

EXAM questions for the course TTM Information Security May Part 1

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

SEC 2: Recommended Elliptic Curve Domain Parameters

Fundamentals of Computer Security

RSA Keys with Common Factors

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Web Security. Introduction: Understand applicable laws, legal issues and ethical issues regarding computer crime

Practice Questions. CS161 Computer Security, Fall 2008

Arithmetic Coding: Introduction

Yale University Department of Computer Science

CPSC 467b: Cryptography and Computer Security

Recommendation for Cryptographic Key Generation

WebSphere DataPower Release FIPS and NIST SP a support.

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Authentication Types. Password-based Authentication. Off-Line Password Guessing

CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)

Crittografia e sicurezza delle reti. Digital signatures- DSA

Lightweight and Secure PUF Key Storage Using Limits of Machine Learning

Overview of Public-Key Cryptography

Testing Random- Number Generators

Privacy Preserving Similarity Evaluation of Time Series Data

Message Authentication

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Evaluation of Digital Signature Process

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

E- Encryption in Unix

Digital Signature Standard (DSS)

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

CSCE 465 Computer & Network Security

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

ARCHIVED PUBLICATION

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

Cloud and Big Data Summer School, Stockholm, Aug Jeffrey D. Ullman

Strengths and Weaknesses of Cybersecurity Standards

NIST Cryptographic Algorithm Validation Program (CAVP) Certifications for Freescale Cryptographic Accelerators

Transcription:

Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. McKay Meltem Sönmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015

Overview Cryptographic random numbers and entropy NIST SP 800 90 Series - Recommendations on random number generation A framework to estimate entropy based on predictors Experimental results using simulated and real noise sources

Random Numbers in Cryptography We need random numbers for cryptography (e.g., secret keys, IVs, nonce, salts) Cryptographic PRNGs (based on hash functions, block ciphers etc.) generate strong random numbers for crypto applications. PRNGs need random seeds.

Entropy sources Entropy sources depend on physical events (e.g. thermal noise). The outputs of entropy sources are usually statistically weak, (e.g. correlated outputs). Entropy sources are fragile, sensitive to external factors (e.g. temperature).

Entropy sources Entropy sources depend on physical events (e.g. thermal noise). The outputs of entropy sources are usually statistically weak, (e.g. correlated outputs). Entropy sources are fragile, sensitive to external factors (e.g. temperature). How many bits are needed to be drawn from the entropy source to produce a good seed?

Low Entropy leads to weak keys! Heninger et al. (2012) performed the largest network survey of TLS and SSH servers. Why? Collected 5.8 million unique certificates from 12.8 million TLS hosts and 6.2 million unique SSH host keys from 10.2 million hosts. Observed that 0.75% of TLS certificates share keys during key generation. Obtained RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, DSA private keys for 1.03% of SSH hosts. Using manufacturers-default keys, Low entropy during key generation.

Entropy Measure of the amount of information contained in a message. Different measurements of entropy: Shannon ( p i log p i ), Renyi ( 1 1 α log( pi α )), Min-entropy ( log max i p i ). Entropy estimation Plug-in estimators (maximum likelihood estimators), methods based on compression algorithms etc. Challenging, when underlying distribution is unknown, and the i.i.d. assumption cannot be made. Under/over estimation

NIST Special Publication 800-90 Series

Entropy Source Model used in SP 800-90B

Entropy Estimation - 90B Perspective In order to comply with Federal Information Processing Standard 140-2, designers/submitters first submit analysis of their noise source. Labs check the noise source specification, and then generate raw data from the noise source, and estimate entropy using the 90B estimators. For validation purposes, estimation process cannot be too complex, due to time and cost constraints, and the process cannot require expert knowledge. Any two validation labs must get the same result for same outputs.

NIST s Entropy Estimation Suite Draft SP 800-90B (Aug.2012) includes five estimators for non-i.i.d. sources: Collision test (based on the mean time for a repeated sample value.) Partial collection test (based on the number of distinct sample values observed in segments of the outputs.) Markov test (models the noise source outputs as a first-order Markov model.) Compression test (based on how much the noise source outputs can be compressed.) Frequency test (based on the number of occurrences of the most-likely value. ) The final entropy estimate is the minimum of all the estimates.

Drawbacks of SP 800 90B Estimators Estimators do not always catch bad behavior e.g. Higher-order Markov models Prone to underestimate when there are many probability levels (e.g., discrete approximation of a normal distribution) Estimators may not work very well if the probability distribution changes over time

New Framework based on Predictors Predictors behave more like an attacker, who observes source outputs and makes guesses based on previous observations. Predictor approach complements 90B suite without significantly lowering estimates Initialize the predictor model Predict the next output Observe the next output Compare the prediction to the observed value Update the predictor model

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach.

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 Prediction 0 Correct

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 Prediction 0 Correct 0

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 Prediction 0 1 Correct 0

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 Prediction 0 1 Correct 0

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 Prediction 0 1 Correct 0 0

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 Prediction 0 1 1 Correct 0 0

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 1 Prediction 0 1 1 Correct 0 0

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 1 Prediction 0 1 1 Correct 0 0 1

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 1 Prediction 0 1 1 0 Correct 0 0 1

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 1 0 Prediction 0 1 1 0 Correct 0 0 1

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 1 0 Prediction 0 1 1 0 Correct 0 0 1 1

Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 1 0 0 1 1 1 0 0 1 Prediction 0 1 1 0 0 1 0 1 1 0 0 Correct 0 0 1 1 1 1 0 1 0 1 0

Set of Predictors Single predictors LZ78Y most common sample that follows value according to dictionary Most Common in Window (MCW) most common sample in last w observations Markov Model with Counting (MMC) most common sample that follows last N values Single Lag sample that appeared N observations back Moving average prediction based on moving average of last w samples D1 prediction based on difference equation of two most recent observations

Set of Predictors Ensemble predictors Contain multiple instances of single predictors of the same type with different parameter values Scoreboard keeps track of instance that is performing best Use best prediction from best-performing instance at the time

Experimental Results - Simulated Sources Discrete uniform distribution: an i.i.d. source in which the samples are equally-likely. Discrete near-uniform distribution: an i.i.d source where all samples but one are equally-likely; the remaining sample has a higher probability than the rest. Normal distribution rounded to integers: an i.i.d. source where samples are drawn from a normal distribution and rounded to integer values. Time-varying normal distribution rounded to integers: a non-i.i.d. source where samples are drawn from a normal distribution and rounded to integer values, but the mean of the distribution moves along a sine curve to simulate a time-varying signal. Markov Model: a non-i.i.d. source where samples are generated using a kth-order Markov model.

Result Summary: Simulated Sources Error measures for the lowest 90B and predictor estimates by simulated source class Simulated data class 90B MSE Predictor MSE 90B MPE Predictor MPE Uniform 2.4196 0.5031 37.9762 17.4796 Near-uniform 1.4136 0.1544 26.6566 6.4899 Normal 4.9680 0.4686 62.6330 14.1492 Time-varying normal 3.0706 0.2564 54.1453 3.1706 Markov 0.9973 0.8294 6.4339-11.7939 MSE = mean squared error, MPE = mean percentage error

Result Summary: Real-World Sources Entropy estimates for real world sources. The lowest entropy estimate for each source is shown in bold font Estimator RDTSC1 RDTSC4 RDTSC8 RANDOM.ORG Ubld.it1 Ubld.it8 Collision 0.9125 3.8052 5.3240 5.1830 0.9447 5.2771 Compression 0.9178 3.6601 5.3134 5.1926 0.9285 5.5081 Frequency 0.9952 3.9577 5.8666 5.6662 0.8068 5.8660 Markov 0.9983 3.9582 5.7858 5.3829 0.8291 5.7229 Partial Collection 0.9258 3.7505 5.3574 5.5250 0.9407 5.8238 D1 0.9616 3.9986 7.9619 7.9126 0.8734 7.9489 Lag 0.7075 3.9883 7.9546 7.9237 0.7997 7.9862 LZ78Y 0.9079 3.9989 11.9615 11.5924 0.7997 11.8375 MultiMA 0.9079 3.6458 7.9594 7.8508 0.8073 7.9441 MultiMCW 0.9079 3.9888 7.9381 7.9744 0.8072 7.9544 MultiMMC 0.9079 3.6457 7.9663 7.9237 0.8072 7.9880

Conclusion For the designer: The best efforts of the designer to understand the behavior of his noise source may not be fully successful. An independent test of the unpredictability of the source can help the designer recognize these errors. For an evaluator: A testing lab or independent evaluator trying to decide how much entropy per sample a source provides will have limited time and expertise to understand and verify the designer s analysis of his design. Entropy tests are very useful as a way for the evaluator to double-check the claims of the designer. For the user: A developer making use of one or more noise sources can sensibly use an entropy estimation tool to verify any assumptions made by the designer.

Thanks for you attention! meltem.turan@nist.gov

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information