Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics




2.4 Random Number Generation for Cryptographic Protocols

Motivation
- It is crucial to security that cryptographic keys are generated with a truly random or at least a pseudo-random generation process (see subsequently). Otherwise, an attacker might reproduce the key generation process and easily find the key used to secure a specific communication.
- Generation of pseudo-random numbers is required in cryptographic protocols for the generation of: cryptographic keys; nonces (numbers used once).
- Example usages: key generation and peer authentication in IPSec and SSL; authentication with challenge-response mechanisms, e.g. GSM and UMTS authentication.

Network Security, WS 2009/10, Chapter 2.4

Random Number Generators
- A random bit generator is a device or algorithm which outputs a sequence of statistically independent and unbiased binary digits.
- Remark: A random bit generator can be used to generate uniformly distributed random numbers, e.g. a random integer in the interval [0, n] can be obtained by generating a random bit sequence of length ⌊log₂ n⌋ + 1 and converting it into a number. If the resulting integer exceeds n, it is discarded and the process is repeated until an integer in the desired range has been generated.

Entropy (cf. Niels Ferguson, Bruce Schneier: Practical Cryptography, pp. 155ff)
- The measure for randomness is called entropy.
- Let X be a random variable which outputs a sequence of bits. The Shannon information entropy is defined by:
  $H(X) = -\sum_{x} P(X = x) \cdot \log_2 P(X = x)$
- E.g. if all $2^n$ possible outputs are equally probable, then
  $H(X) = -\sum_{i=0}^{2^n - 1} \frac{1}{2^n} \cdot \log_2 \frac{1}{2^n} = -2^n \cdot \frac{1}{2^n} \cdot (-n) = n$
- A secure cryptographic key of length n bits should have n bits of entropy. If k of the n bits become known to an attacker, and the attacker has no information about the remaining (n − k) bits, then the key has an entropy of (n − k) bits.
- A bit sequence of arbitrarily large length that takes only 4 different values has only 2 bits of entropy.
- Passwords that can be remembered by human beings usually have a much lower entropy than their length.
- Entropy can be understood as the average number of bits required to specify a bit sequence if an ideal compression algorithm is used.
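The remark above (random integer in [0, n] by rejection) and the entropy definition, worked through in an added example that is not part of the lecture slides. The rejection step follows the slide; the comparison with plain modulo reduction goes one step beyond it and shows why out-of-range values are discarded rather than reduced. The bit source is a constructed, deterministic stand-in for a random bit generator.

```python
"""Uniform integers from random bits, and the entropy of the result."""
import math
from collections import Counter
from typing import Callable, Dict, Iterator


def shannon_entropy(dist: Dict[int, float]) -> float:
    """H(X) = -sum_x P(X=x) log2 P(X=x), in bits (zero-probability terms skipped)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def uniform_int(n: int, random_bit: Callable[[], int]) -> int:
    """Random integer in [0, n]: draw floor(log2 n)+1 bits, retry if the value
    exceeds n. With unbiased bits every value 0..n is exactly equally likely."""
    nbits = n.bit_length()              # == floor(log2 n) + 1 for n >= 1
    while True:
        x = 0
        for _ in range(nbits):
            x = (x << 1) | random_bit()
        if x <= n:
            return x


def modulo_distribution(n: int) -> Dict[int, float]:
    """Distribution of an nbits-bit value reduced mod (n+1): the tempting shortcut
    that skips rejection. Unless n+1 is a power of two, some values are favoured."""
    nbits = n.bit_length()
    total = 1 << nbits
    counts = Counter(x % (n + 1) for x in range(total))
    return {v: c / total for v, c in counts.items()}


def bits_from_list(bits: list) -> Callable[[], int]:
    """Constructed deterministic bit source (stands in for a hardware RBG)."""
    it: Iterator[int] = iter(bits)
    return lambda: next(it)


if __name__ == "__main__":
    # Uniform over 2**4 outputs -> 4 bits; 4 equiprobable values -> 2 bits.
    print(shannon_entropy({i: 1 / 16 for i in range(16)}))   # 4.0
    print(shannon_entropy({i: 1 / 4 for i in range(4)}))     # 2.0
    # Rejection sampling for n=5: 7 and 6 are discarded, 3 is returned.
    src = bits_from_list([1, 1, 1, 1, 1, 0, 0, 1, 1])
    print(uniform_int(5, src))                               # 3
    # Reducing 3 bits mod 6 loses entropy: 2.5 bits instead of log2(6).
    print(shannon_entropy(modulo_distribution(5)), math.log2(6))
```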

Pseudo-Random Number Generators (1)
- A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k (the "seed"), outputs a binary sequence of length m >> k which appears to be random. The input to the PRBG is called the seed and the output is called a pseudo-random bit sequence.
- Remarks:
  - The output of a PRBG is not random; in fact, with 2^k possible seeds the number of possible output sequences of length m is at most a small fraction of 2^m, as the PRBG always produces the same output sequence for one (fixed) seed.
  - The motivation for using a PRBG is that it is generally too expensive to produce true random numbers of length m, e.g. by coin flipping, so only a smaller amount of random bits is produced and then a pseudo-random bit sequence is derived from the k truly random bits.
  - In order to gain confidence in the randomness of a pseudo-random sequence, statistical tests are conducted on the produced sequences.

Pseudo-Random Number Generators (2)
- Example: A linear congruential generator produces a pseudo-random sequence of numbers y_1, y_2, ... according to the linear recurrence
  y_i = (a · y_{i−1} + b) MOD q
  with a, b, q being parameters characterizing the PRBG.
- Unfortunately, this generator is predictable even when a, b and q are unknown, and should therefore not be used for cryptographic purposes.
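The linear congruential generator from the slide above and the reason it fails the unpredictability requirement, as an added example that is not from the lecture. It shows the simplest case only, where the modulus q is known and a, b are secret: three consecutive outputs already determine a and b and hence every later output. The slide's statement is stronger (prediction also works when q is unknown); the parameters below are constructed for illustration (the MINSTD modulus 2^31 − 1 with an arbitrary increment).

```python
"""Linear congruential generator: y_i = (a*y_{i-1} + b) mod q, and its prediction."""
from typing import List, Tuple


def lcg(seed: int, a: int, b: int, q: int, count: int) -> List[int]:
    """Return y_1 .. y_count of the LCG recurrence, starting from y_0 = seed."""
    out, y = [], seed
    for _ in range(count):
        y = (a * y + b) % q
        out.append(y)
    return out


def recover_lcg_params(y1: int, y2: int, y3: int, q: int) -> Tuple[int, int]:
    """Three consecutive outputs give two linear equations in a and b (mod q):
         y2 = a*y1 + b,  y3 = a*y2 + b   =>   a = (y3 - y2) * (y2 - y1)^-1 mod q
    Assumes q is prime and y2 != y1, so the modular inverse exists."""
    a = ((y3 - y2) * pow(y2 - y1, -1, q)) % q
    b = (y2 - a * y1) % q
    return a, b


def predict_next(outputs: List[int], q: int) -> int:
    """Predict the output that follows the (>= 3) observed outputs."""
    a, b = recover_lcg_params(*outputs[-3:], q)
    return (a * outputs[-1] + b) % q


if __name__ == "__main__":
    Q, A, B = 2**31 - 1, 16807, 12345          # constructed, illustrative parameters
    observed = lcg(seed=42, a=A, b=B, q=Q, count=4)
    print("recovered (a, b):", recover_lcg_params(*observed[:3], Q))
    print("predicted y4:", predict_next(observed[:3], Q), "actual:", observed[3])
```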

Random and Pseudo-Random Number Generation (3)
- Security requirements of PRBGs for use in cryptography:
  - As a minimum security requirement, the length k of the seed to a PRBG should be large enough to make brute-force search over all seeds infeasible for an attacker.
  - The output of a PRBG should be statistically indistinguishable from truly random sequences.
  - The output bits should be unpredictable for an attacker with limited resources, if he does not know the seed.
- A PRBG is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 0.5.
- Polynomial-time algorithm means that the running time of the algorithm is bounded by a polynomial in the length m of the sequence.

Random and Pseudo-Random Number Generation (4)
- A PRBG is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first m bits of an output sequence s, can predict the (m + 1)-st bit s_{m+1} of the output sequence with probability significantly greater than 0.5.
- Theorem (universality of the next-bit test): A PRBG passes the next-bit test if and only if it passes all polynomial-time statistical tests. For the proof, please see section 12.2 in [Sti95a].
- A PRBG that passes the next-bit test, possibly under some plausible but unproved mathematical assumption such as the intractability of the factoring problem for large integers, is called a cryptographically secure pseudo-random bit generator (CSPRBG).

Hardware-Based Random Number Generation
- Hardware-based random bit generators are based on physical phenomena, such as: elapsed time between emission of particles during radioactive decay; thermal noise from a semiconductor diode or resistor; frequency instability of a free-running oscillator; the amount a metal-insulator-semiconductor capacitor is charged during a fixed period of time; air turbulence within a sealed disk drive, which causes random fluctuations in disk drive sector read latencies; sound from a microphone or video input from a camera.
- A hardware-based random bit generator should ideally be enclosed in some tamper-resistant device and thus shielded from possible attackers.

Software-Based Random Number Generation
- Software-based random bit generators may be based upon processes such as: the system clock; elapsed time between keystrokes or mouse movement; content of input/output buffers; user input; operating system values such as system load and network statistics.
- Ideally, multiple sources of randomness should be mixed, e.g. by concatenating their values and computing a cryptographic hash value over the combined value, in order to avoid that an attacker might guess the random value.
- If, for example, only the system clock is used as a random source, then an attacker might guess random numbers obtained from that source of randomness if he knows when they were generated.
- Usually, such generators are used to initialize PRNGs, i.e. to set their seed.

De-skewing
- Consider a random generator that produces biased but uncorrelated bits, e.g. it produces 1s with probability p ≠ 0.5 and 0s with probability 1 − p, where p is unknown but fixed.
- The following technique can be used to obtain a random sequence that is uncorrelated and unbiased:
  - The output sequence of the generator is grouped into pairs of bits.
  - All pairs 00 and 11 are discarded.
  - For each pair 10 the unbiased generator produces a 1, and for each pair 01 it produces a 0.
- Another practical (although not provable) de-skewing technique is to pass sequences whose bits are correlated or biased through a cryptographic hash function such as MD5 or SHA-1.

Statistical Tests for Random Numbers
- The following tests allow one to check whether a generated random or pseudo-random sequence exhibits certain statistical properties:
  - Monobit Test: Are there equally many 1s as 0s?
  - Serial Test (Two-Bit Test): Are there equally many 00-, 01-, 10-, 11-pairs?
  - Runs Test: Are the numbers of runs (sequences containing only either 0s or 1s) of various lengths as expected for random numbers?
  - Autocorrelation Test: Are there correlations between the sequence and (non-cyclic) shifted versions of it?
  - Maurer's Universal Test: Can the sequence be compressed?
- The above descriptions just give the basic ideas of the tests. For a more detailed and mathematical treatment, please refer to sections 5.4.4 and 5.4.5 in [Men97a].
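The pairwise de-skewing procedure and the first two statistical tests from the slides above, as an added example that is not from the lecture. The biased source is constructed with a fixed seed and stands in for a hardware generator with an unknown bias p; the monobit statistic is the normalised difference of ones and zeros, which is approximately standard normal for an unbiased sequence.

```python
"""Von Neumann de-skewing, then monobit and serial (two-bit) tests on the result."""
import math
import random
from collections import Counter
from typing import Dict, List


def biased_source(n_bits: int, p: float, seed: int = 1) -> List[int]:
    """Constructed biased-but-uncorrelated source: emits 1 with probability p."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n_bits)]


def von_neumann_deskew(bits: List[int]) -> List[int]:
    """Group into pairs, drop 00 and 11, map 10 -> 1 and 01 -> 0.

    Unbiased for any fixed p because P(10) = P(01) = p(1-p); the price is
    that only about 2p(1-p) of the input pairs yield an output bit."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        first, second = bits[i], bits[i + 1]
        if first != second:
            out.append(first)           # 10 -> 1, 01 -> 0
    return out


def monobit_z(bits: List[int]) -> float:
    """Monobit test statistic (#ones - #zeros)/sqrt(n); ~N(0,1) if unbiased,
    so |z| well above 3 indicates a biased sequence."""
    ones = sum(bits)
    return (2 * ones - len(bits)) / math.sqrt(len(bits))


def serial_counts(bits: List[int]) -> Dict[str, int]:
    """Serial (two-bit) test input: counts of non-overlapping 00/01/10/11 pairs,
    which should all be close to n/8 for a random sequence."""
    pairs = (f"{bits[i]}{bits[i + 1]}" for i in range(0, len(bits) - 1, 2))
    counts = Counter(pairs)
    return {k: counts.get(k, 0) for k in ("00", "01", "10", "11")}


if __name__ == "__main__":
    raw = biased_source(40_000, p=0.7)
    fixed = von_neumann_deskew(raw)
    print(f"raw:       n={len(raw):6d}  monobit z={monobit_z(raw):7.2f}")
    print(f"de-skewed: n={len(fixed):6d}  monobit z={monobit_z(fixed):7.2f}")
    print("serial counts of de-skewed output:", serial_counts(fixed))
```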

Additional References
[Ferg03] Niels Ferguson, Bruce Schneier. Practical Cryptography. John Wiley & Sons, 2003.
[Men97a] A. J. Menezes, P. C. van Oorschot, S. A. Vanstone. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and Its Applications, Hardcover, 816 pages, CRC Press, 1997.
[Sti95a] D. R. Stinson. Cryptography: Theory and Practice (Discrete Mathematics and Its Applications). Hardcover, 448 pages, CRC Press, 1995.