Random number generation done wrong - CryptoExperts
Transcript of the slide deck.

Random number generation done wrong
Nadia Heninger
University of Pennsylvania
April 30, 2017
2008: The Debian OpenSSL entropy disaster

May 2008: Discovered by Luciano Bello.
Keys dependent only on pid and machine architecture: 294,912 keys per key size.
[Yilek, Rescorla, Shacham, Enright, Savage 2009]
Debian OpenSSL weak keys in 2013

31,111 (0.34%) of RSA SSH hosts
[Durumeric Wustrow Halderman 2013]
[Heninger Durumeric Wustrow Halderman 2012], [Lenstra, Hughes, Augier, Bos, Kleinjung, Wachter 2012]

Motivating question: What does cryptography look like on a broad scale?

Methodology:
1. Collect cryptographic data (keys, signatures, ...).
2. Look for interesting things.

Results: Stumble upon random number generation flaws in the wild.
Public-key cryptography in practice.

End host cipher preference, November 2016 (censys.io and custom ZMap scans)

                   Key exchange*            Signatures
Protocol  Hosts    RSA    DH     ECDH       RSA    DSA    ECDSA
HTTPS     39M      39%    10%    51%        99%    ≈ 0    1%
SSH       17M      ≈ 0    52%    48%        93%    7%     0.3%
IKEv1     1.1M     -      97%    3%         -      -      -
IKEv2     1.2M     -      98%    2%         -      -      -

(* Preferences depend on client ordering.)
Cryptography relies on good randomness.

If you use bad randomness, an attacker might be able to guess your private key.
End of story?
What could go wrong: Repeated keys

RSA public keys: N = pq (modulus), e (encryption exponent).
- Two hosts share e: not a problem.
- Two hosts share N: both know the private key of the other.
Hosts that share the same public and private keys can decrypt and sign for each other.
What happens if we look for repeated moduli?

More than 60% of HTTPS and SSH hosts served non-unique public keys.

Many valid (and common) reasons to share keys:
- Shared hosting situations. Virtual hosting.
- A single organization registers many domain names with the same key.
- Expired certificates that are renewed with the same key.

Common (and unwise) reasons to share keys:
- Device default certificates/keys.
- Apparent entropy problems in key generation.

HTTPS: default certificates/keys: 670,000 hosts (5%); low-entropy repeated keys: 40,000 hosts (0.3%)
SSH: default or low-entropy keys: 1,000,000 hosts (10%)

Subjects of most repeated TLS Certificates
C=TW, ST=HsinChu, L=HuKou, O=DrayTek Corp., OU=DrayTek Support, CN=Vigor Router
C=UA, ST=Califonia, L=Irvine, O=Broadcom, OU=Broadband, CN=Daniel/[email protected]
C=US, ST=AL, L=Huntsville, O=ADTRAN, Inc., CN=NetVanta/[email protected]
C=CA, ST=Quebec, L=Gatineau, O=Axentraserver Default Certificate 863B4AB, CN=localdomain/[email protected]
C=US, ST=California, L=Santa Clara, O=NETGEAR Inc., OU=Netgear Prosafe, CN=NetGear/[email protected]
C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected]
C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Remote Access Group, CN=iDRAC6 default certificate
C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected]
C=IN, ST=WA, L=WA, O=lxlabs, OU=web, CN=*.lxlabs.com/[email protected]
C=TW, ST=none, L=Taipei, O=NetKlass Techonoloy Inc, OU=NetKlass, CN=localhost
C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected]
C=US, CN=ORname_Jungo: OpenRG Products Group
C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected]
C=LT, L=Kaunas, O=Ubiquiti Networks Inc., OU=devint, CN=ubnt/[email protected]
C=PL, ST=Some-State, O=Mini Webservice Ltd
C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Remote Access Group, CN=DRAC5 default certificate
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=TS Series NAS
C=DE, ST=NRW, L=Wuerselen, O=LANCOM Systems, OU=Engineering, CN=www.lancom systems.de/[email protected]

X.509 Subject Alt Names of repeated trusted TLS certificates
DNS:*.opentransfer.com, DNS:opentransfer.com
DNS:*.home.pl, DNS:home.pl
DNS:a248.e.akamai.net, DNS:*.akamaihd.net, DNS:*.akamaihd-staging.net
DNS:*.c11.hesecure.com, DNS:c11.hesecure.com
DNS:*.pair.com, DNS:pair.com
DNS:*.c12.hesecure.com, DNS:c12.hesecure.com
DNS:*.c10.hostexcellence.com, DNS:c10.hostexcellence.com
DNS:*.securesitehosting.net, DNS:securesitehosting.net
DNS:*.sslcert19.com, DNS:sslcert19.com
DNS:*.c11.ixsecure.com, DNS:c11.ixsecure.com
DNS:*.c9.hostexcellence.com, DNS:c9.hostexcellence.com
DNS:*.naviservers.net, DNS:naviservers.net
DNS:*.c10.ixwebhosting.com, DNS:c10.ixwebhosting.com
DNS:*.google.com, DNS:google.com, DNS:*.atggl.com, DNS:*.youtube.com, DNS:youtube.com, DNS:*.youtube-nocookie.com, DNS:youtu.be, DNS:*.ytimg.com, DNS:*.google.com.br, DNS:*.google.co.in, DNS:*.google.es, DNS:*.google.co.uk, DNS:*.google.ca, DNS:*.google.fr, DNS:*.google.pt, DNS:*.google.it, DNS:*.google.de, DNS:*.google.cl, DNS:*.google.pl, DNS:*.google.nl, DNS:*.google.com.au, DNS:*.google.co.jp, DNS:*.google.hu, DNS:*.google.com.mx, DNS:*.google.com.ar, DNS:*.google.com.co, DNS:*.google.com.vn, DNS:*.google.com.tr, DNS:*.android.com, DNS:*.googlecommerce.com
DNS:*.hospedagem.terra.com.br
DNS:*.c8.ixwebhosting.com, DNS:c8.ixwebhosting.com
DNS:www.control.tierra.net, DNS:control.tierra.net

Classifying repeated SSH host keys

[Bar chart: number of repeats (log scale, 10^4 to 10^5) for the 50 most repeated RSA SSH keys, each classified as a device, a hosting provider, or unknown/other.]

What could go wrong: Shared factors

If two RSA moduli share a common factor,
    N1 = p·q1,  N2 = p·q2
then gcd(N1, N2) = p, and you can factor both keys with the GCD algorithm.

Time to factor a 768-bit RSA modulus: 2.5 calendar years [Kleinjung et al. 2010]
Time to calculate the GCD of two 1024-bit RSA moduli: 15 µs

Should we expect to find key collisions in the wild?

Experiment: Compute the GCD of each pair of M RSA moduli randomly chosen from P primes.
What should happen? Nothing.

Prime Number Theorem: ~10^150 512-bit primes.
Birthday bound: Pr[nontrivial gcd] ≈ 1 − e^(−2M²/P)

[Plot: Pr[nontrivial gcd] (0 to 1) against the number of moduli M, from 1 to 10^1000 on a log axis, with markers for Earth's population, the number of atoms in Earth, and the number of atoms in the universe.]

How to efficiently compute pairwise GCDs

Computing pairwise gcd(Ni, Nj) the naive way on all of the unique RSA keys in a single set of scans would take
    15 µs × C(14 × 10^6, 2) pairs ≈ 1100 years
of computation time.

Algorithm from [Bernstein 2004]: a few hours for 10M keys. Implementation available at https://factorable.net.

Product tree: multiply the moduli pairwise up the tree,
    N1, N2, N3, N4  →  N1·N2, N3·N4  →  P = N1·N2·N3·N4
Remainder tree: reduce P back down the tree modulo the square of each node,
    P mod (N1·N2)², P mod (N3·N4)²  →  P mod N1², P mod N2², P mod N3², P mod N4²
then at each leaf compute (P mod Ni²)/Ni and gcd((P mod Ni²)/Ni, Ni), which equals gcd(P/Ni, Ni).

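The product tree and remainder tree above, as an added worked example in Python; this is not the factorable.net implementation or any code from the talk. The moduli are constructed from a handful of known primes (Mersenne primes and the 10^4-th, 10^6-th and 10^7-th primes), deliberately reused the way a low-entropy device PRNG would reuse them, and `batch_gcd`, `factor_weak_keys` and `private_exponent` are this example's own names.

```python
import math

# Constructed sample primes: Mersenne primes and the 10^4-th, 10^6-th and
# 10^7-th primes.  Nothing here is a key observed by the study; the reuse
# pattern below imitates a device PRNG that repeats primes across boots.
P1, P2, P3, P4 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1
P5, P6 = 2**127 - 1, 2**521 - 1
P7, P8, P9 = 104729, 15485863, 179424673

SAMPLE_MODULI = [
    P1 * P2,   # shares P1 with the next modulus and P2 with the one after: gcd is the whole modulus
    P1 * P3,   # shares P1 only
    P2 * P4,   # shares P2 only
    P5 * P6,   # shares nothing: the batch gcd must report 1
    P7 * P8,   # shares P7 with the last modulus
    P7 * P9,
]


def product_tree(leaves):
    """Levels of a product tree: the leaves first, the product of everything last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree


def batch_gcd(moduli):
    """gcd(N_i, prod_{j != i} N_j) for every N_i, using one product tree and one
    remainder tree (Bernstein 2004) instead of n^2 pairwise gcds."""
    if not moduli:
        return []
    tree = product_tree(moduli)
    remainders = tree.pop()              # root level: [P], the product of all moduli
    while tree:
        level = tree.pop()
        # Node i of this level sits under node i // 2 of the level above;
        # reducing the parent's remainder mod n^2 preserves (P mod n^2) exactly.
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod N^2) / N is congruent to P / N mod N, so the gcd below equals
    # gcd(N, product of all the other moduli) without ever forming P / N.
    return [math.gcd(r // n, n) for r, n in zip(remainders, moduli)]


def factor_weak_keys(moduli):
    """Map each modulus that shares a prime with another one to its (p, q).

    A gcd equal to the modulus itself means both primes are shared with other
    moduli; those are resolved by trial division against the primes already
    recovered, which suffices whenever at least one partner was itself factored."""
    uniq = sorted(set(moduli))           # duplicate moduli would make every gcd trivial
    gcds = batch_gcd(uniq)
    found = {}
    for n, g in zip(uniq, gcds):
        if 1 < g < n:
            found[n] = tuple(sorted((g, n // g)))
    known = {p for pq in found.values() for p in pq}
    for n, g in zip(uniq, gcds):
        if g == n:
            for p in known:
                if n % p == 0:
                    found[n] = tuple(sorted((p, n // p)))
                    break
    return found


def private_exponent(p, q, e=65537):
    """RSA private exponent d = e^-1 mod (p-1)(q-1): all an attacker needs
    once a modulus has been factored."""
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    weak = factor_weak_keys(SAMPLE_MODULI)
    print(f"{len(weak)} of {len(SAMPLE_MODULI)} moduli factored")
    for n, (p, q) in weak.items():
        d = private_exponent(p, q)
        m = 123456789
        assert pow(pow(m, 65537, n), d, n) == m   # the recovered key really decrypts
        print(f"N={n} p={p} q={q} (private key recovered)")
```

The deduplication step matters in practice: a modulus that appears twice in the input has gcd equal to itself against the product of the others, so repeated keys must be collapsed first and reported separately, as the slides do. The trial-division fallback for gcd == N is only partial; moduli whose primes are both shared exclusively with other unfactored moduli need a second pass or a pairwise gcd among the leftovers.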
What happens if we compute GCDs of some RSA moduli?

What did happen when we GCDed all the keys in 2012? Computed private keys for
- 64,081 HTTPS servers (0.50%).
- 2,459 SSH servers (0.03%).
- 2 PGP users (and a few hundred invalid keys).

... only two of the factored HTTPS certificates were signed by a CA, and both were expired. The web pages weren't active.

Subject information for certificates:
CN=self-signed, CN=system generated, CN=0168122008000024
CN=self-signed, CN=system generated, CN=0162092009003221
CN=self-signed, CN=system generated, CN=0162122008001051
C=CN, ST=Guangdong, O=TP-LINK Technologies CO., LTD., OU=TP-LINK SOFT, CN=TL-R478+1145D5C30089/[email protected]
C=CN, ST=Guangdong, O=TP-LINK Technologies CO., LTD., OU=TP-LINK SOFT, CN=TL-R478+139819C30089/[email protected]
CN=self-signed, CN=system generated, CN=0162072011000074
CN=self-signed, CN=system generated, CN=0162122009008149
CN=self-signed, CN=system generated, CN=0162122009000432
CN=self-signed, CN=system generated, CN=0162052010005821
CN=self-signed, CN=system generated, CN=0162072008005267
C=US, O=2Wire, OU=Gateway Device/serialNumber=360617088769, CN=Gateway Authentication
CN=self-signed, CN=system generated, CN=0162082009008123
CN=self-signed, CN=system generated, CN=0162072008005385
CN=self-signed, CN=system generated, CN=0162082008000317
C=CN, ST=Guangdong, O=TP-LINK Technologies CO., LTD., OU=TP-LINK SOFT, CN=TL-R478+3F5878C30089/[email protected]
CN=self-signed, CN=system generated, CN=0162072008005597
CN=self-signed, CN=system generated, CN=0162072010002630
CN=self-signed, CN=system generated, CN=0162032010008958
CN=109.235.129.114
CN=self-signed, CN=system generated, CN=0162072011004982
CN=217.92.30.85
CN=self-signed, CN=system generated, CN=0162112011000190
CN=self-signed, CN=system generated, CN=0162062008001934
CN=self-signed, CN=system generated, CN=0162112011004312
CN=self-signed, CN=system generated, CN=0162072011000946
C=US, ST=Oregon, L=Wilsonville, CN=141.213.19.107, O=Xerox Corporation, OU=Xerox Office Business Group,
CN=XRX0000AAD53FB7.eecs.umich.edu, CN=(141.213.19.107|XRX0000AAD53FB7.eecs.umich.edu)
CN=self-signed, CN=system generated, CN=0162102011001174
CN=self-signed, CN=system generated, CN=0168112011001015
CN=self-signed, CN=system generated, CN=0162012011000446
CN=self-signed, CN=system generated, CN=0162112011004041
CN=self-signed, CN=system generated, CN=0162112011000617
CN=self-signed, CN=system generated, CN=0162042011006791
CN=self-signed, CN=system generated, CN=0162072011005063
CN=self-signed, CN=system generated, CN=0162122008003402
CN=self-signed, CN=system generated, CN=0162072011005032
CN=self-signed, CN=system generated, CN=0162042011005343
CN=self-signed, CN=system generated, CN=0162012008002101
CN=self-signed, CN=system generated, CN=0162072008005492
CN=self-signed, CN=system generated, CN=0162092008000776
CN=self-signed, CN=system generated, CN=0162092008000852
CN=self-signed, CN=system generated, CN=0162112008000044

Attributing SSL and SSH vulnerabilities to implementations

Evidence strongly suggested widespread implementation problems.

Clue #1: Vast majority of weak keys generated by network devices:
- Juniper network security devices
- Cisco routers
- IBM server management cards
- Intel server management cards
- Innominate industrial-grade firewalls
- ...
Identified devices from more than 50 manufacturers.

Clue #2: Very different behavior for different devices. Different companies, implementations, underlying software, distributions of prime factors.

Distribution of prime factors: IBM Remote Supervisor Adapter II and BladeCenter Management Module
[Plot: modulus frequency (0 to 100, linear scale) for each prime factor.]

Distribution of prime factors: Juniper SRX branch devices
[Plot: modulus frequency (10^0 to 10^3, log scale) for each prime factor.]

Random number generation in software

[Diagram: time, pid, and the OS entropy pool feed the application's pseudorandom number generator, which produces the crypto keys.]

Hypothesis: Devices automatically generate crypto keys on first boot.
- The OS random number generator may not have incorporated any entropy when queried by software.
- Headless or embedded devices may lack these entropy sources.

Linux boot-time entropy hole

Experiment: Instrument the Linux kernel to track entropy estimates (Ubuntu Server 10.04).

[Plot: input pool entropy estimate in bits (0 to 250) and bytes read from the nonblocking pool (0 to 25,000) against time since boot (0 to 70 s). Marked events: the SSH process starts and seeds from /dev/urandom with a read(32); the input pool crosses the threshold at which kernel randomness is added, and the entropy pool is updated, only after that read has already happened.]

Patched since July 2012.

Generating vulnerable RSA keys in software

Insufficiently random seeds for the pseudorandom number generator imply that we should see repeated keys:
    prng.seed()                  # seeded from whatever entropy the OS has at this point
    p = prng.random_prime()
    q = prng.random_prime()
    N = p*q
We do:
- More than 60% of hosts share keys.
- At least 0.3% due to bad randomness.
Repeated keys may be a sign that an implementation is vulnerable to a targeted attack.

But why do we see factorable keys?

Generating factorable RSA keys in software

    prng.seed()
    p = prng.random_prime()
    prng.add_randomness()        # OpenSSL adds the time in seconds here
    q = prng.random_prime()
    N = p*q

Insufficient randomness can lead to factorable keys:

                 ← generating p →   ← generating q →
    device 1     8F 2B C1 13 EA     F1 AA
    device 2     8F 2B C1 13 EA     92 41
                 time=0             time=1

The PRNG output stream is identical on both devices while p is generated; the time in seconds mixed in before q differs between them, so q differs while p is shared, and gcd(N1, N2) = p. Experimentally verified that OpenSSL generates factorable keys in this situation.

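An added simulation of the failure the slide describes, written for this page and not taken from OpenSSL or the talk. `DevicePrng` is a deliberately simplified stand-in for an application PRNG (SHA-256 state, with the time in seconds mixed in between the two prime searches, as the slide says OpenSSL does); the 32-bit toy primes and the empty boot-time entropy pool are constructed, and `generate_key`, `attack` and `simulate_fleet` are this example's own names. The "healthy" device shows the fix: seed from OS entropy that is actually present before the key is generated.

```python
import hashlib
import math
import random
import secrets


def is_prime(n):
    """Deterministic trial division; adequate for the 32-bit toy primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


class DevicePrng:
    """Simplified model of an application PRNG (assumption: hashed state, not
    OpenSSL's real generator): it starts from whatever the OS hands over at
    seed time and absorbs any data mixed in later."""

    def __init__(self, os_entropy: bytes):
        self.state = hashlib.sha256(b"seed" + os_entropy).digest()

    def add_randomness(self, data: bytes):
        self.state = hashlib.sha256(self.state + data).digest()

    def random_prime(self, bits=32):
        rng = random.Random(int.from_bytes(self.state, "big"))
        # Step the state so the next prime differs even with no new input.
        self.state = hashlib.sha256(self.state + b"advance").digest()
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
            if is_prime(cand):
                return cand


def generate_key(os_entropy: bytes, seconds_at_q: int, bits=32):
    """The slide's sequence: seed, pick p, mix in the clock, pick q.
    seconds_at_q models the time in seconds mixed in between the two searches."""
    prng = DevicePrng(os_entropy)
    p = prng.random_prime(bits)
    prng.add_randomness(seconds_at_q.to_bytes(8, "big"))
    q = prng.random_prime(bits)
    return p, q, p * q


def attack(moduli):
    """Pairwise gcd over a small set; batch gcd is what scales this to millions."""
    factored = {}
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            if n1 == n2:
                continue      # repeated key: nothing to factor, the private key is simply shared
            g = math.gcd(n1, n2)
            if 1 < g < n1:
                factored[n1] = (g, n1 // g)
                factored[n2] = (g, n2 // g)
    return factored


# Constructed scenario: headless devices whose entropy pool is still empty
# when the first-boot key generation runs.
EMPTY_BOOT_ENTROPY = b""


def simulate_fleet():
    """Three low-entropy devices and one healthy one; returns (keys, recovered factors)."""
    keys = {
        "device1": generate_key(EMPTY_BOOT_ENTROPY, seconds_at_q=0),
        # The clock ticked over between p and q on this device: same p, different q.
        "device2": generate_key(EMPTY_BOOT_ENTROPY, seconds_at_q=1),
        # Same empty pool and same clock reading: an identical, repeated key.
        "device3": generate_key(EMPTY_BOOT_ENTROPY, seconds_at_q=0),
        # The fix: seed from OS entropy that is actually present before keygen.
        "healthy": generate_key(secrets.token_bytes(32), seconds_at_q=0),
    }
    moduli = [n for (_, _, n) in keys.values()]
    return keys, attack(moduli)


if __name__ == "__main__":
    keys, found = simulate_fleet()
    for name, (p, q, n) in keys.items():
        status = "FACTORED" if n in found else "ok"
        print(f"{name}: N={n:#x} {status}")
```

Device 1 and device 3 end up with the same modulus (the repeated-key case), device 2 shares p with both of them and is factored by a single gcd, and the healthy device is untouched because its seed came from real OS entropy. On Linux, `secrets.token_bytes` goes through `os.urandom`, which on Python 3.6 and later uses `getrandom()` and blocks until the kernel pool has been initialized, so a key generator that waits for it cannot fall into the boot-time entropy hole shown on the previous slide.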
GCDing RSA keys is surprisingly fruitful...

2013: Factored 103 Taiwanese citizen smart card keys. [Bernstein, Chang, Cheng, Chou, Heninger, Lange, van Someren 2013]
2015: Factored 90 export-grade HTTPS keys. [Albrecht, Papini, Paterson, Villanueva-Polanco 2015]
2017: Factored 3,337 Tor relay RSA keys. [Kadianakis, Roberts, Roberts, Winter 2017]

Were RNG issues fixed since 2012? A follow-up study. [Hastings, Fried, Heninger 2016]
- Did vendors fix their broken implementations?
- Can we observe patching behavior in end users?

Methodology for this study

What happens when we ask vendors to fix a vulnerability?
1. Aggregated internet-wide TLS scans from 2010-2016.
2. Computed batch GCD for 81.2 million RSA moduli.
3. Identified vendors of vulnerable implementations.
4. Examined results based on response to the 2012 notification.

Data sources: how to read the plots
- Scan sources along the top of the plot (Censys, Rapid7, Ecosystem, P&Q, EFF).
- Scan dates on the x-axis (07/2010 to 05/2016).
- Absolute counts on the y-axis.
[Plot: HTTPS hosts, 0M to 40M, per scan from 07/2010 to 05/2016.]

Six years of factoring keys
- 51 million distinct HTTPS RSA moduli: 0.43% vulnerable
- 65 million distinct HTTPS certificates: 2.2% vulnerable
- 1.5 billion HTTPS host records: 0.19% vulnerable
[Plot: total HTTPS hosts (0M to 40M) and vulnerable hosts (0K to 80K) per scan from 07/2010 to 05/2016, by scan source (Censys, Rapid7, Ecosystem, P&Q, EFF).]

Original notification
- Low response rates from vendors
- Took place March-June 2012
[Pie chart: vendor response to the original notification, split into public response, private response, auto-responder, and no response.]

Innominate mGuard network security devices (Smart, PCI, Industrial RS, Blade, Delta, EAGLE)
- Public advisory in June 2012
- Consistent population of vulnerable devices since 2012
- New devices not vulnerable, but old devices not patched
[Plot: total and vulnerable Innominate hosts (0 to 600) per scan from 07/2010 to 05/2016, by scan source.]

Juniper SRX Series Service Gateways (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650), LN1000 Mobile Secure Router
- Public security bulletin in April 2012, out-of-cycle security notice in July 2012
- Majority of factored keys in 2012 were Juniper hosts
- Weird behavior in April 2014
[Figure: Juniper-fingerprinted hosts over time, 07-2010 to 05-2016 (0K to 80K hosts), total vs. vulnerable; data sources: Censys, Rapid7, Ecosystem, P&Q, EFF]
![Page 46: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/46.jpg)
Juniper SRX Series Service Gateways (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650), LN1000 Mobile Secure Router
- 30,000 Juniper-fingerprinted hosts (9000 vulnerable) came offline after Heartbleed
- IPs do not reappear in later scans: TLS disabled, scans blocked, devices offline?
[Figure: Juniper-fingerprinted hosts over time, 07-2010 to 05-2016 (0K to 80K hosts), total vs. vulnerable, with the Heartbleed disclosure (April 2014) marked; data sources: Censys, Rapid7, Ecosystem, P&Q, EFF]
![Page 47: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/47.jpg)
Juniper SRX Series Service Gateways (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650), LN1000 Mobile Secure Router
Did Juniper users ever patch?
[Figure, build step 1: Juniper hosts, Vulnerable vs. Not vulnerable; label: 1100]
![Page 48: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/48.jpg)
Juniper SRX Series Service Gateways (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650), LN1000 Mobile Secure Router
Did Juniper users ever patch?
[Figure, build step 2: Juniper hosts, Vulnerable vs. Not vulnerable; labels: 1100, 1200]
![Page 49: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/49.jpg)
Juniper SRX Series Service Gateways (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650), LN1000 Mobile Secure Router
Did Juniper users ever patch?
[Figure, build step 3: Juniper hosts, Vulnerable vs. Not vulnerable; labels: 1100, 1200, 250]
![Page 50: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/50.jpg)
IBM Remote Supervisor Adapter II, BladeCenter Management Module
- Public security advisory (CVE-2012-2187) in September 2012
- Prime generation bug: 36 possible public keys from 9 primes (one modulus per pair of distinct primes, C(9,2) = 36)
- 100% of fingerprintable moduli are vulnerable
[Figure: vulnerable IBM hosts over time, 07-2010 to 05-2016 (0 to 600 hosts), with the Heartbleed disclosure marked; data sources: Censys, Rapid7, Ecosystem, P&Q, EFF]
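The factoring behind both "Six years of factoring keys" and the IBM slide is the same observation: two RSA moduli that share a prime are factored by a single GCD. The following is an added illustration, not code from the talk or from any of the cited papers. It uses a constructed pool of nine tiny primes (stand-ins for the nine primes the IBM generator could emit), builds all 36 possible moduli, and runs the pairwise-GCD audit a defender would run over their own key inventory.

```python
from itertools import combinations
from math import gcd

# Constructed toy prime pool standing in for the nine primes a broken generator
# could emit. Real RSA primes are hundreds of digits; these are tiny so the
# example runs instantly, but the arithmetic is identical.
PRIME_POOL = [101, 103, 107, 109, 113, 127, 131, 137, 139]


def moduli_from_pool(primes):
    """Every RSA modulus N = p*q a generator can produce when it only ever picks
    p and q from `primes` (p != q): one modulus per unordered pair, C(n, 2)."""
    return [p * q for p, q in combinations(primes, 2)]


def shared_factor_audit(moduli):
    """Pairwise-GCD audit of a key set. Two moduli that share a prime have a
    non-trivial GCD, which factors both. Returns {modulus: [p, q]} for every
    modulus factored this way; moduli with no partner are not listed."""
    recovered = {}
    for i, n1 in enumerate(moduli):
        for n2 in moduli[i + 1:]:
            if n1 == n2:
                continue  # identical moduli: gcd would be n1 itself, not a factor
            g = gcd(n1, n2)
            if 1 < g < n1:
                recovered.setdefault(n1, set()).update({g, n1 // g})
                recovered.setdefault(n2, set()).update({g, n2 // g})
    return {n: sorted(f) for n, f in recovered.items()}


def fraction_factored(moduli):
    """Share of the supplied moduli that the audit fully factors."""
    return len(shared_factor_audit(moduli)) / len(moduli)


if __name__ == "__main__":
    keys = moduli_from_pool(PRIME_POOL)
    print(f"{len(keys)} possible moduli from {len(PRIME_POOL)} primes")
    print(f"{fraction_factored(keys):.0%} factored by pairwise GCD")
```

With nine primes every one of the 36 moduli shares a prime with 14 others, so the audit factors 100% of them, matching the "100% of fingerprintable moduli are vulnerable" bullet. The pairwise loop is quadratic and is only meant for a small inventory; the 2012 study scaled to tens of millions of moduli with Bernstein's product-tree batch GCD, which computes the same result in quasi-linear time.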
![Page 51: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/51.jpg)
Huawei
- Introduced vulnerability in 2014
- Security advisory published Aug 2016
[Figure: total Huawei hosts (0 to 60,000) and vulnerable hosts (0 to 3,000) over time, 07-2010 to 05-2016; data sources: Censys, Rapid7, Ecosystem, P&Q, EFF]
![Page 52: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/52.jpg)
Non-RSA cryptographic RNG disasters
- DSA: 1% of SSH host private keys revealed from nonce collisions. [HDWH 2012]
- ECDSA: Android Bitcoin wallet vulnerability; dozens–hundreds of bitcoins stolen in 2013.
- AES-GCM: Fixed or colliding nonces. [Böck, Zauner, Devlin, Somorovsky, Jovanovic 2016]
- Dual-EC: Juniper ScreenOS malicious code insertion.
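The DSA and ECDSA items above fail for the same reason: a signing nonce that repeats across two signatures lets anyone holding both signatures solve for the private key. The following toy DSA instance is an added example, not code from the talk or the cited papers. The group parameters P = 607 and Q = 101 are constructed for illustration, hash values are passed in already reduced mod Q, and the last function is the defender-side check: group a key's observed signatures by r and flag any r that appears twice.

```python
# Toy DSA over a tiny constructed group (illustration only; real DSA uses
# 2048-bit P and 224/256-bit Q, but the algebra is unchanged).
P = 607                       # prime modulus, P - 1 = 6 * Q
Q = 101                       # prime order of the signing subgroup
G = pow(2, (P - 1) // Q, P)   # generator of the order-Q subgroup (64)


def sign(x, k, e):
    """DSA signature of hash value e (already reduced mod Q) under private key x
    using nonce k. A correct signer draws k fresh and uniformly for every signature."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (e + x * r)) % Q
    assert r != 0 and s != 0, "degenerate nonce; a real signer would retry"
    return r, s


def verify(y, e, sig):
    """Standard DSA verification against public key y = G^x mod P."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (e * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


def recover_private_key(e1, sig1, e2, sig2):
    """Two signatures with the same r were made with the same k.
    From s_i = k^-1 (e_i + x r):  (s1 - s2) k = e1 - e2, so k follows,
    and then x = (s1 k - e1) r^-1. Returns None if r differs or s1 == s2."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None
    k = ((e1 - e2) * pow(s1 - s2, -1, Q)) % Q
    x = ((s1 * k - e1) * pow(r1, -1, Q)) % Q
    return x


def find_nonce_collisions(signatures):
    """Defender-side check over (e, (r, s)) pairs observed for one key:
    any r value shared by more than one signature means a repeated nonce."""
    by_r = {}
    for e, (r, s) in signatures:
        by_r.setdefault(r, []).append((e, (r, s)))
    return {r: sigs for r, sigs in by_r.items() if len(sigs) > 1}


if __name__ == "__main__":
    x = 37                                 # constructed private key
    sig1 = sign(x, 59, 7)                  # nonce 59 used twice: the bug
    sig2 = sign(x, 59, 42)
    print(find_nonce_collisions([(7, sig1), (42, sig2)]))
    print(recover_private_key(7, sig1, 42, sig2))   # prints 37
```

The collision check needs nothing secret, only the signatures a host has already emitted, which is exactly how the 1% figure for SSH hosts was obtained from scan data: signatures sharing an r under one host key are the tell, and the recovery step then follows mechanically.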
![Page 53: Random number generation done wrong - CryptoExperts · Random number generation done wrong Nadia Heninger University of Pennsylvania April 30, 2017](https://reader031.fdocuments.in/reader031/viewer/2022020216/5bed51bd09d3f2351f8c06c3/html5/thumbnails/53.jpg)
- Mining your Ps and Qs: Widespread Weak Keys in Network Devices. Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. USENIX Security 2012. https://factorable.net
- "Ron was wrong, Whit is right" (published as "Public Keys"). Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter. Crypto 2012.
- Elliptic Curve Cryptography in Practice. Joppe W. Bos, J. Alex Halderman, Nadia Heninger, Jonathan Moore, Michael Naehrig, and Eric Wustrow. Financial Cryptography 2014.
- Factoring RSA keys from certified smart cards: Coppersmith in the wild. Daniel J. Bernstein, Yun-An Chang, Chen-Mou Cheng, Li-Ping Chou, Nadia Heninger, Tanja Lange, and Nicko van Someren. Asiacrypt 2013.
- A Systematic Analysis of the Juniper Dual EC Incident. Stephen Checkoway, Jacob Maskiewicz, Christina Garman, Joshua Fried, Shaanan Cohney, Matthew Green, Nadia Heninger, Ralf-Philipp Weinmann, Eric Rescorla, and Hovav Shacham. CCS 2016.
- Weak keys remain widespread in network devices. Marcella Hastings, Joshua Fried, and Nadia Heninger. IMC 2016.