PKCS #14 Status of Work


  1. PKCS #14 Status of Work
     Pseudo Random Number Generation
     Jan-Ove Larsson, RSA Laboratories Europe, jlarsson@rsasecurity.com
     PKCS Workshop ’99, Sep 29 - Oct 1, Stockholm, Sweden

  2. Outline
     • Motivation for PRNG Standard
     • Design Criteria
     • Building Blocks
     • Set of Operations for PRNG
     • Model for PRNG
     • Basic Security Properties
     • Attacks on PRNGs
     • Algo Proposals

  3. Motivation for PRNG Standard
     • Increases Security
     • Complements Other Standards
     • Support to Developers
       - strength, correctness via test vectors
     • Legal Aspects
       - liability in cases of fraud
     • Public Trust
       - home-banking
       - e-commerce
       - other services

  4. Design Criteria
     • Build On
       - proven security properties if possible
       - well-studied algorithms and primitives
     • Be Conservative
     • Promote Simplicity
       - better performance, easier to analyse

  5. Building Blocks
     In accordance with our design criteria we build the PRNG using well-studied algorithms and primitives. There are several possibilities, including:
     • Block Ciphers
       - CBC-MACs
     • Stream Ciphers
     • Modular Exponentiation Based
     • Cryptographic Hash Functions
       - HMACs
       - NMACs

  6. Set of Operations for PRNG
     • State Update from New Seed
     • State Advance after Output Generation
     • Output Generation
     • Save / Restore State
     • Self-Test?

  7. Model for PRNG
     Variables:
     • I, Input to Seed Array
     • X[ ], Array of Blocks of Seed Bytes
     • Y[ ], Array of Output Bytes
     • S, Internal State
     Functions:
     • H, State Update From Seed
     • F, State Advance After Output
     • G, Generation of Output Bytes
     (Diagram: I fills X[ ]; H updates S from X[ ]; F advances S; G produces Y[ ] from S)

  8. Basic Security Properties
     • Use Large Seed Blocks
     • Knowledge of Part of the Seed Shall Be of No Help to an Adversary
     • Good Seed Usage: Make the State Depend on All Previous Seed
     • Large, Unbiased Internal State
     • Output Shall Pass Randomness Tests
     • Output Shall Be Unpredictable

  9. Attacks on PRNGs 1
     • Guessing of Seed
       - The entropy of X[i] needs to be large to prevent an exhaustive search attack.
     • Chosen Seed Input / State Cycle Shortening
     (Diagram: X[ i ] and Old State are fed to H, which produces New State)

  10. Attacks on PRNGs 2
     • Timing Attacks on State Advance Function
       - Ensure that the advance function takes constant time.
       - If that is not possible, random delays? Gives worse performance!

  11. Attacks on PRNGs 3
     • Direct Cryptanalytic Attacks on Output Generation Function
       - Strong cipher or preimage-resistant hash
       - Truncate output from output generation function

  12. Attacks on PRNGs 4
     • Attacks After a Compromise of State
       - Backward Tracking Attack: after a compromise of state, try to determine previous outputs.
       - Forward Tracking

  13. Algo Proposals (due to Bob Baldwin) 1
     Cipher Based Single Width Algorithm
     S = Counter Value, C = Counter Incr., K = Encr. Key
     State Update From Seed:
       K’ = Hash( K || X[ i ] ), K = ”” at Initialization
       S = C = Odd( Enc( K’, 0 ) )   (K’ determines State)
     State Advance after Output:
       S’ = S + C ( mod 2 ** |S| )
     Output Generation:
       Y[ j ] = Enc( K, S )

  14. Algo Proposals 2
     Digest Based Single Width Algorithm
     S = Counter Value, C = Counter Incr., K = Secret State
     State Update From Seed:
       K’ = Hash( K || X[ i ] ), K = ”” at Initialization
       S = C = Odd( Hash( K’, 0 ) )   (K’ determines State)
     State Advance after Output:
       S’ = S + C ( mod 2 ** |S| )
     Output Generation:
       Y[ j ] = Hash( K || S )

  15. Algo Proposals 3
     Cipher Based Double Width Algorithm
     KL = Cipher Key Length, BL = Cipher Block Length
     ”0x20” = Block of BL bytes equal to 0x20
     DMac(K1, K2, S) = Enc( K1, CbcMac( K2, S ) )
     H2(x) = DMac( ”0x20”, ”0x20”, x ) || DMac( ”0x21”, ”0x21”, x )

  16. Algo Proposals 4
     Cipher Based Double Width Algorithm Cont’d
     Secret State is (K1, K2)
     State Update From Seed:
       K1 || K2 = H2( K1 || K2 || X[ i ] ), K1 = K2 = ”” at Init
       C1 = DMac( K1, K2, 2BL-zeros ) ; S = C1 || BL-zeros
       C2 = DMac( K1, K2, S ) ; C = S = C1 || C2 ; C = Odd( C )
     State Advance after Output:
       S’ = S + C ( mod 2 ** BL )
     Output Generation:
       Y[ j ] = DMac( K1, K2, S )

  17. Algo Proposals 5
     Digest Based Double Width Algorithm
     BL = Output Block Length for the Digest
     ML = Input Block Length for the Digest Compression Fcn
     H(x) = Digest of x
     Ext(x) = ML-byte value, x padded to the right with 0-bytes
     NMac(K1, K2, S) = H( Ext(K1) || H( Ext(K2) || S ) )
     H2(K1, K2, x) = NMac( K1, K2, x ) || NMac( K2, K1, x )

  18. Algo Proposals 6
     Digest Based Double Width Algorithm Cont’d
     Secret State is (K1, K2)
     State Update From Seed:
       K1 || K2 = H2( K1 || K2 || X[ i ] ), K1 = K2 = ”” at Init
       C1 = NMac( K1, K2, 2BL-zeros ) ; S = C1 || BL-zeros
       C2 = NMac( K1, K2, S ) ; C = S = C1 || C2 ; C = Odd( C )
     State Advance after Output:
       S’ = S + C ( mod 2 ** BL )
     Output Generation:
       Y[ j ] = NMac( K1, K2, S )
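The digest-based double-width proposal of slides 17-18, wired into the three operations of the slide 6/7 model, as an added example that is not from the slides or from RSA Laboratories. It is instantiated with SHA-256 (so BL = 32 and ML = 64), and the counter addition is taken big-endian over the full width of S; the digest choice, byte order and reading of "mod 2 ** BL" are assumptions, since the slides leave them open.

```python
import hashlib

# Added example, not from the slides: the digest-based double-width PRNG of
# slides 17-18 instantiated with SHA-256. The digest choice and the byte order
# used for the counter arithmetic are assumptions; the slides fix neither.
BL = 32  # output block length of SHA-256, in bytes
ML = 64  # input block length of the SHA-256 compression function, in bytes

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def Ext(x: bytes) -> bytes:
    assert len(x) <= ML, "key must fit one compression block"
    return x.ljust(ML, b"\x00")  # x padded to the right with 0-bytes

def NMac(k1: bytes, k2: bytes, s: bytes) -> bytes:
    return H(Ext(k1) + H(Ext(k2) + s))  # H(Ext(K1) || H(Ext(K2) || S))

def H2(k1: bytes, k2: bytes, x: bytes) -> bytes:
    return NMac(k1, k2, x) + NMac(k2, k1, x)  # double-width digest

def Odd(c: bytes) -> bytes:
    return c[:-1] + bytes([c[-1] | 1])  # force the low bit of the increment

class DigestPrng:
    def __init__(self) -> None:
        self.k1 = self.k2 = b""  # K1 = K2 = "" at init
        self.s = self.c = b"\x00" * (2 * BL)

    def update_from_seed(self, x: bytes) -> None:
        # State Update From Seed: the new keys depend on the old keys and X[i]
        k1k2 = H2(self.k1, self.k2, self.k1 + self.k2 + x)
        self.k1, self.k2 = k1k2[:BL], k1k2[BL:]
        c1 = NMac(self.k1, self.k2, b"\x00" * (2 * BL))
        c2 = NMac(self.k1, self.k2, c1 + b"\x00" * BL)
        self.s, self.c = c1 + c2, Odd(c1 + c2)

    def advance(self) -> None:
        # State Advance after Output: S' = S + C, wrapping at the width of S
        n = int.from_bytes(self.s, "big") + int.from_bytes(self.c, "big")
        self.s = (n % (1 << (8 * len(self.s)))).to_bytes(len(self.s), "big")

    def output(self) -> bytes:
        # Output Generation: Y[j] = NMac(K1, K2, S); then advance the counter
        y = NMac(self.k1, self.k2, self.s)
        self.advance()
        return y
```

Feeding the same seed blocks in a different order yields a different key pair, which is the "state depends on all previous seed" property of slide 8; an odd C keeps the counter from cycling early, the concern raised on slide 9.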
