180 likes | 198 Views
PKCS #14 Status of Work. Pseudo Random Number Generation. Jan-Ove Larsson RSA Laboratories Europe jlarsson@rsasecurity.com PKCS Workshop ’99 Sep 29 - Oct 1 Stockholm, Sweden. Outline. Motivation for PRNG Standard Design Criteria Building Blocks Set of Operations for PRNG
E N D
PKCS #14 Status of Work Pseudo Random Number Generation Jan-Ove Larsson RSA Laboratories Europe jlarsson@rsasecurity.com PKCS Workshop ’99 Sep 29 - Oct 1 Stockholm, Sweden
Outline • Motivation for PRNG Standard • Design Criteria • Building Blocks • Set of Operations for PRNG • Model for PRNG • Basic Security Properties • Attacks on PRNG:s • Algo Proposals
Motivation for PRNG Standard • Increases Security • Complements Other Standards • Support to Developers • - strength, correctness via testvectors • Legal Aspects • - liability in cases of fraud • Public Trust • - home-banking • - e-commerce • - other services
Design Criteria • Build On • - proven security properties if possible • - well-studied algorithms and primitives • Be Conservative • Promote Simplicity • - better performance, easier to analyse
Building Blocks • In Accordance With Our Design Criteria We Build • the PRNG Using Well-Studied Algorithms and Primitives. • There Are Several Possibilities Including: • Block Ciphers • - CBCMAC:s • Stream Ciphers • Modular Exponentiation Based • Cryptographic Hash Functions • - HMAC:s • - NMAC:s
Set of Operations for PRNG • State Update from New Seed • State Advance after Output Generation • Output Generation • Save / Restore State • Self-Test ?
Model for PRNG I X[ ] Variables: I, Input to Seed Array X[ ], Array of Blocks of Seed Bytes Y[ ], Array of Output Bytes S, Internal State Functions: H, State Update From Seed F, State Advance After Output G, Generation of Output Bytes H S F G Y[ ]
Basic Security Properties • Use Large Seed Blocks • Knowledge of Part of Seed Shall Be of • No Help For an Adversary • Good Seed Usage: Make the State Depend • on All Previous Seed • Large, Unbiased Internal State • Output Shall Pass Randomness Tests • Output Shall Be Unpredictable
Attacks on PRNG:s 1 • Guessing of Seed • - Entropy of X[i] Need to Be Large to Prevent • an Exhaustive Search Attack. • Chosen Seed Input / State Cycle Shortening X[ i ] Old State H New State
Attacks on PRNG:s 2 • Timing Attacks on State Advance Function • - Ensure That the Advance Function Takes • Constant Time. • - If That Is Not Possible, Random Delays? • Gives Worse Performance!
Attacks on PRNG:s 3 • Direct Cryptanalytic Attacks on Output Generation • Function • - Strong Cipher or Preimage Resistant Hash • - Truncate Output From Output Generation • Function
Attacks on PRNG:s 4 • Attacks After a Compromise of State • Backward Tracking Attack: After a Compromise of • State, Try to Determine Previous Outputs. • Forward Tracking
Algo Proposals (due to Bob Baldwin) 1 Cipher Based Single Width Algorithm S = Counter Value, C = Counter Incr., K = Encr. Key State Update From Seed: K’ = Hash ( K || X[ i ] ) , K = ” ” at Initialization S = C = Odd( Enc( K’ , 0 )), (K’ determines State) State Advance after Output: S’ = S + C ( mod 2 ** |S| ) Output Generation: Y[ j ] = Enc( K , S)
Algo Proposals 2 Digest Based Single Width Algorithm S = Counter Value, C = Counter Incr., K = Secret State State Update From Seed: K’ = Hash ( K || X[ i ] ) , K = ” ” at Initialization S = C = Odd( Hash( K’ , 0 )), (K’ determines State) State Advance after Output: S’ = S + C ( mod 2 ** |S| ) Output Generation: Y[ j ] = Hash( K || S)
Algo Proposals 3 Cipher Based Double Width Algorithm KL = Cipher Key Length, BL = Cipher Block Length ”0x20” = Block of BL bytes equal to 0x20 Dmac(K1, K2, S) = Enc(K1, CbcMac(K2, S)) H2(x) = Dmac(”0x20”, ”0x20”, x) || Dmac(”0x21”, ”0x21”, x)
Algo Proposals 4 Cipher Based Double Width Algorithm Cont’d State Update From Seed: Secret State is(K1, K2) K1 || K2 = H2 (K1 || K2 || X[ i ] ) , K1 = K2 = ” ” at Init C1 = DMac(K1, K2, 2BL-zeros) ; S = C1 || BL-zeros C2 = DMac(K1, K2, S) ; C = S = C1 || C2 ; C = Odd(C) State Advance after Output: S’ = S + C ( mod 2 ** BL ) Output Generation: Y[ j ] = DMac( K1, K2, S)
Algo Proposals 5 Digest Based Double Width Algorithm BL = Output Block Length For Digest ML = Input Block Length For the Digest Compression Fcn H(x) = Digest of x Ext(x) = ML-byte value, x padded to the right with 0-bytes NMac(K1, K2, S) = H(Ext(K1) || H(Ext(K2) || S)) H2(K1, K2, x) = Nmac(K1, K2, x) || Nmac(K2, K1, x)
Algo Proposals 6 Digest Based Double Width Algorithm Cont’d State Update From Seed: Secret State is(K1, K2) K1 || K2 = H2 (K1 || K2 || X[ i ] ) , K1 = K2 = ” ” at Init C1 = NMac(K1, K2, 2BL-zeros) ; S = C1 || BL-zeros C2 = NMac(K1, K2, S) ; C = S = C1 || C2 ; C = Odd(C) State Advance after Output: S’ = S + C ( mod 2 ** BL ) Output Generation: Y[ j ] = NMac( K1, K2, S)