1 / 12

Significance of Random Numbers in Application Security

Significance of Random Numbers in Application Security. Richard Lewis Tech Mahindra Ltd. richardl@techmahindra.com 91-022-66882000. July 31st 2006. Practical Uses of Randomness. Session ID generation Temporary file name generation Key generation (cryptography)

doli
Download Presentation

Significance of Random Numbers in Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Significance of Random Numbers in Application Security Richard Lewis Tech Mahindra Ltd. richardl@techmahindra.com 91-022-66882000 July 31st 2006

  2. Practical Uses of Randomness • Session ID generation • Temporary file name generation • Key generation (cryptography) • First-time password generation • Unique filename/directory name generation • Generation of CAPTCHAs • Random colour generation for schemes, user profiles etc.

  3. Need for Good Random Numbers • Prevents application malfunction • Application that relies on creation of several files on disk. • Increases strength of cryptographic operations • The entropy associated with the key increases • Automates otherwise manual tasks • Application can auto-generate first-time passwords instead of having users select one • Increases security of applications • Reduces guessability of session ids and other entities used by the application

  4. Random Number Terminology • Entropy • Determines the quality of random numbers. • However, high level of entropy does not guarantee randomness. • Seed • Initialises the random number generation process. • Sequence • Significant if the sequence is pseudo-random i.e. values are recycled after a very long index.

  5. Sources of Random Numbers • Random number generation APIs • Avoid “C” rand, rand (Windows), Perl rand, C# Random, PHP rand • Use FIPS-140 compliant random number library • Cryptographic key generation APIs • CryptGenKey for generating random numbers • Hashing data to get further random data • Network and system information APIs • Using output parameters of network functions • Extracting serial numbers from hardware devices and hashing them

  6. Sources of Random Numbers (Contd.) • Operating system sources • Eg. dev/random • GUID generators • Keyboard strokes • Measuring time between strokes (GetTickCount) • Characters typed • Mouse movements • Co-ordinates of mouse movements on screen (Mouse and Window functions) • Screen colours • Bitmap values of random portions of the screen (Bitmap functions) • Time • Time functions

  7. Random Number Generation Pitfalls • Using weak RNGs for critical operations • Generating cryptographic keys using linear sequential RNG (that wrap-around) • Using hard coded random number sequences • Using sequential numbers and treating them as random numbers (eg. session ids)

  8. Random Number Pitfall – Example 1 • Consider a cryptographic system that uses 56 bit keys. • If these 56 bit keys are derived by using a fixed PRNG seeded with an 8 bit seed. • Not the 2^56 keys that may at first appear to be the case.

  9. Random Number Pitfall – Example 2 • Application uses Ethernet address for generating random numbers. • What if… • Ethernet cards have been installed on DEC hardware within DEC?

  10. Random Number Solution • Scenario: • User passwords are changed once a month • Probability of guessing the password < 1/1000 • Problem Statement: • What should be the length of the password? • Solution • Introduce a “wrong password” delay, say 5 seconds • In 1 minute = 12 attempts, 1 hour = 720 attempts, • In 1 day = 17K, 1 month = 0.5M attempts • Probability required is < 1/1000 • Therefore, attempts = 0.5 M X 1 K = 0.5 G • 0.5 G = 229 approximately. 30 bits of randomness are needed • 229 = 109 approximately • 26? = 109 • ? = Number of characters in password

  11. RNG Best Practices • Use good sources of random numbers • Use FIPS 140-compliant RNG libraries, when possible • Use different seeds at different times when using RNGs. Do not use the same or blank seeds.

  12. Thank you!

More Related