There’s Not Enough Randomosity In My Randomness: The Importance of Random Number Generation to Cryptography
Dan Shumow, SDE, Windows Core Security, dshumow@microsoft.com
Outline
• Introduction
• Symmetric Key Encryption
• Key Distribution: Diffie-Hellman Key Generation
• Random Number Generation
Introduction
• Cryptography: what is it and why should we care?
• Cryptography is the science of communicating secretly.
• Today so much communication is done over the internet and radio waves, and these media are very prone to eavesdropping. Cryptography allows people to communicate securely across these media.
Cryptography allows Alice to communicate with Bob without being overheard by eavesdropper Eve.
[Diagram: Alice and Bob exchanging messages, with Eve listening in]
Symmetric Key Encryption
• Alice and Bob share a key K.
• They use an encryption function c = E_K(p).
• p is the plaintext and c is the ciphertext.
• It has to be reversible: p = D_K(c).
• If Alice wants to send Bob a message m, she computes c = E_K(m) and sends c to Bob.
• Bob computes m = D_K(c).
Symmetric Key Encryption
• Want it to be hard to compute p given c, so that if Eve doesn’t know K it is hard for her to compute m even if she intercepts c.
• Want E_K and D_K to be easy to compute, so there is little overhead to communication.
• Want K to be hard to calculate given p and c. Otherwise, if Eve can guess parts of the message she can recover the key.
Symmetric Key Encryption: Examples
• Substitution Ciphers: substitute each letter in the alphabet for another one.
• One Time Pads: a key that is the same length as the message, used only once.
• Modern Ciphers:
  • Stream Ciphers: RC4
  • Block Ciphers: DES, AES
Symmetric Key Encryption: Attacks on Encryption Algorithms
• Substitution Ciphers: frequency attacks.
• One Time Pads are provably secure.
• Modern Attacks:
  • Linear Cryptanalysis looks for a linear relationship between plaintext and ciphertext. (Known Plaintext Attack.)
  • Differential Cryptanalysis looks at how differences in plaintext cause differences in ciphertext. (Chosen Plaintext Attack.)
Symmetric Key Encryption: Modern Encryption Algorithm Design Techniques
• Confusion and Diffusion
  • Diffusion means many bits of the plaintext (possibly all) affect each bit of the ciphertext.
  • Confusion means there is a low statistical bias of bits in the ciphertext.
• Non-Linearity: the encryption function is not linear (cannot be represented by a small matrix).
  • Prevents Linear Cryptanalysis.
Symmetric Key Encryption: The Problem of Key Distribution
• Can’t keep using the same key; Eve will eventually recover K.
• Need to establish a shared secret key:
  • Could agree to physically meet and establish keys.
  • But what if you want to communicate with someone on the other side of the world? Key distribution is a big problem.
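The one-time pad is the simplest concrete instance of the E_K / D_K pair above, and it also shows why the pad must be used only once and why a key cannot be reused indefinitely. The following is an added example, not code from the slides: XOR is used as the encryption function (an assumption; the slides do not specify one), the pad comes from Python’s secrets module, and the two messages are constructed samples.

```python
import secrets


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """c = E_K(p): XOR each plaintext byte with the matching key byte."""
    if len(key) < len(plaintext):
        raise ValueError("a one-time pad must be at least as long as the message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """p = D_K(c): XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(key, ciphertext)


def new_pad(length: int) -> bytes:
    """A fresh pad drawn from the OS cryptographic RNG (the 'random' this deck is about)."""
    return secrets.token_bytes(length)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper can compute if one pad encrypts two messages:
    c1 XOR c2 = (p1 XOR K) XOR (p2 XOR K) = p1 XOR p2.
    The key cancels out; zero bytes mark positions where the two plaintexts agree."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> bool:
    """Encrypt two constructed messages under one pad and confirm that the
    ciphertext XOR equals the plaintext XOR, i.e. the pad no longer hides anything
    about how the messages relate to each other."""
    p1 = b"attack at dawn"  # constructed sample message
    p2 = b"attack at dusk"  # constructed sample message
    key = new_pad(len(p1))
    c1 = otp_encrypt(key, p1)
    if otp_decrypt(key, c1) != p1:
        return False
    c2 = otp_encrypt(key, p2)  # pad reuse: the mistake the slide warns against
    expected = bytes(a ^ b for a, b in zip(p1, p2))
    return key_reuse_leak(c1, c2) == expected


if __name__ == "__main__":
    print("pad reuse leaks p1 XOR p2:", demo())
```

With a fresh pad per message, c1 alone is uniformly distributed and tells Eve nothing; the leak function only becomes informative once the same key is used twice, which is the case the slide rules out.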
Diffie-Hellman Key Generation: Basic Idea
• Alice and Bob agree on an integer g.
• (a) Alice secretly chooses an integer x, computes X = g^x and sends it to Bob. (b) Bob secretly chooses an integer y, computes Y = g^y and sends it to Alice.
• (a) Alice computes Y^x = (g^y)^x = g^(xy). (b) Bob computes X^y = (g^x)^y = g^(xy).
• Alice and Bob both share g^(xy), which they can use to create a secret key.
Diffie-Hellman Key Generation
Wait!! It’s not secure. If Eve overhears what g, X and Y are, she can compute x = log_g X and y = log_g Y and use this information to calculate g^(xy). To make this secure, Alice and Bob pick a large prime number P and reduce everything mod P (take the remainder after division by P).
Diffie-Hellman Key Generation: New and Improved Idea
• Alice and Bob agree on an integer g and a prime P.
• (a) Alice secretly chooses an integer x, computes X = g^x mod P and sends it to Bob. (b) Bob secretly chooses an integer y, computes Y = g^y mod P and sends it to Alice.
• (a) Alice computes Y^x mod P = (g^y)^x mod P = g^(xy) mod P. (b) Bob computes X^y mod P = (g^x)^y mod P = g^(xy) mod P.
• Alice and Bob both share the value g^(xy) mod P, which they can use to create a secret key.
Diffie-Hellman Key Generation
By adding the prime P into the equation we now need to make sure that g is a “generator” mod P. This means that for every integer x in {1, 2, 3, …, P-1} there exists an integer d such that x = g^d mod P. d is called the “discrete log” of x (base g) mod P.
Diffie-Hellman Key Generation: Why Does This Work?
• Because the positive integers less than P form a multiplicative cyclic group with generator g.
• It is hard to compute the discrete log (base a generator g) mod P.
Given these two things:
• This algorithm works.
• It is hard for Eve to calculate g^(xy) mod P.
Random Numbers
• There was a subtle assumption in the DH key exchange algorithm: Alice and Bob were able to securely choose x and y.
• This may seem simple, but it is really one of the hardest things in cryptography.
• This is all done on computers.
• Machines are good at being deterministic, NOT random.
Pseudo-Random Number Generation
Q: How do you make a deterministic machine make random numbers?
A: You don’t. You use a deterministic function, parameterized by a random initial value, that mimics a random sequence.
Random Number Generators
So we define another crypto function: x = R_S(n).
A (pseudo) random number generator (or RNG for short) is a function R parameterized by a state S such that, given a natural number n, it returns an n-bit number x. So R together with an internal state S defines a sequence of bits {x_i}.
Secure RNGs
Intuition: we want it to be hard for an attacker to guess outputs of R. This is defined by:
• Uniformity: for all n-bit numbers x, Pr[x = R(n)] = 2^-n.
• Forward Security: given x, it is hard to predict subsequent outputs of R.
• Backward Security: given x, it is hard to determine previous outputs of R.
Blum-Blum-Shub RNG
Choose primes p and q and let N = pq. Choose a random number a_0 less than N and not divisible by p or q. Let the internal state S be the tuple {N, a_i}.
Blum-Blum-Shub
To generate output bit x_i from the state {N, a_i}:
1. Output x_i = the least significant bit of a_i.
2. Then let a_(i+1) = a_i^2 mod N.
To calculate R_S(n), repeat steps 1 and 2 n times and concatenate the output bits to form x.
Blum-Blum-Shub: Provable Security
BBS is provably secure. This means that we can prove each of the security properties of the RNG. For uniformity, this means showing that for appropriately chosen p and q: Pr[x_i = 1] = Pr[x_i = 0] = ½.
Blum-Blum-Shub: Provable Security
Showing prediction and backtracking resistance involves another proof technique called security reductions. For BBS, this means that if there is an easily computable function that can be used to recover previous or predict subsequent outputs of BBS, then this function can be used in an efficient algorithm to factor the value N without knowing p or q. This would imply that factoring N is easy, which no one knows how to do at this point.
Blum-Blum-Shub: Security Reduction
Let {x_i} denote the set of outputs of an instance of BBS and suppose that x_j = f(x_i, x_(i+1), …, x_(i+n)) where j < i or i+n < j. That is, given a run of consecutive outputs of BBS, f predicts subsequent or recovers previous outputs of Blum-Blum-Shub. Then f can be used to define an efficient function g to factor the value N.
Entropy
Security reductions can prove that RNGs have specific properties under certain assumptions (for example, hardness of factoring for BBS). However, how do you bootstrap a pseudo-random number generator? How do you generate the initial state? This is very hard. You need a good source of “entropy” to generate the initial state.
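The R_S(n) interface, the Blum-Blum-Shub state update, the uniformity property and the bootstrapping question from the last several slides, combined in one added example (not code from the deck). Assumptions beyond what the slides state: bits are concatenated most-significant first; p and q are both 3 mod 4 (the usual BBS parameter choice); the initial state a_0 is drawn from the operating system’s entropy source via Python’s secrets module. The primes 11, 19, 1019, 1031 and the seeds 3 and 123456 are constructed toy values; real parameters are hundreds of digits long.

```python
import math
import secrets


class BlumBlumShub:
    """R_S(n) with state S = (N, a_i): emit the low bit of a_i, then square mod N."""

    def __init__(self, p: int, q: int, a0: int):
        # Assumption (standard BBS choice, not stated on the slides): p, q are 3 mod 4.
        if p % 4 != 3 or q % 4 != 3:
            raise ValueError("p and q should both be congruent to 3 mod 4")
        self.N = p * q
        # Slide condition: 0 < a0 < N and a0 divisible by neither p nor q.
        if not 0 < a0 < self.N or math.gcd(a0, self.N) != 1:
            raise ValueError("a0 must lie in (0, N) and be coprime to N")
        self.a = a0

    def next_bit(self) -> int:
        """Step 1: output x_i = LSB(a_i). Step 2: a_(i+1) = a_i^2 mod N."""
        bit = self.a & 1
        self.a = (self.a * self.a) % self.N
        return bit

    def generate(self, n: int) -> int:
        """R_S(n): repeat the two steps n times and concatenate the bits (MSB first)."""
        x = 0
        for _ in range(n):
            x = (x << 1) | self.next_bit()
        return x


def seed_from_os_entropy(p: int, q: int) -> int:
    """Bootstrap the initial state from OS entropy (the 'Entropy' slide's hard part).
    Rejection sampling enforces the coprimality condition on a0."""
    N = p * q
    while True:
        a0 = secrets.randbelow(N)
        if a0 > 1 and math.gcd(a0, N) == 1:
            return a0


def ones_fraction(rng: BlumBlumShub, n_bits: int) -> float:
    """Empirical check of the uniformity claim Pr[x_i = 1] = Pr[x_i = 0] = 1/2."""
    ones = sum(rng.next_bit() for _ in range(n_bits))
    return ones / n_bits


if __name__ == "__main__":
    # Constructed toy instance: N = 11 * 19 = 209, a_0 = 3.
    # States run 3, 9, 81, 82, 36, 42, 92, 104, so the first eight bits are 11100000.
    print(bin(BlumBlumShub(11, 19, 3).generate(8)))
    # Larger constructed instance with an OS-seeded state; should print roughly 0.5.
    p, q = 1019, 1031
    print(ones_fraction(BlumBlumShub(p, q, seed_from_os_entropy(p, q)), 4096))
```

Two points the code makes visible: the whole output sequence is a deterministic function of (N, a_0), so the security of every bit rests on a_0 being unpredictable, which is exactly why the seeding step needs a real entropy source; and knowing N alone does not let anyone run the generator backwards, since recovering a_i from a_(i+1) means taking a square root mod N, which is what the factoring reduction on the previous slides is about.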