
Insecurities in the Linux /dev/random (pdf, via Schneier)

Freewheeling spot to chew the fat on anything cryptostorm-related that doesn't fit elsewhere (i.e. support, howto, &c.). Criticism & praise & brainstorming & requests for explanation... this is where it goes when it's hot & ready for action! :-)
Topic Author
Baneki
Posts: 49
Joined: Wed Jan 16, 2013 6:22 pm
Contact:

Insecurities in the Linux /dev/random (pdf, via Schneier)

Post by Baneki » Wed Jan 08, 2014 2:22 am

Insecurities in the Linux /dev/random
October 14, 2013


New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust," by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs.

Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and Halevi (BH). This model involves an internal state that is refreshed with a (potentially biased) external random source, and a cryptographic function that outputs random numbers from the continually refreshed internal state. In this work we extend the BH model to also include a new security property capturing how it should accumulate the entropy of the input data into the internal state after state compromise. This property states that a good PRNG should be able to eventually recover from compromise even if the entropy is injected into the system at a very slow pace, and expresses the real-life expected behavior of existing PRNG designs. Unfortunately, we show that neither the model nor the specific PRNG construction proposed by Barak and Halevi meet this new property, despite meeting a weaker robustness notion introduced by BH. From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice. Finally, we propose a simple and very efficient PRNG construction that is provably robust in our new and stronger adversarial model. We present benchmarks between this construction and the Linux PRNG that show that this construction is on average more efficient when recovering from a compromised internal state and when generating cryptographic keys. We therefore recommend using this construction whenever a PRNG with input is used for cryptography.

Attachment: 338.pdf (754.7 KiB)
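To make the two points of the abstract concrete (entropy must actually accumulate in the state before output, and an entropy estimator that credits predictable input defeats that accumulation), here is a toy simulation of the BH-style "PRNG with input" model. This is an added illustration, not code from the paper, from Schneier, or from the Linux kernel: the `ToyPRNG` class, the `mix`/`emit` hash functions and the `gamma` threshold are my own assumptions standing in for the paper's refresh/next interface and its entropy threshold, and the input bits are constructed sample data. `residual_candidates` plays the post-compromise observer of the model: it knows the state at time zero, sees every output, and keeps the set of states consistent with what it has seen. It reports the largest candidate set it had to carry (the work an observer must do per output grows as 2^gamma) and whether the exact state was still known at the end.

```python
import hashlib
import random

STATE_LEN = 32


def mix(state: bytes, inp: bytes) -> bytes:
    """refresh(): fold one input sample into the state (toy design: a hash)."""
    return hashlib.sha256(b"mix|" + state + inp).digest()


def emit(state: bytes):
    """next(): derive an 8-byte output block and a re-keyed successor state."""
    out = hashlib.sha256(b"out|" + state).digest()[:8]
    return out, hashlib.sha256(b"key|" + state).digest()


class ToyPRNG:
    """Assumed BH-style PRNG with input: refresh() and next(), plus a threshold
    gamma. next() refuses to produce output until the entropy credited since
    the last output reaches gamma bits (the accumulation rule of the paper's
    robustness notion, modelled here in the simplest possible way)."""

    def __init__(self, state: bytes, gamma: int):
        self.state, self.gamma, self.credit = state, gamma, 0

    def refresh(self, inp: bytes, credited_bits: int) -> None:
        # The credit is what an *estimator* says the input is worth, which may
        # be more than the input's real entropy (the Linux estimator problem).
        self.state = mix(self.state, inp)
        self.credit += credited_bits

    def next(self):
        if self.credit < self.gamma:
            return None
        self.credit = 0
        out, self.state = emit(self.state)
        return out


def sample_bits(n: int, seed: int = 7):
    """Constructed input stream: n samples carrying one unknown bit each."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def residual_candidates(gamma, inputs, credited_bits, observer_knows_inputs=False):
    """Run the model after a state compromise and track what an observer of
    the outputs can still infer. Returns (peak candidate-set size, number of
    outputs emitted, whether the observer knows the exact final state)."""
    s0 = bytes(STATE_LEN)                # compromised state, known to both sides
    prng = ToyPRNG(s0, gamma)
    candidates, peak, outputs = {s0}, 1, 0
    for bit in inputs:
        inp = bytes([bit])
        prng.refresh(inp, credited_bits)
        if observer_knows_inputs:
            # predictable input: the estimator credited it, but it hides nothing
            candidates = {mix(c, inp) for c in candidates}
        else:
            # one genuinely unknown bit per input: branch on both values
            candidates = {mix(c, bytes([b])) for c in candidates for b in (0, 1)}
        peak = max(peak, len(candidates))
        out = prng.next()
        if out is not None:
            outputs += 1
            # an output discards every candidate that would not have produced
            # it, and reveals the re-keyed successor of the survivors
            candidates = {emit(c)[1] for c in candidates if emit(c)[0] == out}
    return peak, outputs, candidates == {prng.state}


if __name__ == "__main__":
    bits = sample_bits(48)
    # output after every 1-bit refresh: the observer never has more than two
    # candidates, so entropy never accumulates and the state is never recovered
    print("gamma=1, real entropy:      ", residual_candidates(1, bits, 1))
    # wait for 12 credited bits: the observer must carry 4096 candidates per
    # output, and the cost keeps doubling with gamma
    print("gamma=12, real entropy:     ", residual_candidates(12, bits, 1))
    # over-crediting predictable input: outputs still flow, yet the observer
    # keeps exactly one candidate, whatever gamma is
    print("gamma=12, credited but known:", residual_candidates(12, [0] * 48, 1, True))
```

The three runs map onto the abstract: with `gamma=1` the generator outputs after each single bit of fresh input, so the observer prunes back to one candidate every step and the compromise is never healed; with `gamma=12` the state carries 12 unknown bits before anything is emitted, so the observer's work is 2^12 per output and grows exponentially with the threshold; and in the third run the estimator credits inputs the observer already knows, so the threshold is reached while the state is still fully predictable, which is the estimator weakness the paper describes.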

DesuStrike
ForumHelper
Posts: 345
Joined: Thu Oct 24, 2013 2:37 pm

Re: Insecurities in the Linux /dev/random (pdf, via Schneier)

Post by DesuStrike » Wed Jan 08, 2014 11:29 am

This is one of the things that usually go way over my head and I bet a lot of other people feel the same. But this abstract and some other website I unfortunately don't remember anymore explain the problem pretty well.

It's a shame I don't remember the other website because it also showed tools to add more entropy to random and also ways to "backup" entropy so you can add it to freshly installed servers (which have very little entropy).
home is where the artillery hits

