A high quality random number generation (RNG) process is almost always required for security, and lack of quality generally provides attack vulnerabilities and so leads to lack of security, even to complete compromise, in cryptographic systems. The RNG process is particularly attractive to attackers. This is a modality for generating random sequences using a software method. An unpredictable random number generator mimics a practical approximation of a true random number generator. It extracts randomness from easily available devices and is based on the behavior of hardware devices. Intervention in the generation process disturbs the internal state. If an attacker can predict the key's value or even narrow down the number of keys that must be tried, the protocol can be broken with much less effort than if truly random keys had been used. Therefore, it is vital that the secret keys be generated from an unpredictable random-number source. In common parlance, randomness is the apparent lack of pattern or predictability in events. A random sequence of events, symbols or steps often has no order and does not follow an intelligible pattern or combination. Individual random events are by definition unpredictable, but since they often follow a probability distribution, the frequency of different outcomes over numerous events is predictable. For example, when throwing two dice, the outcome of any particular roll is unpredictable, bu. The use of randomness in the key generation process in a block cipher is novel in this domain. We have also compared our results with the original AES based upon some parameters such as nonlinearity.
Randomness has many uses in science, art, statistics, cryptography, gaming, gambling, and other fields. For example, random assignment in randomized controlled trials helps scientists to test hypotheses, and random numbers or pseudorandom numbers help video games such as video poker.
These uses have different levels of requirements, which leads to the use of different methods. Mathematically, there are distinctions between randomization, pseudorandomization, and quasirandomization, as well as between random number generators and pseudorandom number generators. For example, applications in cryptography usually have strict requirements, whereas other uses (such as generating a 'quote of the day') can use a looser standard of pseudorandomness.
Early uses
Divination
Many ancient cultures saw natural events as signs from the gods; many attempted to discover the intentions of the gods through various sorts of divination. The underlying theory was that the condition of (for example) a chicken's liver was connected with dangerous storms or with military or political fortune. Divination is still practiced, and on much the same basis as formerly.
Games
Unpredictable (by the humans involved) numbers (usually taken to be random numbers) were first investigated in the context of gambling, sometimes developing pathological forms such as apophenia. Many randomizing devices, such as dice, shuffled playing cards, and roulette wheels, seem to have been developed for use in games of chance. Electronic gambling equipment cannot use these, and so theoretical problems are less easy to avoid; methods of creating them are sometimes regulated by governmental gaming commissions.
Modern electronic casino games often contain one or more random number generators which decide the outcome of a trial in the game. Even in modern slot machines, where mechanical reels seem to spin on the screen, the reels are actually spinning for entertainment value only. They eventually stop exactly where the machine's software decided they would stop when the handle was first pulled. It has been alleged that some gaming machines' software is deliberately biased to prevent true randomness, in the interests of maximizing their owners' revenue; the history of biased machines in the gambling industry is the reason government inspectors attempt to supervise the machines, and electronic equipment has extended the range of supervision. Some thefts from casinos have used clever modifications of internal software to bias the outcomes of the machines, at least in those which have been discovered. Gambling establishments keep close track of machine payouts in an attempt to detect such alterations.
Random draws are often used to make a decision where no rational or fair basis exists for making a deterministic decision, or to make unpredictable moves.
Political use
Athenian democracy
Fifth century BC Athenian democracy developed out of a notion of isonomia (equality of political rights), and random selection was a principal way of achieving this fairness.[1] Greek democracy (literally meaning 'rule by the people') was actually run by the people: administration was in the hands of committees allotted from the people and regularly changed. Although it may seem strange to those used to modern liberal democracy, the Athenian Greeks considered elections to be essentially undemocratic.[2][3] This was because citizens chosen on merit or popularity contradicted the democratic equality of all citizenry. In addition, allotment prevented the corrupt practice of buying votes as no one could know who would be selected as a magistrate, or to sit on a jury.
Modern use
Allotment is today restricted mainly to the selection of jurors in Anglo-Saxon legal systems like the UK and United States. Proposals have been made for its use in government such as a new constitution for Iraq[4] and various proposals for Upper Houses chosen by allotment. (See Lords reform.)
Science
Random numbers have uses in physics such as electronic noise studies, engineering, and operations research. Many methods of statistical analysis, such as the bootstrap method, require random numbers. Monte Carlo methods in physics and computer science require random numbers.
Random numbers are often used in parapsychology as a test of precognition.
Statistical sampling
Statistical practice is based on statistical theory which is, itself, founded on the concept of randomness. Many elements of statistical practice depend on randomness via random numbers. Where those random numbers fail to be actually random, any subsequent statistical analysis may suffer from systematic bias. Elements of statistical practice that depend on randomness include: choosing a representative sample of the population being examined, disguising the protocol of a study from a participant (see randomized controlled trial) and Monte Carlo simulation.
These applications are useful in auditing (for determining samples - such as invoices) and experimental design (for example in the creation of double-blind trials).
Analysis
Many experiments in physics rely on a statistical analysis of their output. For example, an experiment might collect X-rays from an astronomical source and then analyze the result for periodic signals. Since random noise can be expected to appear to have faint periodic signals embedded in it, statistical analysis is required to determine the likelihood that a detected signal actually represents a genuine signal. Such analysis methods require the generation of random numbers. If the statistical method is extremely sensitive to patterns in the data (such as those used to search for binary pulsars), very large amounts of data with no recognizable pattern are needed.
Simulation
In many scientific and engineering fields, computer simulations of real phenomena are commonly used. When the real phenomena are affected by unpredictable processes, such as radio noise or day-to-day weather, these processes can be simulated using random or pseudo-random numbers.
Automatic random number generators were first constructed to carry out computer simulation of physical phenomena, notably simulation of neutron transport in nuclear fission.
Pseudo-random numbers are frequently used in simulation of statistical events, a very simple example being the outcome of tossing a coin. More complicated situations are simulation of population genetics, or the behaviour of sub-atomic particles. Such simulation methods, often called stochastic methods, have many applications in computer simulation of real-world processes.
Some more speculative projects, such as the Global Consciousness Project, monitor fluctuations in the randomness of numbers generated by many hardware random number generators in an attempt to predict the scope of an event in near future. The intent is to prove that large-scale events that are about to happen build up a 'pressure' which affects the RNGs.
Cryptography
A ubiquitous use of unpredictable random numbers is in cryptography which underlies most of the schemes which attempt to provide security in modern communications (e.g., confidentiality, authentication, electronic commerce, etc.).
For example, if a user wants to use an encryption algorithm, it is best that they select a random number as the key. The selection must have high entropy (i.e., unpredictability) to any attacker, thus increasing attack difficulty. With keys having low entropy (i.e., relatively easily guessable by attackers), security is likely to be compromised. To illustrate, imagine if a simple 32-bit linear congruential pseudo-random number generator of the type supplied with most programming languages (e.g., as the 'rand' or 'rnd' function) is used as a source of keys. There will only be some four billion possible values produced before the generator repeats itself. A suitably motivated adversary could simply test them all; this is practical as of 2010, using readily available computers. Even if a linear congruential RNG is used with 1000-bit parameters, it is a simple exercise in linear algebra to recover the modulus m and the constants a and b, where x' = ax + b (mod m), given only five consecutive values. Even if a better random number generator is used, it might be insecure (e.g., the seed might be guessable), producing predictable keys and reducing security to nil. (A vulnerability of this sort was famously discovered in an early release of Netscape Navigator, forcing the authors to quickly find a source of 'more random' random numbers.) For these applications, truly random numbers are ideal, and very high quality pseudo-random numbers are necessary if truly random numbers, such as those coming from a hardware random number generator, are unavailable.
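An added example, not from the original article, that carries the paragraph's claim through in Python: from five consecutive outputs of x' = ax + b (mod m) the modulus, multiplier and increment are recovered and the rest of the stream is reproduced, which is why a language's rand() must never feed key generation. The generator parameters (m = 1009, a = 7, b = 3, seed 5) are a constructed toy; the same algebra applies to the 1000-bit case the text mentions.

```python
from math import gcd


def lcg(seed, a, b, m, count):
    """Return `count` consecutive outputs of x' = a*x + b (mod m)."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out


def recover_lcg(xs):
    """Recover (m, a, b) from consecutive outputs.

    Five values suffice when the two derived multiples of m share no
    other common factor (toy version; a few more outputs make the gcd
    collapse to m more reliably).
    """
    if len(xs) < 5:
        raise ValueError("need at least five consecutive outputs")
    # Differences t_i = x_{i+1} - x_i satisfy t_{i+1} = a*t_i (mod m),
    # so t_{i+2}*t_i - t_{i+1}^2 is a multiple of m for every i.
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    multiples = [t[i + 2] * t[i] - t[i + 1] ** 2 for i in range(len(t) - 2)]
    m = 0
    for v in multiples:
        m = gcd(m, abs(v))
    if m < 2:
        raise ValueError("could not recover the modulus")
    # a = t_1 / t_0 (mod m); b then follows from one state transition.
    a = (t[1] * pow(t[0], -1, m)) % m
    b = (xs[1] - a * xs[0]) % m
    return m, a, b


def predict(params, last_output, count):
    """Continue the stream from the last observed output using recovered params."""
    m, a, b = params
    return lcg(last_output, a, b, m, count)


def demo():
    """Constructed toy run: observe five outputs, recover the generator,
    and check that the recovered generator reproduces the unseen tail."""
    stream = lcg(5, 7, 3, 1009, 8)
    params = recover_lcg(stream[:5])
    tail_matches = predict(params, stream[4], 3) == stream[5:]
    return params, tail_matches


if __name__ == "__main__":
    print(demo())  # ((1009, 7, 3), True)
```

A key that is derived from such a stream is therefore determined by a handful of earlier outputs; key material should come from the operating system's CSPRNG (in Python, the `secrets` module) instead.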
Truly random numbers are absolutely required to be assured of the theoretical security provided by the one-time pad, the only provably unbreakable encryption algorithm. Furthermore, those random sequences cannot be reused and must never become available to any attacker, which implies a continuously operable generator. See Venona for an example of what happens when these requirements are violated when using a one-time pad.
For cryptographic purposes, one normally assumes some upper limit on the work an adversary can do (usually this limit is astronomically sized). If one has a pseudo-random number generator whose output is 'sufficiently difficult' to predict, one can generate true random numbers to use as the initial value (i.e., the seed), and then use the pseudo-random number generator to produce numbers for use in cryptographic applications. Such random number generators are called cryptographically secure pseudo-random number generators, and several have been implemented (for example, the /dev/urandom device available on most Unixes, the Yarrow and Fortuna designs, server, and AT&T Bell Laboratories 'truerand'). As with all cryptographic software, there are subtle issues beyond those discussed here, so care is certainly indicated in actual practice. In any case, it is sometimes impossible to avoid the need for true (i.e., hardware-based) random number generators.
Since a requirement in cryptography is high entropy, any published random sequence is a poor choice, as are such sequences as the digits of an irrational number such as φ or even of transcendental numbers such as π or e. All are available to an enterprising attacker. Put another way, in cryptography, random bit streams need to be not only random, but also secret and hence unpredictable. Public or third-party sources of random values, or random values computed from publicly observable phenomena (weather, sports game results, stock prices), are almost never cryptographically acceptable. Their use may be tempting, but in reality, they permit easier attacks than attacking the cryptography.
Since most cryptographic applications require a few thousand bits at most, slow random number generators serve well, if they are actually random. This use of random generators is important; many informed observers believe every computer should have a way to generate true random numbers.
Literature, music and art
Some aesthetic theories claim to be based on randomness in one way or another. Little testing is done in these situations, and so claims of reliance on and use of randomness are generally poorly based in definite theory and more on an impression of randomness from technical fields.
An example of a need for randomness sometimes occurs in arranging items in an art exhibit. Usually this is avoided by using a theme. As John Cage pointed out, 'While there are many ways that sounds might be produced [i.e., in terms of patterns], few are attempted'. Similarly, the arrangement of art in exhibits is often deliberately non-random. One case of this was Hitler's attempt to portray modern art in the worst possible light by arranging works in the worst possible manner. A case can be made for trying to make art in the worst possible way; i.e., either as anti-art, or as actually random art.
Dadaism, as well as many other movements in art and letters, has attempted to accommodate and acknowledge randomness in various ways. Often people mistake order for randomness based on lack of information; e.g., Jackson Pollock's drip paintings, Helen Frankenthaler's abstractions (e.g., 'For E.M.'). Thus, in some theories of art, all art is random in that it's 'just paint and canvas' (the explanation of Frank Stella's work).
Similarly, the 'unexpected' ending is part of the nature of interesting literature. An example of this is Denis Diderot's novel Jacques le fataliste (literally: James the Fatalist; sometimes referred to as Jacques the Fatalist or Jacques the Servant and his Master). At one point in the novel, Diderot speaks directly to the reader:
Now I, as the author of this novel might have them set upon by thieves, or I might have them rest by a tree until the rain stops, but in fact they kept on walking and then near night-fall they could see the light of an inn in the distance.
(not an exact quote). Diderot was making the point that the novel (then a recent introduction to European literature) seemed random (in the sense of being invented out of thin air by the author, not in a modern technical sense). See also Eugenio Montale, Theatre of the Absurd.
Randomness in music is generally thought to be postmodern, including John Cage's chance-derived Music of Changes, stochastic music, aleatoric music, indeterminate music, and generative music.
Other uses
Random numbers are also used in situations where 'fairness' is approximated by randomization, such as selecting jurors and military draft lotteries. In the Book of Numbers (33:54), Moses commands the Israelites to apportion the land by lot.
Other examples include selecting, or generating, a 'Random Quote of the Day' for a website, or determining which way a villain might move in a computer game.
Weaker forms of randomness are also closely associated with hash algorithms and with creating amortized searching and sorting algorithms.
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Applications_of_randomness&oldid=915589686'
The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protocols often require frequent generation of random quantities. Cryptographic attacks that subvert or exploit weaknesses in this process are known as random number generator attacks.
A high quality random number generation (RNG) process is almost always required for security, and lack of quality generally provides attack vulnerabilities and so leads to lack of security, even to complete compromise, in cryptographic systems.[1] The RNG process is particularly attractive to attackers because it is typically a single isolated hardware or software component easy to locate. If the attacker can substitute pseudo-random bits generated in a way they can predict, security is totally compromised, yet generally undetectable by any upstream test of the bits. Furthermore, such attacks require only a single access to the system that is being compromised. No data need be sent back in contrast to, say, a computer virus that steals keys and then e-mails them to some drop point.
Human generation of random quantities
Humans generally do poorly at generating random quantities. Magicians, professional gamblers and con artists depend on the predictability of human behavior. In World War II German code clerks were instructed to select three letters at random to be the initial rotor setting for each Enigma machine message. Instead some chose predictable values like their own or a girlfriend's initials, greatly aiding Allied breaking of these encryption systems. Another example is the often predictable ways computer users choose passwords (see password cracking).
Nevertheless, in the specific case of playing mixed strategy games, use of human gameplay entropy for randomness generation was studied by Ran Halprin and Moni Naor.[2]
Attacks
Software RNGs
Just as with other components of a cryptosystem, a software random number generator should be designed to resist certain attacks. Some attacks possible on an RNG include (from [3]):
Hardware RNGs
A number of attacks on hardware random number generators are possible, including trying to capture radio-frequency emissions from the computer (obtaining hard drive interrupt times from motor noise, for example), or trying to feed controlled signals into a supposedly random source (such as turning off the lights in a lava lamp or feeding a strong, known signal into a sound card).
RNG subversion
Subverted random numbers can be created using a cryptographically secure pseudorandom number generator with a seed value known to the attacker but concealed in the software. A relatively short, say 24 to 40 bit, portion of the seed can be truly random to prevent tell-tale repetitions, but not long enough to prevent the attacker from recovering, say, a 'randomly' produced key.
Random numbers typically go through several layers of hardware and software before they are used. Bits may be generated in a peripheral device, sent over a serial cable, collected in an operating system utility and retrieved by a system call. The subverted bits can be substituted at any point in this process with little likelihood of detection.
A hardware circuit to produce subverted bits can be built on an integrated circuit a few millimeters square. The most sophisticated hardware random number generator can be subverted by placing such a chip anywhere upstream of where the source of randomness is digitized, say in an output driver chip or even in the cable connecting the RNG to the computer. The subversion chip can include a clock to limit the start of operation to some time after the unit is first turned on and run through acceptance tests, or it can contain a radio receiver for on/off control. It could be installed by the manufacturer at the behest of their national signals intelligence service, or added later by anyone with physical access. CPU chips with built-in hardware random number generators can be replaced by compatible chips with a subverted RNG in the chips' firmware.
Defenses
Designing a secure random number generator requires at least as high a level of care as designing other elements of a cryptographic system.
Prominent examples
Predictable Netscape seed
Early versions of Netscape's Secure Socket Layer (SSL) encryption protocol used pseudo-random quantities derived from a PRNG seeded with three variable values: the time of day, the process ID, and the parent process ID. These quantities are often relatively predictable, and so have little entropy and are less than random, and so that version of SSL was found to be insecure as a result. The problem was reported to Netscape in 1994 by Phillip Hallam-Baker, then a researcher in the CERN Web team, but was not fixed prior to release. The problem in the running code was discovered in 1995 by Ian Goldberg and David Wagner,[4] who had to reverse engineer the object code because Netscape refused to reveal the details of its random number generation (security through obscurity). That RNG was fixed in later releases (version 2 and higher) by more robust (i.e., more random and so higher entropy from an attacker's perspective) seeding.
Microsoft Windows 2000/XP random number generator
Microsoft uses an unpublished algorithm to generate random values for its Windows operating system. These random quantities are made available to users via the CryptGenRandom utility. In November 2007, Leo Dorrendorf et al. from the Hebrew University of Jerusalem and University of Haifa published a paper titled Cryptanalysis of the Random Number Generator of the Windows Operating System.[5] The paper presented serious weaknesses in Microsoft's approach at the time. The paper's conclusions were based on disassembly of the code in Windows 2000, but according to Microsoft applied to Windows XP as well.[6] Microsoft has stated that the problems described in the paper have been addressed in subsequent releases of Windows, which use a different RNG implementation.[6]
Possible backdoor in Elliptical Curve DRBG
The U.S. National Institute of Standards and Technology has published a collection of 'deterministic random bit generators' it recommends as NIST Special Publication 800-90.[7] One of the generators, Dual_EC_DRBG, was favored by the National Security Agency.[8] Dual_EC_DRBG uses elliptic curve technology and includes a set of recommended constants. In August 2007, Dan Shumow and Niels Ferguson of Microsoft showed that the constants could be constructed in such a way as to create a kleptographic backdoor in the algorithm.[9] In September 2013 The New York Times wrote that 'the N.S.A. had inserted a back door into a 2006 standard adopted by N.I.S.T. called the Dual EC DRBG standard',[10] thereby revealing that the NSA carried out a malware attack against the American people. In December 2013, Reuters reported that documents released by Edward Snowden indicated that the NSA had paid RSA Security $10 million to make Dual_EC_DRBG the default in their encryption software, and raised further concerns that the algorithm might contain a backdoor for the NSA.[11] Due to these concerns, in 2014, NIST withdrew Dual EC DRBG from its draft guidance on random number generators, recommending 'current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible.'[12]
MIFARE Crypto-1
Crypto-1 is a cryptosystem developed by NXP for use on MIFARE chips. The system is proprietary and the algorithm was not originally published. After reverse engineering the chip, researchers from the University of Virginia and the Chaos Computer Club found an attack on Crypto-1 that exploits a poorly initialized random number generator.[13]
Debian OpenSSL
In May 2008, security researcher Luciano Bello revealed his discovery that changes made in 2006 to the random number generator in the version of the OpenSSL package distributed with Debian GNU/Linux and other Debian-based distributions, such as Ubuntu, dramatically reduced the entropy of generated values and made a variety of security keys vulnerable to attack.[14][15] The security weakness was caused by changes made to the openssl code by a Debian developer in response to compiler warnings of apparently redundant code.[16] This caused a massive worldwide regeneration of keys, and despite all attention the issue got, it could be assumed many of these old keys are still in use. Key types affected include SSH keys, OpenVPN keys, DNSSEC keys, key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected as these programs used different methods to generate random numbers. Keys generated by non-Debian-based Linux distributions are also unaffected. The weak-key-generation vulnerability was promptly patched after it was reported, but any services still using keys that were generated by the old code remain vulnerable. A number of software packages now contain checks against a weak key blacklist to attempt to prevent use of any of these remaining weak keys, but researchers continue to find weak key implementations.[17]
PlayStation 3
In December 2010, a group calling itself fail0verflow announced recovery of the elliptic curve digital signature algorithm (ECDSA) private key used by Sony to sign software for the PlayStation 3 game console. The attack was made possible because Sony failed to generate a new random nonce for each signature.[18]
RSA public key factoring
An analysis comparing millions of RSA public keys gathered from the Internet was announced in 2012 by Lenstra, Hughes, Augier, Bos, Kleinjung, and Wachter. They were able to factor 0.2% of the keys using only Euclid's algorithm.[19][20] They exploited a weakness unique to cryptosystems based on integer factorization. If n = pq is one public key and n' = p'q' is another, then if by chance p = p', a simple computation of gcd(n, n') = p factors both n and n', totally compromising both keys. Nadia Heninger, part of a group that did a similar experiment, said that the bad keys occurred almost entirely in embedded applications, and explains that the one-shared-prime problem uncovered by the two groups results from situations where the pseudorandom number generator is poorly seeded initially and then reseeded between the generation of the first and second primes.
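An added example, not from the article, in Python: a toy model of the failure Heninger describes (a generator with no entropy until after the first prime has been drawn) beside the correct seeding order, and the gcd audit a key owner can run over a batch of public moduli to detect the resulting shared prime. The primes are 32-bit and the per-device entropy values are constructed so that it runs offline in seconds.

```python
import random
from itertools import combinations
from math import gcd, isqrt


def is_prime(n):
    """Trial division; adequate for the 32-bit toy primes used here."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def random_prime(rng, bits=32):
    """Draw an odd `bits`-bit candidate from rng and step up to the next prime."""
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while not is_prime(n):
        n += 2
    return n


def poorly_seeded_modulus(device_entropy):
    """Models the embedded-device bug the text describes: the generator
    starts in a fixed state (no entropy yet at first boot), draws p, and is
    only then reseeded with device-specific entropy before drawing q.
    Every device therefore ends up with the same p."""
    rng = random.Random(0)          # identical state on every device
    p = random_prime(rng)
    rng.seed(device_entropy)        # entropy arrives too late
    q = random_prime(rng)
    return p * q


def well_seeded_modulus(device_entropy):
    """Correct order: seed from real entropy (in practice the OS CSPRNG)
    before any prime is drawn."""
    rng = random.Random(device_entropy)
    p = random_prime(rng)
    q = random_prime(rng)
    return p * q


def find_shared_factors(moduli):
    """Pairwise gcd audit over a batch of moduli.

    Returns {(i, j): shared prime} for every pair that shares a factor;
    a non-trivial gcd factors both keys of the pair.
    """
    hits = {}
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if 1 < g < n1:
            hits[(i, j)] = g
    return hits


def factor_with(n, shared):
    """Once gcd has exposed one prime, the other is a single division away."""
    return (shared, n // shared) if n % shared == 0 else None


# Constructed per-device entropy values standing in for hardware entropy.
DEVICES = [0x1A2B3C4D, 0x5E6F7081, 0x92A3B4C5, 0xD6E7F809]

if __name__ == "__main__":
    bad = [poorly_seeded_modulus(d) for d in DEVICES]
    good = [well_seeded_modulus(d) for d in DEVICES]
    print("shared factors, poorly seeded:", find_shared_factors(bad))
    print("shared factors, well seeded:  ", find_shared_factors(good))
```

Pairwise gcd is quadratic in the number of keys; the 2012 studies used batch gcd to cover millions of moduli, but the detection logic per pair is exactly this.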
Java nonce collision
In August 2013, it was revealed that bugs in the Java class SecureRandom could generate collisions in the k nonce values used for ECDSA in implementations of Bitcoin on Android. When this occurred the private key could be recovered, in turn allowing stealing Bitcoins from the containing wallet.[21]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Random_number_generator_attack&oldid=946354223'