Random Fail


I must be out of the security loop. I first learned about the latest random number bug via a cartoon. Schneier has a short summary of the problem.

This is very disturbing because it went unnoticed since September of 2006 in a number of Linux distributions. Both SSL certificates and SSH keys generated on these systems are affected.

This reminds me of a paper I wrote on a similarly weak RNG in Kerberos, with Steve Lodin and Gene Spafford 11 years ago. In the case of Kerberos Version 4, it used a RNG that depended only about 20 bits of entropy. The maintainers of Kerberos knew it was weak and implemented a much stronger one for Kerberos Version 5 and backported the new RNG to Version 4. However, the old RNG code was left in the source tree and due to a somewhat convoluted Makefile and source code, the new RNG was never called. The failure was masked by the existence of the old, weaker RNG code.

While working at Sun Microsystems, on the groundbreaking, but commercially unsuccessful SPF-100, I did more work on RNGs. These experiences confirmed to me the difficulty in writing a good, cryptographically strong, RNG.

The RNG that our group at Sun used was based on the RNG for PGP (the gold standard of crypto at the time). The seeding and generation of random numbers were fine, except the developer had gotten too clever. The algorithm used md5 to generate random bits based on a entropy pool. If you requested fewer bytes than were generated by the md5 block, those bits would be wasted. So instead, the algorithm saved the extra random bits for later. This was where the bug was, it wouldn't make any more random bits unless you asked for more than one md5 block worth of randomness. Session keys just happened to be short enough to never trigger new randomness. So while the Diffie-Hellman key exchange was secure, the underlying session keys were very weak.

Thankfully someone was debugging and noticed that the session keys stayed the same, even after they were renegotiated. Maybe it was Rich, I can't remember now.

The moral is: be very careful building your RNG and don't forget to test the randomness of the output. The Dieharder test suit is a good start. Make sure you test the right way too. Generate the random test data exactly like the RNG will get called in the code. Same number of bits, same pattern of calls. Then don't forget to retest before you ship. :)

Good luck, and stay random.

Write

Comments

Post a Comment

Popular posts from this blog

Weasley Location Clock Project

Image
I wanted to surprise my wife for Christmas. She is a redheaded Harry Potter fan and mom, which inspired the idea to build a Weasley Clock. I got the idea in February, so I had 10 months to get the project designed and built. For those unfamiliar with Harry Potter and the Weasley Family, the Weasley wizard family owns a magical clock that instead of telling time shows the location of each family member with a separate hand. Here's an excerpt from Harry Potter and the Goblet of Fire (J. K. Rowling, 2000): Mrs. Weasley glanced at the grandfather clock in the corner. Harry liked this clock. It was completely useless if you wanted to know the time, but otherwise very informative. It had nine golden hands, and each of them was engraved with one of the Weasley family’s names. There were no numerals around the face, but descriptions of where each family member might be. “Home,” “school,” and “work” were there, but there was also “traveling,” “lost,” “hospital,” “prison,” an
Read more

Top 100 Science Fiction Novels

http://www.npr.org/2011/08/11/139085843/your-picks-top-100-science-fiction-fantasy-books It is not exactly "top 100 books", as several entries are a series of books. So despite having read 44 books on this list, it looks like I have barely scratched the surface. Progress So far: (bold == read) 1. The Lord Of The Rings Trilogy , by J.R.R. Tolkien (3 books) 2. The Hitchhiker's Guide To The Galaxy , by Douglas Adams (4 books) 3. Ender's Game , by Orson Scott Card (and Ender's Shadow ) 4. The Dune Chronicles , by Frank Herbert (just the 1st Dune) 5. A Song Of Ice And Fire Series , by George R. R. Martin (multiple books) 6. 1984 , by George Orwell 7. Fahrenheit 451 , by Ray Bradbury 8. The Foundation Trilogy , by Isaac Asimov (3 books) 9. Brave New World , by Aldous Huxley 10. American Gods , by Neil Gaiman 11. The Princess Bride , by William Goldman 12. The Wheel Of Time Series , by Robert Jordan 13. Animal Farm , by George Orwell 14.
Read more

Coursera

Image
I have recently discovered Coursera . They offer hundreds of online courses in a wide range of subjects. Most courses are roughly equivalent to an semester-long undergraduate level course. Some are easier and some are equivalent to graduate-level coursework.  I got started with Andrew Ng's Machine Learning (ML) course . I have been curious about machine learning, but a little biased against the field based on my limited knowledge of Artificial Intelligence (AI). My impression (and that of many others) has been that AI has long over-promised and under-delivered. However, recent advances in ML and its use in analyzing big data sets made its potential impossible to ignore. When I started the course, I did not know that Professor Ng had helped found Coursera. Nor did I realize the extent of his influence in the field of machine learning . Learning these facts gave added weight to his personal anecdotes about applying machine learning techniques. When Prof. Ng includes advice on
Read more