Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

1 Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

2 What is a Pseudo Random Number Generator (PRNG)? It is a mechanism for generating numbers on a computer that are indistinguishable from truly random numbers. Many applications don't have a source of truly random bits; instead they use PRNGs to generate these numbers. The numbers are called pseudo random because a deterministic machine such as a computer cannot generate truly random numbers.

3 Why Study PRNGs? They are used everywhere in cryptography. Random numbers go into session keys, public key generation, initialization vectors and many other places. The PRNG is a single point of failure for many real-world cryptosystems: if the random numbers are insecure, then the entire application is insecure. Many systems use badly designed PRNGs, or use them in ways that make various attacks easier than they need to be.

4 Characteristics of good PRNGs
Should generate on average as many 1's as 0's (e.g. 01111110 01101001).
Should be random enough to hide patterns and correlation (10101010 is an obvious pattern).
Should have a large period (01101001 11001010 00011000 01101001 repeats its first block after three blocks).
Should not produce preferred strings (e.g. 11001100).
Knowledge of some outputs should not help predict past or future outputs.
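The first three criteria on this slide can be checked mechanically. The block below is an added example, not part of the original slides: it implements the frequency (monobit) and runs tests from NIST SP 800-22 plus a naive shortest-period search, and runs them over three constructed bit strings (an alternating string, an all-ones string, and a balanced string with period 4). The last one is the interesting case: it passes both statistical tests and still fails the period criterion, which is why statistical tests alone are not a proof of quality.

```python
import math

# Constructed sample strings (not from the slides): a perfectly alternating
# string, an all-ones string, and a balanced string with a tiny period.
ALTERNATING = "10" * 64
ALL_ONES = "1" * 128
SHORT_PERIOD = "0011" * 32


def monobit_p_value(bits: str) -> float:
    """Frequency (monobit) test from NIST SP 800-22: do 1s and 0s balance?
    Returns a p-value; values below about 0.01 indicate bias."""
    n = len(bits)
    s_n = sum(1 if b == "1" else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def runs_p_value(bits: str) -> float:
    """Runs test from NIST SP 800-22: does the string switch between 0 and 1
    about as often as a random string would?  Too many switches (10101010)
    and too few (00001111) both give a small p-value."""
    n = len(bits)
    pi = bits.count("1") / n
    # The runs test is only meaningful when the frequency test has not already failed.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    numerator = abs(runs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def shortest_period(bits: str) -> int:
    """Smallest p such that the sample repeats every p bits
    (returns len(bits) if no repetition is visible within the sample)."""
    n = len(bits)
    for p in range(1, n):
        if all(bits[i] == bits[i + p] for i in range(n - p)):
            return p
    return n


def basic_checks(bits: str, alpha: float = 0.01, min_period: int = 64) -> dict:
    """Run the three checks and report which of the slide's criteria fail."""
    return {
        "balanced": monobit_p_value(bits) >= alpha,
        "no_obvious_pattern": runs_p_value(bits) >= alpha,
        "large_period": shortest_period(bits) >= min_period,
    }


if __name__ == "__main__":
    for name, sample in [("alternating", ALTERNATING),
                         ("all ones", ALL_ONES),
                         ("short period", SHORT_PERIOD)]:
        print(name, basic_checks(sample))
```

The thresholds (alpha = 0.01, a minimum period of 64 within a 128-bit sample) are illustrative choices; on real generator output you would run far larger samples and the full SP 800-22 suite rather than these three checks.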

5 PRNG Model
Collect: collect unpredictable inputs; the inputs are gathered in a "seed pool".
State (secret state): after collecting sufficient seed data, move to a stable state.
Generate: generate random outputs by performing various operations on the seed data.

6 RSA PRNG
To generate a bit stream of size l:
Choose two prime numbers p = 11 and q = 19 (n = p*q = 209).
m = (p-1)(q-1) (m = 180).
Choose e such that gcd(e, m) is 1 (e = 7).
Select X0 (seed) such that 1 < X0 < n (let X0 = 72).
For i = 1 to l do: Xi = (Xi-1)^e mod n; Zi = least significant bit of Xi.
X1 = 72^7 mod 209 = 184, Z1 = 0
X2 = 200, Z2 = 0
X3 = 205, Z3 = 1
Output: 00110110…
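The slide's generator in runnable form, as an added example (not code from the slides): the function reproduces the states 184, 200, 205 and output bits 0, 0, 1 from the worked numbers above, and a second function measures how quickly the state sequence cycles for these toy parameters. The parameter checks (gcd(e, m) = 1, 1 < X0 < n) are the ones the slide states.

```python
import math


def rsa_prng(p: int, q: int, e: int, seed: int, length: int):
    """RSA generator from the slide: X_i = X_{i-1}^e mod n, Z_i = lsb(X_i).
    Returns the list of states X_1..X_l and the output bit string Z_1..Z_l."""
    n = p * q
    m = (p - 1) * (q - 1)
    if math.gcd(e, m) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    if not 1 < seed < n:
        raise ValueError("seed must satisfy 1 < X0 < n")
    x = seed
    states, bits = [], []
    for _ in range(length):
        x = pow(x, e, n)          # modular exponentiation, never x ** e
        states.append(x)
        bits.append(str(x & 1))   # least significant bit is the output
    return states, "".join(bits)


def cycle_length(p: int, q: int, e: int, seed: int) -> int:
    """Number of steps until the state sequence repeats a state.
    For the slide's toy parameters this is tiny; real deployments use
    primes of hundreds of digits precisely so the period is astronomically large."""
    n = p * q
    seen = {seed}
    x, steps = seed, 0
    while True:               # terminates: at most n distinct states exist
        x = pow(x, e, n)
        steps += 1
        if x in seen:
            return steps
        seen.add(x)


if __name__ == "__main__":
    states, bits = rsa_prng(11, 19, 7, 72, 8)
    print("states:", states)   # begins 184, 200, 205 as on the slide
    print("bits:  ", bits)
    print("cycle: ", cycle_length(11, 19, 7, 72))
```

With p = 11, q = 19, e = 7 and X0 = 72 the state returns to 72 after twelve steps, so the whole bit stream has period 12: a useful reminder that the construction is only as strong as the size of n.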

7 Classes of Attacks on PRNGs
Direct Attack: when the attacker can directly distinguish between PRNG numbers and random numbers (cryptanalyze the PRNG).
Input Based Attack: when the attacker is able to use knowledge of PRNG inputs to cryptanalyze the PRNG.
State Compromise Extension Attacks: when the attacker can guess some information due to an earlier breach of security.

8 Direct Attacks
When the attacker can directly cryptanalyze the PRNG. Applicable to most PRNGs. They occur when outputs are predictable, biased, or have definite patterns and correlations. Not applicable when the attacker is not able to directly see the output of the PRNG, e.g. a PRNG used to generate triple-DES keys: here the output of the PRNG is never directly seen by an attacker.

9 Input Based Attacks
Also called exhaustive seeding search attacks. The attacker uses knowledge of the inputs to cryptanalyze the PRNG output. The attacker finds the seed bytes that initialized the generator. If the attacker controls the inputs, the same input can be fed again and again to repeat the same output forever. There are many poor sources of seed material, such as clock values and network statistics.

10 State Compromise Attacks
The attacker tries to guess the internal state of the generator. The design criterion is to make the internal state of the PRNG large enough to make exhaustive state search impractical.
Backtracking attacks: use the compromise of PRNG state S to learn about all previous PRNG outputs.
Permanent compromise attack: once S has been compromised, all future and past outputs of the PRNG are vulnerable.
Iterative guessing attacks: use the knowledge of state S that was compromised at time t, and the intervening PRNG outputs, to guess the state S' at time t+Δ.
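To make these classes concrete on the slide's own RSA generator, here is an added example (not from the slides) of what a compromised state S gives away. One full state X_t plus the public pair (e, n) determines every later output bit, which is the permanent-compromise case; if the factorisation of n is also known, the private exponent d inverts each step and earlier states fall too, which is the backtracking case. The parameters (p = 11, q = 19, e = 7) and the compromised state X3 = 205 are the slide's numbers; the function names are this example's own.

```python
def predict_forward(n: int, e: int, compromised_state: int, count: int) -> str:
    """Permanent compromise: given one full state X_t and the public (e, n),
    every later output bit is computable without observing anything further."""
    x, bits = compromised_state, []
    for _ in range(count):
        x = pow(x, e, n)
        bits.append(str(x & 1))
    return "".join(bits)


def backtrack(p: int, q: int, e: int, compromised_state: int, count: int) -> list:
    """Backtracking: with the factorisation of n, d = e^-1 mod (p-1)(q-1)
    inverts each step, so earlier states (and hence their output bits) are exposed.
    Returns the `count` states preceding the compromised one, oldest first."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse; needs Python 3.8+
    x, earlier = compromised_state, []
    for _ in range(count):
        x = pow(x, d, n)
        earlier.append(x)
    return earlier[::-1]


if __name__ == "__main__":
    # Slide parameters; assume the attacker learned X3 = 205 through some breach.
    p, q, e, x3 = 11, 19, 7, 205
    print("next four output bits:", predict_forward(p * q, e, x3, 4))
    print("two earlier states:   ", backtrack(p, q, e, x3, 2))   # [184, 200]
```

Two design lessons follow directly. The generator emits only the least significant bit of each state, so an attacker who sees just the output must recover a full state before either function above applies; that is exactly what a large n is meant to prevent. And the backward direction needs d, i.e. the factorisation, so p and q belong with the secret state and must never be exposed alongside it. Neither function helps against a generator that reseeds or mixes fresh entropy into the state after a compromise, which is the standard mitigation.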

11 Netscape's Implementation of SSL
SSL protects communications by encrypting messages with a secret key, a large random number known only to the sender and receiver (key size 40 bits). Netscape 1.1 uses the MD5 algorithm, which will presumably be known to any adversary. The seed generated depends only on the values of three quantities: the time of day, the process ID, and the parent process ID. An attacker can easily discover the pid and ppid values using the ps command. All that remains is to guess the time of day. Most popular Ethernet sniffing tools (including tcpdump) record the precise time they see each packet. Using the output from such a program, the attacker can guess the time of day on the system running the Netscape browser to within a second. It was attacked in 30 hours using spare CPU cycles from many machines.
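The defensive point of this slide is that a key derived from guessable process metadata has far fewer effective bits than its length suggests. The block below is an added example and not Netscape's code: the hash-input layout in the weak variant is an assumption chosen only to mirror the slide's description (MD5 over time of day, pid and ppid), the hardened variant draws the key from the operating system's entropy source instead, and a third function converts "how many candidate values could each input take" into an effective seed size in bits so the two can be compared against the 40-bit key length.

```python
import hashlib
import math
import secrets


def key_from_weak_seed(time_of_day: int, pid: int, ppid: int, key_bytes: int = 5) -> bytes:
    """Illustrative reconstruction of the seeding pattern the slide describes:
    the key is a deterministic function of three low-entropy values.
    NOT Netscape's actual code; the input layout is an assumption."""
    seed = f"{time_of_day}:{pid}:{ppid}".encode()
    return hashlib.md5(seed).digest()[:key_bytes]   # 5 bytes = the 40-bit key


def key_from_strong_seed(key_bytes: int = 5) -> bytes:
    """Hardened form: take the key material from the OS entropy source,
    which is not a function of anything an observer can reconstruct."""
    return secrets.token_bytes(key_bytes)


def effective_seed_bits(time_candidates: int, pid_candidates: int, ppid_candidates: int) -> float:
    """Upper bound on the search an attacker faces when the seed is
    (time, pid, ppid): log2 of the number of distinct seeds to try."""
    return math.log2(time_candidates * pid_candidates * ppid_candidates)


if __name__ == "__main__":
    # Constructed values, not taken from any real capture.
    weak = key_from_weak_seed(time_of_day=1_000_000_000, pid=4242, ppid=4241)
    print("weak key:  ", weak.hex(), "(identical on every run for the same inputs)")
    print("strong key:", key_from_strong_seed().hex())
    # Slide scenario: pid/ppid known from ps, time known to within a second.
    print("seed bits, slide scenario:", effective_seed_bits(1, 1, 1))
    # Even granting the attacker no pid/ppid knowledge and only minute-level
    # timing, the seed space stays below the nominal 40-bit key size.
    print("seed bits, generous case: ", round(effective_seed_bits(60, 32768, 32768), 1))
```

The audit check this suggests is simple: enumerate every input to the seed pool and ask how many values each could take from an observer's point of view; the product, not the key length, is the real security margin.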

12 Conclusions
Random numbers are the basis for many cryptographic applications. Attacks on many cryptographic applications are possible through attacks on their PRNGs. There is no reliable "independent" function to generate random numbers. Present-day computers can only approximate random numbers, using pseudo-random numbers produced by Pseudo Random Number Generators.

13 Questions??
