PKCS #14: Pseudo-Random Number Generation


Robert W. Baldwin - RSA Engineering, baldwin@rsa.com
James W. Gray, III - RSA Laboratories, jgray@rsa.com
PKCS Workshop ’98, October 7-9, 1998
RSA Data Security

Outline
- Motivation, Purpose and Scope
- Criteria and Requirements
- Algorithm Families
  - Digest, Block-Cipher, Both
  - Stream-Cipher, Modular-Exponentiation
- Discussion of Criteria & Families

© RSA Data Security 1998

Goals
- Rough Consensus on Criteria and Requirements
- Start Discussion of Algorithms
- Sign Up Interested Participants for Further Development

Motivation for PKCS #14
- Honda-san: Ask "why" 3 times
  1. Increase System Security
  2. Users and Developers Feel Safer
  3. Lawyers Are Happier :-)
- Generally Accepted Good Business Practice
- Clear Intellectual Property

Possible Non-Purposes for PKCS #14
- Is Not: “Entropy” Gathering Recommendations
- Is Not: Ensure Interoperability
- Maybe: State Save Format

Possible Purposes for PKCS #14
- Is: Establish Accepted Practice
- Is: Ensure Correctness
  - Test Vectors
- Is: Ensure Strength
  - Cite Literature (Provable Properties)
  - Provide Focus for Research

Possible Purposes for PKCS #14 (continued)
- Maybe: Document Evaluation Criteria
- Maybe: Evaluate Different Algorithms
- Is Not: Repeat the RIPE Project
- Is: Input to Other Standards

Possible Scope for PKCS #14
- Just Document the BSAFE Algorithms
- Catalog All Known Algorithms
  - Unbroken Algorithms
- Create the One Ideal PRNG Algorithm
- Select a Few Good Algorithms
  - One for Each Major Environment
  - Need Criteria for Goodness

Current Scope for PKCS #14
- Document a Few Good Algorithms
  - Including BSAFE Algorithms
  - By May 1999
- Based on Existing Literature
  - New Construct OK With Proofs
- Cite Preliminary Analysis
  - Literature & RSA Bulletins

Outline
- Motivation, Purpose and Scope
- Criteria and Requirements (current section)
- Algorithm Families
  - Digest, Block-Cipher, Both
  - Stream-Cipher, Modular-Exponentiation
- Discussion of Criteria & Families

Meta-Criteria
- Any New Algorithm Must Be Better Than Existing Algorithms
- How To Measure "Better"?
- Perhaps Multiple Sets of Criteria

Criteria - Conflicting Sets
- Performance
  - Cipher-Based PRNG
- Export Regulations
  - Digest-Based PRNG
- Provable Security
  - Exponentiation-Based PRNG
- Hardware Primitives
  - Use Full Digest, Not Hash-Compression

Criteria - Security Checklist
- Output Passes Randomness Tests
- Large Minimum Cycle Length
- Avoid Brute-Force State Guessing
- Large Output Range
  - All 3DES Keys
  - All 256-Bit AES Keys
- Full Use of Seed Material

Criteria - Security Checklist (continued)
- Avoid Known Cryptanalytic Attacks
  - Differential Against Cipher or Digest Input
  - Timing Attack
- Limit Forward and Backward Attacks
- Attacker Control of Some Seed Does Not Help Much

Criteria - Conservative Security
- Proven Security Properties
- Well-Studied Algorithm
- Well-Known Primitives
- Accepted Properties of Primitives

Criteria - Intellectual Property
- Need Well-Defined Ownership
- Range of Ownership:
  - No Patents on Any Part
  - Patents on Primitives, Not Constructs
  - Patents on Constructs
  - Patents on Whole PRNG
- Well-Understood Licensing Terms
  - Non-Discriminatory, etc.

Criteria - API
- What Is the Full Set of Operations for a PRNG?
  - Add Initial Seed
  - Generate “Random” Bytes
  - Add New Seed
  - Save and Restore State?
  - Self Test?
  - Test for Needs-More-Seed?
  - How Many Bytes Output Since Last Seed?

Outline
- Motivation, Purpose and Scope
- Criteria and Requirements
- Algorithm Families (current section)
  - Introduction
  - Digest, Block-Cipher, Both
  - Stream-Cipher, Modular-Exponentiation
- Discussion of Criteria & Families

Structure of PRNG Algorithms
- Reduce Seed Material to State
- Loop:
  - Generate One Block of Output From State
  - Advance State Without New Seed
  - Update State With New Seed (Maybe)
  - Save & Restore State (Maybe)

Comparing PRNG & KDFs (diagram slide)

Notation
- || = Concatenation
- | x | = Bit Size of “x”
- + = Unsigned Integer Addition
- * = Unsigned Integer Multiplication
- ^ = Exponentiation
- xor = Exclusive-Or

Notation (continued)
- S = State
- X = X1 .. Xn = Seed blocks
- Y = Y1 .. Ym = Output blocks
- D(z) = Digest of value z
- Enc(k, m) = Encrypt block m with key k
- CbcRes(k, M) = CBC Residue of message M with key k

Possible Algorithm Families  Digest Block-Cipher Digest and Block-Cipher Stream-Cipher Modular Exponentiation © RSA Data Security 1998 23

Digest (PRF) Family of PRNG
- BSAFE Algorithms
- Yarrow
- Gutmann
- SSL KDF

Digest Family PRNG
- Seed Reduction via MD5, SHA1, RIPEMD-160
  - 128- or 160-Bit Bottleneck
  - 3DES Needs 168-Bit Keys
- Generate Output by Digest of State

Digest Family PRNG (continued)
- Advance State by
  - Adding Constant (BSAFE)
  - LFSR or LCG
  - Iterative Digest (Gutmann, Yarrow)
- Update State with New Seed by
  - Integer Addition of Digested Seed (BSAFE 2)
  - Digest (State || Seed) (BSAFE 3)

Proposed Digest-PRNG Algorithm #1
- Seed Reduction:
  - X = Initial Seed
  - S = S1 || S2 = Internal State
  - | S | = 256 Bits, | S1 | = | S2 | = 128 Bits
  - S1 = D(Pad1 || X) truncated to 128 bits
  - S2 = D(Pad2 || X) truncated to 128 bits
  - | Pad1 | = | Pad2 | = 512 bits
- Extracts Up To 256 Bits of Entropy

Proposed Digest-PRNG Algorithm #1 (continued)
- Output Generation:
  - Yj = HMAC (S, S || j)
  - Alternative: Yj = HMAC (S, j)
  - Expanded: Yj = D (S xor Pad1 || D (S xor Pad2 || S || j))
  - Alternative expanded: Yj = D (S xor Pad1 || D (S xor Pad2 || j))
  - | Pad1 | = | Pad2 | = 512 Bits
  - | j | = 192 Bits (Room for End Padding)
- Advance State is just: j = j + 1

Output Diagram for Digest-PRNG Algorithm #1 (diagram slide): shows the alternative Yj = HMAC (S, j) with | S | = | j | = 256 Bits; PRF = SHA1-HC (SHA-1 compression) with a 160-bit IV, 512-bit input blocks (S or j xor'd with Pad1/Pad2, plus end padding) and 160-bit outputs, the inner PRF result feeding the outer PRF to produce Yj.

Proposed Digest-PRNG Algorithm #1 (continued)
- Update State With New Seed, Xk:
  - S1 = D(S xor Pad1 || Xk) truncated to 128 bits
  - S2 = D(S xor Pad2 || Xk) truncated to 128 bits
  - | Pad1 | = | Pad2 | = 512 bits
- Same as Initial Seeding With S = 0
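The three operations of Digest-PRNG Algorithm #1 (seed reduction, output generation, reseeding) as an added Go example; it is not the deck's or BSAFE's code. It assumes D = SHA-1, HMAC-SHA1 for the output step, Pad1/Pad2 filled with 0x36/0x5c (the slides fix only their 512-bit size), and the current state xor'd into the leading 32 bytes of each pad.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Pad1 and Pad2 are the deck's two 512-bit constants; the slides fix only their size, so
// this example fills them with 0x36 and 0x5c (an assumption, matching HMAC's ipad/opad).
var pad1, pad2 = bytes.Repeat([]byte{0x36}, 64), bytes.Repeat([]byte{0x5c}, 64)

// reduce derives S = S1 || S2 (256 bits) from seed material X with D = SHA-1:
// S1 = D(S xor Pad1 || X) truncated to 128 bits, S2 = D(S xor Pad2 || X) truncated to
// 128 bits. prev is the current state (all zero for the initial seeding); xor'ing it into
// the leading 32 bytes of each 64-byte pad is this example's reading of "S xor Pad".
func reduce(prev, X []byte) []byte {
	var S []byte
	for _, pad := range [][]byte{pad1, pad2} {
		buf := append([]byte(nil), pad...)
		for i := range prev { buf[i] ^= prev[i] }
		d := sha1.Sum(append(buf, X...))
		S = append(S, d[:16]...)
	}
	return S
}

// output returns Yj = HMAC(S, S || j) using HMAC-SHA1, with j sent as a 192-bit
// big-endian counter; advancing the state between blocks is just j = j + 1.
func output(S []byte, j uint64) []byte {
	ctr := make([]byte, 24)
	binary.BigEndian.PutUint64(ctr[16:], j)
	mac := hmac.New(sha1.New, S)
	mac.Write(S)
	mac.Write(ctr)
	return mac.Sum(nil)
}

func main() {
	S := reduce(make([]byte, 32), []byte("constructed seed material")) // initial seeding, S = 0
	fmt.Printf("Y0=%x\nY1=%x\n", output(S, 0), output(S, 1))
	S = reduce(S, []byte("constructed extra entropy")) // reseed: same reduction keyed by S
	fmt.Printf("Y0'=%x\n", output(S, 0))
}
```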

Benefits of Digest-PRNG Algorithm #1
- Large State Avoids 3DES Key Problem
- State Cycle Length of 2^192 Blocks
  - Output Cycle Length May Be Same
- Benefits From Literature on HMAC
- Some Literature (Krawczyk, Bellare, Rogaway)

Drawbacks of Digest-PRNG Algorithm #1
- New Algorithm, No Literature
- Does Not Avoid Back-Tracking Attacks
- No Proofs of Security for:
  - Seed Reduction
  - State Update
- Slower Than BSAFE’s Algorithm
  - 2X for Output Generation

Proposed New Digest-PRNG Algorithm #2
- Being Developed by Jim Gray
- “Provable” Security Properties
- Based on Hash Compression Function Rather Than Full Digest Function
- Still Under Development

Possible Algorithm Families Digest  Block-Cipher Digest and Block-Cipher Stream-Cipher Modular Exponentiation © RSA Data Security 1998 34

Block-Cipher Family PRNG
- X9.17
- Bellare, Rogaway, and others
- Related to MAC Literature
  - Krawczyk, Davies, Meyer, and others

Block-Cipher Family PRNG (continued)
- Seed Reduction Often Unspecified
  - Cipher-Based Digest (MDC2, Davies-Meyer, etc.)
- State = Key and Message-Block
- Output by Encrypting Part of State
  - Encrypt Single Block Counter
  - CBC-Residue of Large Counter (Micro-BSAFE)

Block-Cipher Family PRNG (continued)
- Advance Message-Block and/or Key by
  - Adding Constant (Rogaway)
  - LFSR or LCG
  - Iterative Encryption (X9.17, Rogaway)
  - Append Counter (Rogaway)

Proposed Block-Cipher-PRNG Algorithm #1
- Based on Rogaway and others
- Uses 64-Bit Block Cipher With Keys of At Least 128 Bits
  - IDEA, RC5, 3DES
- Can Generalize to AES Ciphers

Proposed Block-Cipher-PRNG Algorithm #1 (continued)
- Seed Reduction:
  - H() = Davies-Meyer One-Way Hash
  - K = H(Prefix1 || X) -- 128 Bits
  - C = S = S1 || S2 = H(Prefix2 || X) -- 128 Bits
  - | Prefix1 | = | Prefix2 | = 64 Bits

Proposed Block-Cipher-PRNG Algorithm #1 (continued)
- Output Generation:
  - Yj = CbcRes (GK, S)
  - GK = H(K || j >> d) = Generation Key
  - “d” sets the key change rate, 0 < d < 20
  - CbcRes = 64-Bit CBC Residue
  - CbcRes (K, S1 || S2) = Enc (K, S2 xor Enc (K, S1))
  - | S1 | = | S2 | = 64 Bits
  - | j >> d | = 64 Bits

Proposed Block-Cipher-PRNG Algorithm #1 (continued)
- Advance S State (LCG):
  - S = S + C modulo P
  - P is a 128-Bit Prime
  - Take Care to Avoid Timing Attacks
- Advance CbcRes Key State After 2^d Output Blocks:
  - GK = H(K || j >> d)
  - | j >> d | = 64 Bits

Proposed Block-Cipher-PRNG Algorithm #1 (continued)
- Update State With New Seed, Xk:
  - H() = Davies-Meyer Hash
  - K = H(Prefix1 || K || Xk)
  - M = H(Prefix2 || M || Xk)

Benefits of Block-Cipher-PRNG Algorithm #1
- Large State Avoids 3DES Key Problem
- State Cycle Length of P (~2^128) Blocks
  - Output Cycle May Be Same
- A Bit Faster Than Digest Algorithms
- Some Literature (Rogaway, Bellare, Davies)

Drawbacks of Block-Cipher-PRNG Algorithm #1
- No Protection Against Back-Tracking
- New Algorithm, No Direct Literature

Possible Algorithm Families
- Digest
- Block-Ciphers
- Digest and Block-Cipher (current, overview only)
- Stream-Ciphers
- Modular Exponentiation

Digest and Block-Cipher PRNG Family
- Seed Reduction Using Digest
- Output by Encrypting Part of State
  - Encrypt Single Block Counter
  - CBC-Residue of Large Counter (Micro-BSAFE)

Digest and Block-Cipher PRNG Family (continued)
- Advance State and/or Key by
  - Adding Constant (Rogaway)
  - LFSR or LCG
  - Iterative Encryption (X9.17)
  - Iterative Hashing

Possible Algorithm Families
- Digest
- Block Ciphers
- Digest and Block
- Stream Ciphers (current, overview only)
- Modular Exponentiation

Stream Cipher PRNG Family
- Seed Reduction Using ???
- Output: Key Stream of the Cipher
  - RC4, PIKE, SEAL, VESTA, A5
- Advance State: Running Stream Cipher

Possible Algorithm Families
- Digest
- Block Ciphers
- Digest and Block
- Stream Ciphers
- Modular Exponentiation (current, overview only)

Modular Exponentiation PRNG Family
- Seed Reduction Using ???
- Output by: Output Function of Value (Parity, LSB, O(log log n) Bits, etc.)
- Advance State: Iterate Exponentiation
- Literature for BBS, ACGS, and BM

Outline
- Motivation, Purpose and Scope
- Criteria and Requirements
- Algorithm Families
  - Digest, Block Cipher, Both
  - Stream Cipher, Modular-Exponentiation
- Discussion of Criteria & Families (current section)

Discussion of Criteria
- Is Documenting BSAFE Enough?
- Are Cipher-Based PRNGs Needed?
- Is Patent-Free Required?
- PRNG Construct and/or Primitive?
- Is Re-Seeding Needed?
- Can Digest Function Internals Be Used?