PKCS #14: Pseudo-Random Number Generation


1 PKCS #14: Pseudo-Random Number Generation
Robert W. Baldwin - RSA Engineering
James W. Gray, III - RSA Laboratories
PKCS Workshop ’98, October 7-9, 1998
RSA Data Security

2 Outline
- Motivation, Purpose and Scope
- Criteria and Requirements
- Algorithm Families: Digest, Block-Cipher, Both, Stream-Cipher, Modular-Exponentiation
- Discussion of Criteria & Families
© RSA Data Security 1998

3 Goals
- Rough Consensus on Criteria and Requirements
- Start Discussion of Algorithms
- Sign Up Interested Participants for Further Development

4 Motivation for PKCS #14
Honda-san: Ask "why" 3 times
1: Increase System Security
2: Users and Developers Feel Safer
3: Lawyers Are Happier :-)
- Generally Accepted Good Business Practice
- Clear Intellectual Property

5 Possible Non-Purposes for PKCS #14
- Is Not: "Entropy" Gathering Recommendations
- Is Not: Ensure Interoperability
- Maybe: State Save Format

6 Possible Purposes For PKCS #14
- Is: Establish Accepted Practice
- Is: Ensure Correctness (Test Vectors)
- Is: Ensure Strength (Cite Literature, Provable Properties)
- Provide Focus for Research

7 Possible Purposes For PKCS #14
- Maybe: Document Evaluation Criteria
- Maybe: Evaluate Different Algorithms
- Is Not: Repeat the RIPE Project
- Is: Input to Other Standards

8 Possible Scope For PKCS #14
- Just Document the BSAFE Algorithms
- Catalog All Known Algorithms, or All Unbroken Algorithms
- Create the One Ideal PRNG Algorithm
- Select a Few Good Algorithms, One for Each Major Environment
  - Need Criteria for Goodness

9 Current Scope For PKCS #14
- Document a Few Good Algorithms, Including the BSAFE Algorithms, By May 1999
- Based on Existing Literature
  - New Construct OK With Proofs
- Cite Preliminary Analysis: Literature & RSA Bulletins

10 Outline
- Motivation, Purpose and Scope
-> Criteria and Requirements
- Algorithm Families: Digest, Block-Cipher, Both, Stream-Cipher, Modular-Exponentiation
- Discussion of Criteria & Families

11 Meta-Criteria
- Any New Algorithm Must Be Better Than Existing Algorithms
- How To Measure "Better"?
- Perhaps Multiple Sets of Criteria

12 Criteria - Conflicting Sets
Each criterion pulls toward a different family:
- Performance: Cipher-Based PRNG
- Export Regulations: Digest-Based PRNG (digests were not export-controlled the way ciphers were)
- Provable Security: Exponentiation-Based PRNG
- Hardware Primitives: Use Full Digest, Not Hash-Compression Function

13 Criteria - Security Checklist
- Output Passes Randomness Tests
- Large Minimum Cycle Length
- Avoid Brute Force State Guessing
- Large Output Range: Can Reach All 3DES Keys, All 256-Bit AES Keys
- Full Use of Seed Material

14 Criteria - Security Checklist
- Avoid Known Cryptanalytic Attacks
  - Differential Against Cipher or Digest Input
  - Timing Attack
- Limit Forward and Backward Attacks
- Attacker Control of Some Seed Does Not Help Much

15 Criteria - Conservative Security
- Proven Security Properties
- Well-Studied Algorithm
- Well-Known Primitives
- Accepted Properties of Primitives

16 Criteria - Intellectual Property
- Need Well-Defined Ownership
- Range Of Ownership:
  - No Patents On Any Part
  - Patents On Primitives, Not Constructs
  - Patents On Constructs
  - Patents On Whole PRNG
- Well-Understood Licensing Terms (Non-Discriminatory, etc.)

17 Criteria - API
What is the Full Set of Operations for a PRNG?
- Add Initial Seed
- Generate "Random" Bytes
- Add New Seed
- Save and Restore State ?
- Self Test ?
- Test for Needs-More-Seed ?
- How Many Bytes Output Since Last Seed ?

18 Outline
- Motivation, Purpose and Scope
- Criteria and Requirements
-> Algorithm Families: Introduction; Digest, Block-Cipher, Both, Stream-Cipher, Modular-Exponentiation
- Discussion of Criteria & Families

19 Structure of PRNG Algorithms
- Reduce Seed Material to State
- Loop:
  - Generate One Block of Output From State
  - Advance State Without New Seed
  - Update State With New Seed (Maybe)
  - Save & Restore State (Maybe)

20 Comparing PRNG & KDFs

21 Notation
|| = Concatenation
| x | = Bit Size of "x"
+ = Unsigned Integer Addition
* = Unsigned Integer Multiplication
^ = Exponentiation
xor = Exclusive-Or

22 Notation
S = State
X = X1 .. Xn = Seed Blocks
Y = Y1 .. Ym = Output Blocks
D(z) = Digest of Value z
Enc(k, m) = Encrypt Block m With Key k
CbcRes(k, M) = CBC Residue of Message M With Key k

23 Possible Algorithm Families
-> Digest
- Block-Cipher
- Digest and Block-Cipher
- Stream-Cipher
- Modular Exponentiation

24 Digest (PRF) Family of PRNG
- BSAFE Algorithms
- Yarrow
- Gutmann
- SSL KDF

25 Digest Family PRNG
- Seed Reduction via MD5, SHA1, RIPEMD-160
  - 128 or 160 Bit Bottleneck; 3DES Needs 168-Bit Keys
- Generate Output by Digest of State

26 Digest Family PRNG
- Advance State by:
  - Adding Constant (BSAFE)
  - LFSR or LCG
  - Iterative Digest (Gutmann, Yarrow)
- Update State with New Seed by:
  - Integer Addition of Digested Seed (BSAFE 2)
  - Digest (State || Seed) (BSAFE 3)

27 Proposed Digest-PRNG Algorithm #1
Seed Reduction:
- X = Initial Seed
- S = S1 || S2 = Internal State; | S | = 256 Bits, | S1 | = | S2 | = 128 Bits
- S1 = D(Pad1 || X) truncated to 128 bits
- S2 = D(Pad2 || X) truncated to 128 bits
- | Pad1 | = | Pad2 | = 512 bits
- Extracts Up To 256 Bits of Entropy

28 Proposed Digest-PRNG Algorithm #1
Output Generation:
- Yj = HMAC (S, S || j)
  - Alternative: Yj = HMAC (S, j)
- Written out (HMAC with Pad1 and Pad2 in the roles of opad and ipad, S zero-extended to the 512-bit block):
  - Yj = D ((S xor Pad1) || D ((S xor Pad2) || S || j))
  - Alternative: Yj = D ((S xor Pad1) || D ((S xor Pad2) || j))
- | Pad1 | = | Pad2 | = 512 Bits
- | j | = 192 Bits (Room for End Padding)
- Advance State is just: j = j + 1

29 Output Diagram for Digest-PRNG Algorithm #1
[Diagram, shows the alternative Yj = HMAC (S, j) with | S | = | j | = 256 Bits and PRF = SHA1-HC (SHA-1 compression function). Inner pass: S xor Pad2 (512 bits) then j with 256 bits of end padding, run through the PRF from the IV, giving 160 bits. Outer pass: S xor Pad1 (512 bits) then the 160-bit inner result with 352 bits of end padding, run through the PRF from the IV, giving Yj (160 bits).]

30 Proposed Digest-PRNG Algorithm #1
Update State With New Seed, Xk:
- S1 = D ((S xor Pad1) || Xk) truncated to 128 bits
- S2 = D ((S xor Pad2) || Xk) truncated to 128 bits
- | Pad1 | = | Pad2 | = 512 bits
- Same as Initial Seeding With S = 0

31 Benefits of Digest-PRNG Algorithm #1
- Large State Avoids 3DES Key Problem
- State Cycle Length of 2^192 Blocks
  - Output Cycle Length May Be Same
- Benefits From Literature on HMAC
- Some Literature (Krawczyk, Bellare, Rogaway)

32 Drawbacks of Digest-PRNG Algorithm #1
- New Algorithm, No Literature
- Does Not Avoid Back-Tracking Attacks (S is fixed between reseeds, so a captured S and j recompute every earlier Yj)
- No Proofs of Security for: Seed Reduction, State Update
- Slower Than BSAFE's Algorithm: 2X for Output Generation
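Digest-PRNG Algorithm #1 as specified on slides 27, 28 and 30, written out as an added example; this is not code from the slides or from BSAFE. Choices the slides leave open are made here and marked: D() is SHA-1, Pad1/Pad2 are the HMAC opad/ipad bytes, and the 256-bit S is zero-extended to 512 bits before being xor'ed with a pad, which is what makes the written-out formula on slide 28 equal to HMAC. The last function shows the back-tracking drawback of slide 32 on the same code.

```python
"""Digest-PRNG Algorithm #1 from slides 27, 28 and 30, written out as an added
example (not code from the slides or from BSAFE). Choices the slides leave
open are made here: D() = SHA-1, Pad1/Pad2 = the HMAC opad/ipad bytes, and
the 256-bit S is zero-extended to 512 bits before it is xor'ed with a pad,
which is what makes the written-out formula on slide 28 equal to HMAC."""
import hashlib
import hmac

BLOCK = 64                      # 512-bit digest input block
PAD1 = bytes([0x5C]) * BLOCK    # assumed: HMAC opad, outer pass
PAD2 = bytes([0x36]) * BLOCK    # assumed: HMAC ipad, inner pass
STATE_BYTES = 32                # |S| = 256 bits, |S1| = |S2| = 128 bits
COUNTER_BYTES = 24              # |j| = 192 bits


def D(data: bytes) -> bytes:
    """The slides' D(): a full digest, SHA-1 here."""
    return hashlib.sha1(data).digest()


def xor_pad(state: bytes, pad: bytes) -> bytes:
    """S xor Pad with S zero-extended to the 512-bit pad length (assumption)."""
    return bytes(a ^ b for a, b in zip(state.ljust(BLOCK, b"\x00"), pad))


def update_state(state: bytes, seed: bytes) -> bytes:
    """Slide 30: S1 = D((S xor Pad1) || Xk), S2 = D((S xor Pad2) || Xk),
    each truncated to 128 bits."""
    s1 = D(xor_pad(state, PAD1) + seed)[:16]
    s2 = D(xor_pad(state, PAD2) + seed)[:16]
    return s1 + s2


def seed_reduce(seed: bytes) -> bytes:
    """Slide 27: initial seeding, which slide 30 notes is the update with S = 0."""
    return update_state(bytes(STATE_BYTES), seed)


def output_block(state: bytes, j: int) -> bytes:
    """Slide 28: Yj = HMAC(S, S || j), j as a 192-bit big-endian counter."""
    if not 0 <= j < 1 << (8 * COUNTER_BYTES):
        raise ValueError("counter j exhausted; reseed before continuing")
    return hmac.new(state, state + j.to_bytes(COUNTER_BYTES, "big"), hashlib.sha1).digest()


class DigestPrng1:
    """Add Initial Seed, Generate, Add New Seed: the operations on slide 17."""

    def __init__(self, seed: bytes):
        self.S = seed_reduce(seed)
        self.j = 0

    def generate(self, nbytes: int) -> bytes:
        out = bytearray()
        while len(out) < nbytes:
            out += output_block(self.S, self.j)
            self.j += 1                     # advance state is just j = j + 1
        return bytes(out[:nbytes])

    def add_seed(self, seed: bytes) -> None:
        self.S = update_state(self.S, seed)  # j is left running (slides do not say)


def backtrack(captured_state: bytes, captured_j: int, how_many: int) -> list:
    """Slide 32's drawback: S is constant between reseeds, so whoever captures
    (S, j) recomputes the previous how_many output blocks exactly."""
    start = max(0, captured_j - how_many)
    return [output_block(captured_state, i) for i in range(start, captured_j)]


if __name__ == "__main__":
    g = DigestPrng1(b"constructed seed material 0123456789abcdef")
    earlier = [g.generate(20) for _ in range(3)]     # three 160-bit blocks
    leaked_S, leaked_j = g.S, g.j                    # state compromise
    assert backtrack(leaked_S, leaked_j, 3) == earlier
    print("back-tracking recovered", len(earlier), "earlier blocks from (S, j)")
```

Because the only thing that changes between reseeds is the counter, the `backtrack` call is the entire attack: no inversion of any primitive is needed. A construction that hashes the state forward after each output (as slide 26 lists for Gutmann and Yarrow) would at least make the recovery of earlier blocks depend on inverting D.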

33 Proposed New Digest-PRNG Algorithm #2
- Being Developed by Jim Gray
- "Provable" Security Properties
- Based on Hash Compression Function Rather Than Full Digest Function
- Still Under Development

34 Possible Algorithm Families
- Digest
-> Block-Cipher
- Digest and Block-Cipher
- Stream-Cipher
- Modular Exponentiation

35 Block-Cipher Family PRNG
- X9.17
- Bellare, Rogaway, and Others
- Related to MAC Literature: Krawczyk, Davies, Meyer, and Others

36 Block-Cipher Family PRNG
- Seed Reduction Often Unspecified
  - Cipher-Based Digest (MDC2, Davies-Meyer, etc.)
- State = Key and Message-Block
- Output by Encrypting Part of State
  - Encrypt Single Block Counter
  - CBC-Residue of Large Counter (Micro-BSAFE)

37 Block-Cipher Family PRNG
- Advance Message-Block and/or Key by:
  - Adding Constant (Rogaway)
  - LFSR or LCG
  - Iterative Encryption (X9.17, Rogaway)
  - Append Counter (Rogaway)

38 Proposed Block-Cipher-PRNG Algorithm #1
- Based on Rogaway and Others
- Uses 64-bit Block Cipher With Keys Of At Least 128 Bits: IDEA, RC5, 3DES
- Can Generalize to AES Ciphers

39 Proposed Block-Cipher-PRNG Algorithm #1
Seed Reduction:
- H() = Davies-Meyer One-Way Hash
- K = H(Prefix1 || X) (the cipher key, at least 128 bits per slide 38)
- C = S = S1 || S2 = H(Prefix2 || X) (128 bits; | S1 | = | S2 | = 64 bits per slide 40)
- | Prefix1 | = | Prefix2 | = 64 Bits

40 Proposed Block-Cipher-PRNG Algorithm #1
Output Generation:
- Yj = CbcRes (GK, S)
- GK = H(K || j >> d) = Generation Key
  - "d" Sets the Key Change Rate, 0 < d < 20
- CbcRes = 64-bit CBC Residue
  - CbcRes (K, S1 || S2) = Enc (K, S2 xor Enc (K, S1))
- | S1 | = | S2 | = 64 Bits
- | j >> d | = 64 Bits

41 Proposed Block-Cipher-PRNG Algorithm #1
- Advance S State (LCG): S = S + C modulo P
  - P is a 128-Bit Prime
  - Take Care to Avoid Timing Attacks (the conditional subtraction in the reduction modulo P must not reveal whether it happened)
- Advance CbcRes Key State After 2^d Output Blocks: GK = H(K || j >> d), | j >> d | = 64 Bits

42 Proposed Block-Cipher-PRNG Algorithm #1
Update State With New Seed, Xk:
- H() = Davies-Meyer Hash
- K = H(Prefix1 || K || Xk)
- M = H(Prefix2 || M || Xk) (M is the message-block half of the state, called S on the preceding slides)

43 Benefits of Block-Cipher-PRNG Algorithm #1
- Large State Avoids 3DES Key Problem
- State Cycle Length of P (~2^128) Blocks
  - Output Cycle May Be Same
- A Bit Faster Than Digest Algorithms
- Some Literature (Rogaway, Bellare, Davies)

44 Drawbacks of Block-Cipher-PRNG Algorithm #1
- No Protection Against Back Tracking
- New Algorithm, No Direct Literature
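Block-Cipher-PRNG Algorithm #1 from slides 38 through 42, written out as an added example rather than code from the slides. Everything the slides leave open is an assumption made here: the 64-bit block cipher is XTEA with a 128-bit key instead of IDEA, RC5 or 3DES; H() is two Davies-Meyer chains with distinct IVs, concatenated to reach 128 bits (slide 36's MDC-2 would be the conventional double-width choice); Prefix1, Prefix2, the prime P and the rate parameter d are picked for the demonstration. The modular step is written as a branch-free select to show the shape of the fix slide 41's timing caveat asks for, and the last function shows why slide 44 lists no protection against back-tracking.

```python
"""Block-Cipher-PRNG Algorithm #1 (slides 38-42) written out as an added
example. Assumptions the slides leave open: Enc is XTEA (64-bit block, 128-bit
key) rather than IDEA/RC5/3DES; H() is two Davies-Meyer chains with distinct
IVs, concatenated for 128 bits (slide 36's MDC-2 is the conventional
double-width choice); Prefix1, Prefix2, P and d are picked here."""
import struct

MASK32 = 0xFFFFFFFF
MASK128 = (1 << 128) - 1
PREFIX1 = b"\x01" * 8                 # assumed 64-bit prefixes (slide 39)
PREFIX2 = b"\x02" * 8
P = (1 << 128) - 159                  # assumed 128-bit prime (largest below 2^128)
D_SHIFT = 8                           # "d": new GK every 2^d blocks, 0 < d < 20


def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Enc(k, m): XTEA, standing in for the slides' 64-bit block cipher."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s, delta = 0, 0x9E3779B9
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + delta) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def davies_meyer(msg: bytes, iv: bytes) -> bytes:
    """One Davies-Meyer chain: h = Enc(m_i, h) xor h over key-sized (16-byte)
    message blocks, zero padded and followed by a length block."""
    n = len(msg)
    msg += b"\x00" * (-n % 16) + struct.pack(">Q", n).rjust(16, b"\x00")
    h = iv
    for i in range(0, len(msg), 16):
        e = xtea_encrypt(msg[i:i + 16], h)
        h = bytes(a ^ b for a, b in zip(e, h))
    return h


def H(msg: bytes) -> bytes:
    """Slide 39's H(): 128 bits from two chains with different IVs (assumption)."""
    return davies_meyer(msg, b"\x00" * 8) + davies_meyer(msg, b"\xff" * 8)


def cbc_res(key: bytes, s: bytes) -> bytes:
    """Slide 40: CbcRes(K, S1 || S2) = Enc(K, S2 xor Enc(K, S1)), 64-bit halves."""
    e1 = xtea_encrypt(key, s[:8])
    return xtea_encrypt(key, bytes(a ^ b for a, b in zip(s[8:], e1)))


def add_mod_p(s: int, c: int) -> int:
    """S = S + C mod P for s, c < P, selecting the reduced value without the
    'if t >= P: t -= P' branch that slide 41's timing caveat is about. Python's
    big integers are not constant-time, so this only shows the shape."""
    t = s + c
    r = t - P
    keep_t = -((r >> 129) & 1) & MASK128      # all ones iff r < 0, i.e. t < P
    return (t & keep_t) | (r & ~keep_t & MASK128)


class BlockCipherPrng1:
    def __init__(self, seed: bytes):
        self.K = H(PREFIX1 + seed)                  # slide 39: K = H(Prefix1 || X)
        self.S = H(PREFIX2 + seed)                  # C = S = S1 || S2 = H(Prefix2 || X)
        self.C = int.from_bytes(self.S, "big") % P
        self.j = 0

    def gen_key(self, j: int) -> bytes:
        """GK = H(K || j >> d) with j >> d as 64 bits; constant for 2^d blocks."""
        return H(self.K + ((j >> D_SHIFT) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big"))

    def next_block(self) -> bytes:
        """One 64-bit Yj = CbcRes(GK, S), then S = S + C mod P and j = j + 1."""
        y = cbc_res(self.gen_key(self.j), self.S)
        s = add_mod_p(int.from_bytes(self.S, "big") % P, self.C)
        self.S = s.to_bytes(16, "big")
        self.j += 1
        return y

    def add_seed(self, seed: bytes) -> None:
        """Slide 42: K = H(Prefix1 || K || Xk), M = H(Prefix2 || M || Xk)."""
        self.K = H(PREFIX1 + self.K + seed)
        self.S = H(PREFIX2 + self.S + seed)


def backtrack_state(s: bytes, c: int) -> bytes:
    """Slide 44: the LCG step inverts as S_prev = S - C mod P, so a captured
    (K, S, C, j) reproduces earlier output blocks too."""
    return ((int.from_bytes(s, "big") - c) % P).to_bytes(16, "big")


if __name__ == "__main__":
    g = BlockCipherPrng1(b"constructed seed material")
    print([g.next_block().hex() for _ in range(3)])
```

The key schedule is the one knob the slides give: GK changes only every 2^d blocks, so within a window every Yj is a CBC-MAC under one key of a state that advances by a known constant. Because K is never advanced and the state step is invertible, the compromise of one snapshot hands over the whole past and future stream until the next add_seed.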

45 Possible Algorithm Families
- Digest
- Block-Ciphers
-> Digest and Block-Cipher (Overview Only)
- Stream-Ciphers
- Modular Exponentiation

46 Digest and Block-Cipher PRNG Family
- Seed Reduction Using Digest
- Output by Encrypting Part of State
  - Encrypt Single Block Counter
  - CBC-Residue of Large Counter (Micro-BSAFE)

47 Digest and Block Cipher PRNG Family
- Advance State and/or Key by:
  - Adding Constant (Rogaway)
  - LFSR or LCG
  - Iterative Encryption (X9.17)
  - Iterative Hashing

48 Possible Algorithm Families
- Digest
- Block Ciphers
- Digest and Block
-> Stream Ciphers (Overview Only)
- Modular Exponentiation

49 Stream Cipher PRNG Family
- Seed Reduction Using ???
- Output: Key Stream of the Cipher (RC4, PIKE, SEAL, VESTA, A5)
- Advance State: Running the Stream Cipher

50 Possible Algorithm Families
- Digest
- Block Ciphers
- Digest and Block
- Stream Ciphers
-> Modular Exponentiation (Overview Only)

51 Modular Exponentiation PRNG Family
- Seed Reduction Using ???
- Output by: Output Function of Value (Parity, LSB, O(log log n) Bits, etc.)
- Advance State: Iterate Exponentiation
- Literature for BBS (Blum-Blum-Shub), ACGS (Alexi-Chor-Goldreich-Schnorr), and BM (Blum-Micali)
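Blum-Blum-Shub, the first generator slide 51 cites, written out as an added example of this family (not code from the slides): the state advances by squaring modulo N, and the output function keeps one or a few low-order bits of each state. The parameters in the demonstration (p = 11, q = 23, x0 = 3) are constructed toy values chosen so the trace can be checked by hand; a real instance needs RSA-sized primes that are discarded or kept secret once N is formed, and the seed reduction that slide 51 leaves as "???" is left open here too (the seed is taken as an integer).

```python
"""Blum-Blum-Shub (BBS), the first generator slide 51 cites, written out as an
added example of the modular exponentiation family: the state advances by
squaring mod N and the output function keeps a few low-order bits. The demo
parameters are toy-sized so the trace can be followed by hand; a real
instance needs RSA-sized primes p and q, discarded or kept secret once N is
formed."""
from math import gcd


def bbs_setup(p: int, q: int, x0: int) -> tuple:
    """Check the BBS preconditions (primality of p and q is assumed, not tested):
    p = q = 3 (mod 4), so that squaring permutes the quadratic residues mod N,
    and a seed coprime to N = p*q. Returns (N, x1) with x1 = x0^2 mod N."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(x0, n) != 1:
        raise ValueError("seed x0 must be coprime to N")
    return n, pow(x0, 2, n)


def bbs_states(p: int, q: int, x0: int, count: int) -> list:
    """The internal state sequence x1, x2, ... (never exposed by a real PRNG;
    returned here so the output function below can be checked against it)."""
    n, x = bbs_setup(p, q, x0)
    states = []
    for _ in range(count):
        states.append(x)
        x = pow(x, 2, n)                     # advance state: iterate exponentiation
    return states


def bbs_bits(p: int, q: int, x0: int, count: int, bits_per_step: int = 1) -> list:
    """Return `count` output bits, taking the bits_per_step low-order bits of
    each state (most significant of them first). bits_per_step = 1 is the
    classic LSB/parity output of slide 51; the BBS and ACGS literature it
    cites justifies taking O(log log N) bits per squaring."""
    n, x = bbs_setup(p, q, x0)
    out = []
    while len(out) < count:
        for b in range(bits_per_step - 1, -1, -1):
            out.append((x >> b) & 1)
        x = pow(x, 2, n)
    return out[:count]


if __name__ == "__main__":
    # Constructed toy parameters: p = 11, q = 23 (both 3 mod 4), N = 253, x0 = 3.
    print(bbs_states(11, 23, 3, 6))          # [9, 81, 236, 36, 31, 202]
    print(bbs_bits(11, 23, 3, 6))            # [1, 1, 0, 0, 1, 0]
```

The two checks in `bbs_setup` are the ones that matter for the cycle-length criterion on slide 13: with p and q both 3 mod 4 squaring is a permutation on the quadratic residues, and a seed sharing a factor with N would collapse the state into a tiny subgroup.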

52 Outline
- Motivation, Purpose and Scope
- Criteria and Requirements
- Algorithm Families: Digest, Block Cipher, Both, Stream Cipher, Modular-Exponentiation
-> Discussion of Criteria & Families

53 Discussion of Criteria
- Is Documenting BSAFE Enough?
- Are Cipher-Based PRNGs Needed?
- Is Patent-Free Required? For the PRNG Construct and/or the Primitive?
- Is Re-Seeding Needed?
- Can Digest Function Internals Be Used?

