Slides - School of Computer Science and Engineering

Download Report

Transcript Slides - School of Computer Science and Engineering 

Pseudo-Random-Number-Generators
Security Perspective
Zvi Gutterman
[email protected]
Outline

Motivation

Who needs random numbers?

Requirements
 Numerical generators
 Physical generators
 Examples



Java Object.toString( )
Attacking the Apache Servlet engine
Join us (projects) !
2
Motivation

Numerical Algorithms
 Simulations
 “Monte-Carlo” Methods
example:

Calculating
using
Monte-Carlo simulations
3
Motivation (cont.)

Security

Example: One-Time Pad
Truly Random?
Alice and Bob meet once, and set a one-time pad K.
Alice encrypt plaintext P with K (using xor) and sends the
cipher text C to Bob.
To decrypt P, Bob xor K with C.

Perfect encryption! (Pad used once, same length as P)




As old as Computer-Science ..
Turing, Von-Neumann
4
Requirements

Utopia

True random generators
• Hard to find
• Hard to proof
• Complex implementation

Reality

Pseudo random number generators
• Sequence appears random
“Any one who consider arithmetical methods of producing random digits is,
of course, in a state of sin.”
John von Neumann [1951]
5
Requirements – PRNG
 Statistical


Uniform distribution
… (e.g., number of ‘0’ equals number of ‘1’)
 Non

tests
predictable
Long Period
 Fast
computing
 Low memory consumption
6
Numeric Generators

Linear Congruential Generator (LCG)
Xn+1 = (Xn * a + b) mod m
Where –
[ Lehmer, 1949 ]
Xn – current number [x0 – seed]
Xn+1 – next number
a - multiplier
b - increment
m – modulus
7
LCG
 Used
in -

rand() function in C / C++ (libc)
Java.util.Random

..

 The
period is at most m
 Knuth [TAOCP] study the LCG period
8
LCG – Prediction Algorithm

Boyar [1982] algorithm





Input: Xn-k, …, X0
Output: a,b,m
Complexity: Log2m iterations
Assumes generator corrections during iterations
Krawczyk [1992]
extended for generators of the form:


Xn = P(Xi-n, … ,Xi-1) (mod m)
P – polynomial of fixed degree in n variables.
9
BBS – Blum, Blum, Shub
 p,q
- large prime numbers, congruent to 3
modulo 4.
 m = p*q
 k – relatively prime to m
 Set: X0 = k2 mod m [x0 – seed]
 Xn+1 = Xn2 mod m
 least-significant-bit(Xn+1) is the ith pseudorandom-bit
10
Blum-Blum-Shub Properties
 Cryptographically



strong !
As long as the factoring problem remains
hard, the (n+1)-th bit is not predictable.
This is true even if n is published (As long as
Xn are kept secret)
Slow ..
11
Other PRNGS
MT – Mersenne Twister
(cycle = 219937-1)
 ANSI X9.17


Based on triple-DES




Capstone/Fortezza
DSA (Digital Signature Specification)
Yarrow-160
Fortuna

And many others
12
Physical (True?) RNG

Radioactive decay
 Air Turbulence in disk drives
 Lava lamp
e.g., http://www.lavarnd.org

http://www.random.org
 Intel i8xx chipset
13
Example – Java Object.toString()
public String toString() {
return
getClass().getName() +
"@“ +
Integer.toHexString(hashCode( ));
}
 Example:
java.lang.Object@3179c3
14
Java Object.hashCode( )

From the JavaDoc:
• “As much as is reasonably practical, the
hashCode method defined by class Object
does return distinct integers for distinct
objects. (This is typically implemented by
converting the internal address of the
object into an integer, but this
implementation technique is not required by
the JavaTM programming language.)”
15
hashCode( ) implementation ..
















void os::init_random(long initval) {
_rand_seed = initval;
}
long os::random() {
/* standard, well-known linear congruential random generator with
* next_rand = (16807*seed) mod (2**31-1)
* see
* (1) "Random Number Generators: Good Ones Are Hard to Find",
*
S.K. Park and K.W. Miller, Communications of the ACM 31:10 (Oct 1988),
* (2) "Two Fast Implementations of the 'Minimal Standard' Random
* Number Generator", David G. Carta, Comm. ACM 33, 1 (Jan 1990), pp. 87-88.
*/
const long a = 16807;
const long m = 2147483647;
const long q = m / a;
assert(q == 127773, "weird math");
const long r = m % a;
assert(r == 2836, "weird math");
next_rand = (16807*seed) mod (2**31-1)
// compute az=2^31p+q
unsigned long lo = a * (long)(_rand_seed & 0xFFFF);
unsigned long hi = a * (long)((unsigned long)_rand_seed >> 16);
lo += (hi & 0x7FFF) << 16;




// if q overflowed, ignore the overflow and increment q
if (lo > m) {
lo &= m;
++lo;
}
lo += hi >> 15;






// if (p+q) overflowed, ignore the overflow and increment (p+q)
if (lo > m) {
lo &= m;
++lo;
}
return (_rand_seed = lo);







}
16
Object.toString( )
 Actually:
getClass().getName() +
"@“ +
Integer.toHexString(

LCG
);
We need to “guess” the object order of calling toString( )
17
toString & hashCode remarks
 PRNG
used in many protocols & systems
 Documentation may mislead
 Reverse-engineering is important
 Can
be used for fingerprinting?
18
Example - HTTP 1.1
 Defined
in RFC 2068
 Main e-commerce protocol today
 Stateless !

But we need a state …
19
HTTP Server side
PHP
CGI
Java
HTTP
SOAP
ASP
20
21
HTTP
cookie
demo
National
car rental
22
Attack motivation
 Can
I get someone else profile in
Amazon?
 Can I use the Amazon one-click option to
order books for you?
 Can I change your car reservation?
23
Java Servlets
 JCP:



Servlet 2.4
released 24 November, 2003
Java Session Framework
Must use: jsessionid as parameter (url or
cookie)
 Implementation

Apache Tomcat (25% market share, Apr2003)
• J2EE 1.4 recommendation + Bundled in the SDK!

Commercial
• Resin, IBM WebSphere, Oracle
24
Catalina
 Java Apache
web server = Tomcat
 Tomcat Servlet Engine = Catalina
 Version 5.0.xx (November 2003)
25
Tomcat – Brute Force
 Session

id – 16 Bytes
16 bytes = 128 bit
 Brute-force


attack
2128 options
Very, very long
• 1022 CPU years ..
26
Tomcat SessionID Attack
 Open


source …
Good
And Bad ..
27
Catalina – new SessionID
1.
2.
3.
128 bits = RandomEngine.Get next
random bits
Hash bits = MD5 (Bits)
Sessionid = Bits  Ascii representation
28
Catalina Algorithm
 Seed




C = current time in milliseconds (64 bit)
Ent = Entropy (default: toString() of
org.apache.catalina.StandardManager)
Seed = f(C,Ent)
Random.setSeed(Seed)
 Or

Initialization
–
Open /dev/urandom if exists
29
Catalina Attack
 Get
valid session ID
 reverse ASCII back to bit
representation
 Check
session id against all possible
seeds
 A <240
attack when assuming the server
uptime is at most one year
30
Catalina Attack - Remarks
 Once
broken we can get all valid sessionid immediately!
 The server do not know about it !!
 The attack is valid until the next reset
 This is a non targeted attack
31
Additional
Security Steps ..
32
Projects & Research

Attacking existing PRNG based schemes. examples:




HTTP Servers – PHP, Apache, ASP
Linux kernel based PRNG
SSL (?)
..

Building better theoretical understandings

Preliminary reading list:
http://www.cs.huji.ac.il/~zvikag

Contact: [email protected]
33