Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

Post on 04-Jan-2016

Page 1: Attacks on PRNGs - By Nupura Neurgaonkar CS-265 (Prof. Mark Stamp)

Attacks on PRNGs

- By Nupura Neurgaonkar, CS-265 (Prof. Mark Stamp)

Page 2:

What is a Pseudo Random Number Generator (PRNG)?

It is a mechanism for generating random numbers on a computer that are indistinguishable from truly random numbers.

Many applications don’t have a source of truly random bits; instead they use PRNGs to generate these numbers.

They are called pseudo random because it is not possible to generate truly random numbers from a deterministic device like a computer.

Page 3:

Why Study PRNGs?

They are used everywhere in cryptography. Random numbers are used in session keys, public key generation, initialization vectors and many other places.

The PRNG is a single point of failure for many real-world cryptosystems. If the random numbers are insecure, then the entire application is insecure.

Many systems use badly-designed PRNGs, or use them in ways that make various attacks easier than they need to be.

Page 4:

Characteristics of good PRNGs?

Should generate on average as many 1’s as 0’s. (Example: 01111110 01101001)

Should be random enough to hide patterns and correlation. (Counterexample: 10101010)

Should have a large period. (Example: 01101001 11001010 00011000 01101001)

Should not produce preferred strings. (Example: 11001100)

Knowledge of some outputs should not help predict past or future outputs.

Page 5:

PRNG Model

Collect: Collect unpredictable inputs. The inputs are collected in a “seed pool”.

State (secret state): After collecting sufficient seed data, move to a stable state.

Generate: Generate random outputs by performing various operations on the seed data.

Page 6:

RSA PRNG

To generate a bit stream of size l:

Choose two prime numbers p = 11 and q = 19 (n = p*q = 209).

m = (p-1)(q-1) (m = 180).

Choose e such that gcd(e, m) is 1 (e = 7).

Select X0 (seed) such that 1 < X0 < n (let X0 = 72).

For i = 1 to l do:
  Xi = (Xi-1)^e mod n
  Zi = least significant bit of Xi

X1 = 72^7 mod 209 = 184, Z1 = 0
X2 = 200, Z2 = 0
X3 = 205, Z3 = 1

Output bit stream: 00110110…………
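The generator on this slide as runnable code, added here as an example rather than taken from the slides; it uses the slide's own parameters (p, q, e, X0) and adds two checks for the characteristics from slide 4, bit balance and period, under function names of my choosing.

```python
# Added example: the RSA PRNG from slide 6 (X_i = X_{i-1}^e mod n, Z_i = LSB of X_i)
# with the slide's parameters, plus bit-balance and period checks from slide 4.
from math import gcd


def rsa_prng(p: int, q: int, e: int, x0: int, length: int):
    """Return (states, bits): the X_i values and the output bits Z_i."""
    n = p * q
    m = (p - 1) * (q - 1)
    if gcd(e, m) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    if not 1 < x0 < n:
        raise ValueError("seed must satisfy 1 < X0 < n")
    states, bits = [], []
    x = x0
    for _ in range(length):
        x = pow(x, e, n)      # X_i = (X_{i-1})^e mod n
        states.append(x)
        bits.append(x & 1)    # Z_i = least significant bit of X_i
    return states, bits


def bit_balance(bits):
    """Fraction of ones; slide 4 asks for this to be close to 0.5 on average."""
    return sum(bits) / len(bits)


def state_period(p: int, q: int, e: int, x0: int) -> int:
    """Number of steps before the internal state repeats.
    With toy parameters this is tiny; once the state cycles, the output
    stream repeats exactly, which is why slide 4 asks for a large period."""
    n = p * q
    seen = {}
    x, i = x0, 0
    while x not in seen:
        seen[x] = i
        x = pow(x, e, n)
        i += 1
    return i - seen[x]


if __name__ == "__main__":
    states, bits = rsa_prng(11, 19, 7, 72, 8)
    print("X:", states)                       # starts 184, 200, 205, ...
    print("Z:", "".join(map(str, bits)))
    print("fraction of ones:", bit_balance(bits))
    print("state period:", state_period(11, 19, 7, 72))
```

Computed directly, X8 = 105, so the eighth output bit is 1 rather than the 0 shown on the slide; the first seven bits, 0011011, match.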

Page 7:

Classes of Attacks on PRNGs

Direct Attack:

When the attacker can directly distinguish between PRNG numbers and random numbers (cryptanalyze the PRNG).

Input Based Attack:

When the attacker is able to use knowledge of PRNG inputs to cryptanalyze the PRNG.

State Compromise Extension Attacks:

When the attacker can guess some information due to an earlier breach of security.

Page 8:

Direct Attacks

When the attacker can directly cryptanalyze the PRNG.

Applicable to most PRNGs.

They occur when outputs are predictable, biased, or have definite patterns and correlations.

Not applicable when the attacker is not able to directly see the output of the PRNG.

E.g.: a PRNG used to generate triple-DES keys. Here the output of the PRNG is never directly seen by an attacker.

Page 9:

Input Based Attacks

Also called exhaustive seed search attacks.

The attacker uses knowledge of the inputs to cryptanalyze the PRNG output.

The attacker finds out the seed bytes that initialized the generator.

The attacker can supply the same input again and again to repeat the same output forever.

There are many poor sources for seed material, such as clock values and network statistics.

Page 10:

State Compromise Attacks

The attacker tries to guess the internal state of the generator. The design criterion is to make the internal state of the PRNG large enough to make exhaustive state search impractical.

Backtracking attacks: Use the compromise of PRNG state S to learn about all previous PRNG outputs.

Permanent compromise attack: Once S has been compromised, all future and past outputs of the PRNG are vulnerable.

Iterative guessing attacks: Use the knowledge of state S that was compromised at time t and the intervening PRNG outputs to guess the state S’ at time t+Δ.

Page 11:

Netscape’s Implementation of SSL

SSL protects communications by encrypting messages with a secret key: a large, random number known only to the sender and receiver. (Key size 40 bits)

Netscape 1.1 uses the MD5 algorithm, which will presumably be known to any adversary.

The seed generated depends only on the values of three quantities: the time of day, the process ID, and the parent process ID.

An attacker can easily discover the pid and ppid values using the ps command.

All that remains is to guess the time of day. Most popular Ethernet sniffing tools (including tcpdump) record the precise time they see each packet. Using the output from such a program, the attacker can guess the time of day on the system running the Netscape browser to within a second.

It was attacked in 30 hours using spare CPU cycles from many machines.

Page 12:

Conclusions

Random numbers are the basis for many cryptographic applications.

Attacks on many cryptographic applications are possible by attacks on PRNGs.

There is no reliable “independent” function to generate random numbers.

Present-day computers can only approximate random numbers, using pseudo-random numbers generated by Pseudo Random Number Generators.

Page 13:

Questions??