Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux RNG May Be Insecure After All

Posted by Unknown on from the proofs-ahead dept.

Okian Warrior writes "As a followup to Linus's opinion about people skeptical of the Linux random number generator, a new paper analyzes the robustness of /dev/urandom and /dev/random . From the paper: 'From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.'" Of course, you might not even be able to trust hardware RNGs. Rather than simply proving that the Linux PRNGs are not robust thanks to their run-time entropy estimator, the authors provide a new property for proving the robustness of the entropy accumulation stage of a PRNG, and offer an alternative PRNG model and proof that is both robust and more efficient than the current Linux PRNGs.

32 of 240 comments (clear)

  1. Dilbert RNG by johnsnails · · Score: 5, Funny

    http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/00000/2000/300/2318/2318.strip.gif

    1. Re:Dilbert RNG by The+MAZZTer · · Score: 4, Funny

      http://xkcd.com/221/

    2. Re:Dilbert RNG by AlphaWoIf_HK · · Score: 5, Funny

      I didn't even click on the link and knew it was some fag linking xkcd.

      Well, it is a link that leads to xkcd.com, so it's not exactly difficult to figure out that that's where the link leads.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    3. Re:Dilbert RNG by gandhi_2 · · Score: 5, Funny

      http://www.penny-arcade.com/comic/2004/03/19

      --
      THL phish sticks
    4. Re:Dilbert RNG by jmhobrien · · Score: 5, Insightful

      I think you need to re-assess your attitude. Perhaps some people have not seen those links? Did you consider the possibility that the comment was not for you? Like rhetorical questions?

      Lighten up or Fuck off. You are taking this way too seriously.

      --
      Where is moderation: -1 False?
  2. Dupe! by VanessaE · · Score: 5, Funny

    .....wait! it's not what you think.

    "a new paper analyzes the robustness of /dev/urandom and /dev/urandom."

    So now we're putting the dupes together into the same summary? Jeez, can't we at least wait a few hours first?

  3. At what scope of time or size of output data? by fishnuts · · Score: 4, Insightful

    At what scope/scale of time or range of values does it really matter if a PRNG is robust?
    A PRNG seeded by a computer's interrupt count, process activity, and sampled I/O traffic (such as audio input, fan speed sensors, keyboard/mouse input, which I believe is a common seeding method) is determined to be sufficiently robust if only polled once a second, or for only 8 bits of resolution, exactly how much less robust does it get if you poll the PRNG say, 1 million times per second, or in a tight loop? Does it get more or less robust when the PRNG is asked for a larger or smaller bit field?

    Unless I'm mistaken, the point is moot when the only cost of having a sufficiently robust PRNG is to wait for more entropy to be provided by its seeds or to use a larger modulus for its output, both rather trivial in the practical world of computing.

    1. Re:At what scope of time or size of output data? by jythie · · Score: 4, Insightful

      The headline is somewhat sensational. There is a pretty wide gulf between an abstract and rather arbitrary metric and a practical vulnerability. This is kinda the security equivalent of pixel peeping, a fun mathematical exercise at best and pissing contest at worst, but ultimately not all that important.

    2. Re:At what scope of time or size of output data? by Anonymous Coward · · Score: 5, Interesting

      First of all, not all computers are PCs. A server running in a VM has no audio input, fan speed, keyboard, mouse, or other similar devices that are good sources of entropy. A household router appliance running Linux not only has no audio input, fan, keyboard, or mouse -- it doesn't even have a clock it can use as a last resort source of entropy.

      Second, there are many services that require entropy during system startup. At that point, there are very few interrupts, no mouse or keyboard input yet, and some of the sources of entropy may even be initialized yet.

      One problematic situation is a initializing a household router. On startup it needs to generate random keys for its encryption, TCP sequence numbers, and so on. Without a clock, a disk, a fan, or any peripherals, the only good source of entropy it has is network traffic, and there hasn't been any yet. A router with very little traffic on its network may take ages to get enough packets to make a decent amount of entropy.

      dom

    3. Re:At what scope of time or size of output data? by steelfood · · Score: 5, Interesting

      Useless for you. But the NSA might disagree. The math is what keeps them at bay. If the math shows cracks, it'd be certain that the NSA has figured out some kind of exploit. Keep in mind that the NSA doesn't rely on just one technique, but can aggregate multiple data sources. So those interrupts that the RNG relies on can be tracked, and the number that results can be narrowed to a searchable space. Keep in mind that 2^32, which is big by any human standard, is minuscule for a GPU.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    4. Re:At what scope of time or size of output data? by jhol13 · · Score: 5, Insightful

      Your attitude is exactly what is wrong with security. Quite a few still use MD5 because "it is not that broken". Linus really should take a look in this new provably better method and adapt it ASAP and not wait until it bites hard.

    5. Re:At what scope of time or size of output data? by FireFury03 · · Score: 4, Insightful

      It probably has a radio with signals of varying strengths and packet losses.

      This is true. Although I suspect a lot of the time the CPU isn't going to get to see a lot of that stuff (although with most wireless chipsets being softmac devices, maybe it does?)

      It also probably has a multitude of routed, nonrouted, and broadcast packets on its various network interfaces.

      In a dark-start situation (coming up from a wide area power outage), possibly not. Imagine an ADSL router whereby all the clients are connected via wireless. The clients can't talk to the router until it has managed to initialise the wireless encryption subsystems, which requires entropy. Even on a wired network, you may well only see a few DHCP requests from workstations. Obviously rebooting a router onto a large active network is different to rebooting the entire network at the same time, as would happen in a power outage.

      And on top of that, it's connected to a global network of nodes with varying packet delivery times, and where at any time it can ask for a multitude of continuously changing and a least partially stochastic metrics (e.g. exchange rates, 4th word of news headlines, youtube +1 counts, etc, etc).

      A global network that it may well be unable to access until it has enough entropy to make a cryptographic handshake with the upstream peer.

      --
      http://blog.nexusuk.org
    6. Re:At what scope of time or size of output data? by Rockoon · · Score: 4, Insightful

      Its trivial to show that typical PRNG's are frequently not good enough for the monte-carlo simulations and testing that they are thrown at. An N-bit PRNG can only produce at most half of all N+1 bit sequences, a quarter of all N+2 bit sequences, an eighth of all N+3 bit sequences, and so on....

      Given this, obviously the larger N is, the better. Of course most standard libraries use a 32-bit (or less) generator and most programmers are lazy or uneducated in the matter... so only half of all 8-billion to one shots are even possible with that 32-bit generator and then each can only be sampled if the generator just happens to be in the perfect 4-billion to one shot state....

      As the saying goes...Random numbers are too important to be left to chance.

      --
      "His name was James Damore."
  4. Yawn by Anonymous Coward · · Score: 5, Interesting

    The output of a software RNG, aka PRNG (pseudo random number generator), is completely determined by a seed. In other words, to a computer (or an attacker), what looks like a random sequence of numbers is no more random than, let's say,

    (2002, 2004, 2006, 2008, 2010, 2012...)

    However, the PRNG sequence is often sufficiently hashed up for many applications such as Monte Carlo simulations.

    When it comes to secure applications such as cryptography and Internet gambling, things are different. Now a single SRNG sequence is pathetically vulnerable and one needs to combine multiple SRNG sequences, using seeds that are somehow independently produced, to provide a combined stream that hopefully has acceptable security. But using COTS PC or phone doesn't allow developers to create an arbitary stream of independent RNG seeds, so various latency tricks are used. In general, these tricks can be defeated by sufficient research, so often a secure service relies partly on "security through obscurity", i.e. not revealing the precise techniques for generating the seeds.

    This is hardly news. For real security you need specialized hardware devices.

    1. Re:Yawn by Anonymous Coward · · Score: 4, Informative

      "For real security you need specialized hardware devices."

      Indeed. And it's worth considering that the Raspberry Pi has a Hardware RNG built in. Also, the tools to make it functional are in the latest updates to Raspian...

      Did I mention that an RPi B is actually cheaper than the least expensive HWRNG-device (the Simtec Entropy Key - which is waaaayyyy backordered at the moment) - and about three times faster?

  5. Hear me out: Locally Generated Entropy Pool by Anonymous Coward · · Score: 4, Interesting

    So, with all the 'revelations' and discussion surrounding this and encryption over the past several weeks, I've been wondering if a local hardware based entropy solution could be developed. By 'solution', I mean an actual piece of hardware that takes various static noise from your immediate area, ranging from 0-40+kHz( or into MHz or greater?), both internal and external to case, and with that noise builds a pool for what we use as /dev/random and /dev/urandom. Perhaps each user would decide what frequencies to use, with varying degrees of percentage to the pool, etc.. etc...

    It just seems that with so much 'noise' going on around us in our everyday environments, that we have an oppurtunity to use some of that as an entropy source. Is anyone doing this, cause it seems like a fairly obvious implementation.

  6. Incorrect and irresponsible headline by Anonymous Coward · · Score: 5, Interesting

    I swear, if I worked for the NSA I'd be pushing out headlines like this to make people ignore real security issues...

    The article is a highly academic piece that analyzes the security of the linux rng against a bizarre and probably pointless criteria: What is an attacker's ability to predict the future output of the RNG assuming he knows the entire state of your memory at arbitrary attacker selected points in time and can add inputs to the RNG. Their analysis that the linux rng is insecure under this (rather contrived) model rests on an _incorrect_ assumption that Linux stops adding to the entropy pool when the estimator concludes that the entropy pool is full. Instead they offer the laughable suggestion of using AES in counter mode as a "provably secure" alternative.

    (presumably they couldn't get a paper published that said "don't stop adding entropy just because you think the pool is at maximum entropy", either because it was too obviously good a solution or because their reviewers might have noticed that Linux already did that)

    1. Re:Incorrect and irresponsible headline by FrangoAssado · · Score: 5, Informative

      Their analysis that the linux rng is insecure under this (rather contrived) model rests on an _incorrect_ assumption that Linux stops adding to the entropy pool when the estimator concludes that the entropy pool is full.

      Exactly. The maintainer of the /dev/random driver explained this and a lot more about this paper here.

  7. Whatever happened to by mark_reh · · Score: 4, Interesting

    zener diodes biased into avalanche mode to generate random noise? I don't think even the NSA has figured out how to hack laws of thermodynamics.

    1. Re:Whatever happened to by mark_reh · · Score: 4, Insightful

      avalanche diodes conduct bursts of current at random times. A true random number generator simply measures time between those bursts of current then scales that value to whatever numerical range you need.

      You can also time the clicks produced by a geiger-mueller tube detecting beta radiation from a radioactive source, but that requires a lot more difficult-to-integrate hardware.

      Even if you base the final random number on a truly random source you have to ensure that the scaling routine doesn't introduce any sort of bias into the final value. THAT is the tricky part.

    2. Re:Whatever happened to by gman003 · · Score: 4, Interesting

      Well, Intel and VIA have such things integrated into their processors now. Unfortunately, they (at least Intel - not sure how VIA's implementation worked) decided to whiten the data in firmware - you run a certain instruction that gives you a "random" number, instead of just polling the diode. With all the current furor over the NSA stuff, many people are claiming that it *is* hacked.

  8. many times a day he says Linux needs changes by raymorris · · Score: 5, Informative

    Linus signs off on many changes everyday. He does expect you to read the code before trying to change it. That was the problem before - someone put up a change.org petition that made clear they had no idea how it worked.

  9. This is only for recovery after state compromise by gweihir · · Score: 4, Informative

    If the CPRNG state is not compromised, the Linux random generators are secure. In fact the property required for robustness is quite strong: Recovery from compromise even if entropy is only added slowly. For example, the OpenSSL generator also does not fulfill the property. Fortuna does, as it is explicitly designed for this scenario.

    I also have to say that the paper is not well-written as the authors seem to believe the more complicated formalism used the better. This may also explain why there is no analysis of the practical impact: The authors seem to not understand what "practical" means and why it is important.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Re:Random number generators are hard by WaywardGeek · · Score: 5, Interesting

    No, RNGs are easy. Super easy. Just take a trustworthy source of noise, such as zener diode noise, and accumulate it with XOR operations. I built a 1/2 megabyte/second RNG that exposed a flaw in the Diehard RNG test suite. All it took was a 40 MHz 8-bit A/D conversion of amplified zener noise XORed into an 8-bit circular shift register . The Diehard tests took 10 megabytes and said if it found a problem. My data passed several times, so I ran it thousands of times, and found one test sometimes failed on my RNG data. Turns out the Diehard tests had a bug in that code. Sometimes the problem turns out to be in the test, not the hardware.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell
  11. Re: Random number generators are hard by Anonymous Coward · · Score: 4, Informative

    Not all Linux systems use the GNU userspace.

  12. Ted Ts'o on Schneier.com by Mister+Liberty · · Score: 5, Informative

    has some thoughts on the study and the subject:
    https://www.schneier.com/blog/archives/2013/10/insecurities_in.html

  13. Re: Random number generators are hard by Anonymous Coward · · Score: 5, Insightful

    No, RNGs are easy. Super easy. Just take a trustworthy source of noise

    Therein lies the tricky part. Getting a trustworthy source of noise is harder than you may think. Especially when you're writing software with no control over the hardware it runs on.

  14. Re:Random number generators are hard by Anonymous Coward · · Score: 4, Informative

    Good for you. That is still not a viable solution for generating cryptographic keys, IVs, salts, and so on. Two drawbacks with your idea:

    1. Too slow. You need far more random data than a zener diode can generate. You could combine many of them, but then you need to combine them in the right way.

    2. Unreliable. Zener diodes are easy to affect with temperature, and you need to make sure that hardware flaws don't make them produce 1 more often than 0 (or the other way around).

    This is why we need software RNGs. We take a good hardware-based seed from multiple sources (combined using SHA256 or something), and then use that to seed the CSPRNG (not just a PRNG). The CSPRNG then generates a very long stream of secure random data which can then be used.

    I'm not too pleased about the design of Fortuna, but it seems like one of the better choices for how to combine HW input and generate an output stream.

  15. Re:So write a better one by Z00L00K · · Score: 5, Informative

    "Not so random" means that you can mathematically calculate how likely it is that you can predict the next number over a long time. If you can predict the next number with an accuracy of 1 in 250 while the random generator provides 1 in 1000 then the random generator isn't that random.

    Many random generators picks the previous value as a seed for the next value, but that is definitely predictable. Introduce some additional factors into the equation and you lower the predictability. One real problem with random generators using previous value as a seed without adding a second factor is that they can't generate the same number twice or three times in a row (which actually is allowed under the randomness rules).

    It's a completely different thing to create a true random number. For a 32 bit number you essentially should have one generator source for each bit that don't care about how the bit was set previously. It is a bit tricky to create that in a computer in a way that also allows for fast access to a large number of random numbers and prevent others from reading the same random number as you do.

    For computers it's more a question of "good enough" to make prediction an unfeasible attack vector.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  16. Re: Random number generators are hard by Vintermann · · Score: 5, Insightful

    The nice thing about randomness though, is that it adds up. If you xor one stream of hopefully random bits with another stream of hopefully random bits, you get a result that is at least as random as the best of the two streams, quite possibly better than either. It's a rare and precious thing in cryptography: something you can't make worse by messing up. At worst you make no difference.

    So if you're paranoid, come up personally with a ridiculously long phrase (you don't need to remember it), feed it through a key derivation function, and use it in a stream cipher with proven security guarantees (in particular one that passes the next-bit test for polynomial time). Instead of using this directly, xor it together with a source of hopefully random stuff.

    If you write to /dev/random this is more or less what happens. Write to it to your heart's content - it can only make it better, not worse. (This is as I recall, please check with an independent source before you try).

    Voila, no matter what NSA has done to your HRNG chip, this door is secured. Your time is better spent focusing on the other doors, or the windows.

    (But you should be very careful in using HRNG output directly. I am very surprised to read that some open source OSes disable the stream cipher if a HRNG is present - this is a very bad idea!)

    --
    xkcd is not in the sudoers file. This incident will be reported.
  17. Re:Very Informative. by Lennie · · Score: 4, Informative

    If you are gonna do that, might as well link to the comment:

    https://www.schneier.com/blog/archives/2013/10/insecurities_in.html#c1909001

    --
    New things are always on the horizon
  18. Re: Random number generators are hard by magic+maverick+ · · Score: 5, Informative

    Android. Many embedded systems. Many micro systems, such as tomsrtbt or similar (now virtually unneeded, due to the lack of floppy discs on new computers, and the prevalence of booting of CDs or USB flash drives). Many lightweight systems, such as Damn Small Linux.
    Etc.

    See also: Toybox.

    --
    HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!