Slashdot Mirror

← Back to Stories (view on slashdot.org)

NIST Updates Random Number Generation Guidelines

Posted by Soulskill on from the of-barn-doors-and-horses dept.

An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.

36 of 64 comments (clear)

  1. Bad RNG will make your crypto predictable by sinij · · Score: 4, Interesting

    One of they few poorly understood concepts in software development is that improperly initialized (called seeding) DRBG will break your crypto.

    For Linux, and especially for headless systems, use /dev/random for seeding. You want it to block if not enough randomness available.

    1. Re:Bad RNG will make your crypto predictable by ArylAkamov · · Score: 1

      Anywhere that somebody who knows jack shit about encryption could learn about this?

    2. Re:Bad RNG will make your crypto predictable by EmeraldBot · · Score: 4, Informative

      One of they few poorly understood concepts in software development is that improperly initialized (called seeding) DRBG will break your crypto. For Linux, and especially for headless systems, use /dev/random for seeding. You want it to block if not enough randomness available.

      Ehhhh, not always.

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    3. Re:Bad RNG will make your crypto predictable by Copid · · Score: 4, Informative

      The classic Schneier Applied Cryptography is a great read for anybody who wants a good starting point on the basic concepts and practical considerations. It's technical-ish but conceptual rather than mathematical and leans toward describing what the various crypto pieces do, why they exist, and what they're used for. To get a good intro to some math, try The Handbook of Applied Cryptography. If you have a little bit of number theory and are willing to do some exercises up front, the book is largely self-contained and very well written. It's free for personal use, but nobody I know regretted buying a hard copy.

      --
      An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
    4. Re:Bad RNG will make your crypto predictable by mlts · · Score: 1

      What I liked was the original version of PGP when it would ask you to type some random numbers/letters and would use that as a seed.

      It depends on the crypto I was doing: For a number of tasks, say if I were rolling dice for a game, /dev/urandom is good enough. For generating a nonpersistant key (like a session key that is used and tossed during a SSL transaction), /dev/random. For a key that is persistant, it might be even better to use /dev/random, but also ask the user to toss in some random keypresses/mouse movement [1], similar to how TrueCrypt and KeePass request it. This way, if there is something defective with the RNG, it is mitigated by a chunk of random bits from the user.

      [1]: Take the time down to as precise as possible, plus the keystroke result itself, hash it (using the hash function as a "bit blender"), toss that in. For mouse movements, take measurements every random fraction of a second, hash those, toss those in as well.

    5. Re:Bad RNG will make your crypto predictable by Bruce+Perens · · Score: 2

      The problem with FM static is that you could start receiving a station, and if you don't happen to realize you are now getting low-entropy data, that's a problem.

      There are many well-characterized forms of electronic noise: thermal noise, shot noise, avalanche noise, flicker noise, all of these are easy to produce with parts that cost a few dollars.

      --
      Bruce Perens.
    6. Re:Bad RNG will make your crypto predictable by Bruce+Perens · · Score: 3, Informative

      Most algorithms to do this use the time between keypresses, measured to very high precision so that the lower bits are chaotic. So it doesn't really matter what keys you hit, and it doesn't matter how rythmic your typing is.

      --
      Bruce Perens.
    7. Re:Bad RNG will make your crypto predictable by Alain+Williams · · Score: 1

      The trouble with FM static is that your ''enemy'' could also observe what you observe and thus have a good idea of what you are basing your random numbers on.

    8. Re:Bad RNG will make your crypto predictable by davester666 · · Score: 1

      yes, then drink the potassium chloride, and have someone time how long it takes you to die. that time will be sufficiently random for our purposes.

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re:Bad RNG will make your crypto predictable by bytesex · · Score: 1

      Sweeping statement - not necessarily. Pre-shared keys and all that. It is possible to make good crypto systems without using random. Sorry to be autistic about it.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    10. Re:Bad RNG will make your crypto predictable by bytesex · · Score: 1

      It also means that you're allowing an outside source, which is extremely easy to manipulate (a van parked outside your house with a transmitter) to create your random.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    11. Re: Bad RNG will make your crypto predictable by AvitarX · · Score: 1

      I would think non random pre shared keys are attackable.

      At the extreme case, you end up with a Caesar shift.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    12. Re:Bad RNG will make your crypto predictable by mlts · · Score: 1

      If we pull numbers off a high precision clock function like Linux's clock_gettime (which has a nanosecond precision rate), it matters less what exact key the user pressed, because the part that rapidly changes (interval between keys, or even the absolute time (year/month/day/hour/minute/second/billionths of a second) can be used by running the output through a hashing algorithm and tossed into the RNG pool.

      One you get into microsecond and nanosecond resolution, that is a quite usable random number source, since someone might be able to tap a key (even repeatedly) on a tenth to hundredth of a second scale, but definitely not be able to give repetitive keystrokes on a nanosecond level.

      What key they press might give around six bits of random data, but you can get significantly more bits (20-30) per keystroke just from the high precision timer.

    13. Re: Bad RNG will make your crypto predictable by MadChicken · · Score: 1

      Wouldn't they also have to know your sampling frequency for that to be of any use? And I'm guessing if you randomized that, they'd have to follow your entire tool chain to get the same random result. I'm just thinking out loud here...

      --
      SYS 64738 NO CARRIER
    14. Re:Bad RNG will make your crypto predictable by davester666 · · Score: 1

      No, it will be sooner and less random.

      --
      Sleep your way to a whiter smile...date a dentist!
    15. Re:Bad RNG will make your crypto predictable by sinij · · Score: 1

      Using /dev/random, among many things, ensures that your long-term keys are not easily factorable. If all you are concerned is performance, then why even bother with cryptography?

    16. Re:Bad RNG will make your crypto predictable by sinij · · Score: 2

      Also, when you are ready to take a leap from little knowledge, to a little bit more knowledge, read this paper: https://www.usenix.org/system/...

    17. Re:Bad RNG will make your crypto predictable by VTBlue · · Score: 1

      Great resource! Thanks for this link.

  2. Screw NIST by Guy+From+V · · Score: 1

    They're more like guidelines anyway.

  3. Randomness can't come from a computer program by Bruce+Perens · · Score: 2, Interesting

    True randomness comes from quantum mechanical phenomena. Linux /dev/random is chaotic, yes, enough to seed a software "R"NG. But we can do better and devices to do so are cheap these days.

    I wouldn't trust anything but diode noise for randomness. If I had a need to transmit messages privately, I'd only trust a one-time pad.

    --
    Bruce Perens.
    1. Re:Randomness can't come from a computer program by Anonymous Coward · · Score: 2, Interesting

      OneRNG - An Open and Verifiable hardware random number generator -- relevant talk from Linux.conf.au 2015. It uses diode and (optionally) RF noise to generate a stream of high-quality entropy which couples directly to the kernel.

      They touch upon a concept that I believe many admins should be aware of: if you do mass-deployment of machines, this might very well include generation of e.g. SSH keys. The problem is if the keys are generated in such an early stage that the random pool has not been able to be readily distinguished from other machines within the deployment. This might open up the possibility for an attacker who has knowledge about a less privileged machine within such a deployment to attack machines which in a later state got more important roles.

      I have even seen situations where companies have created images with pre-generated cryptographic signatures, making all machines within a deployment hold the exact same secret information...

    2. Re:Randomness can't come from a computer program by QuasiSteve · · Score: 1

      To throw another one out there - lower bitrate, different approach, much cheaper (especially if built yourself - designs are completely open): https://github.com/waywardgeek...

    3. Re:Randomness can't come from a computer program by Bruce+Perens · · Score: 1

      Most of us do have a need to transmit messages privately. Do you not make any online purchases?

      Yes, but those have to use public-key encryption. I am sure of my one-time-pad encryption because it's just exclusive-OR with the data, and I am sure that my diode noise is really random and there is no way for anyone else to predict or duplicate it. I can not extend the same degree of surety to public-key encryption. The software is complex, the math is hard to understand, and it all depends on the assumption that some algorithms are difficult to reverse - which might not be true.

      --
      Bruce Perens.
  4. A lot of effort to make sure bits aren't leaked by thogard · · Score: 2

    Why do so many systems still use the hashed root or admin password to seed tcp sequence numbers? Cisco, Sun, IBM and DEC all started doing it about the same time. So who suggested it to them and just how many groups know how what it takes to pull bits out of that hash?

  5. Re:Lottery machine? by black3d · · Score: 1

    From a code approach it's pointless, because the physical simulation would run exactly the same each time. Unless your randomize various factors such as for example, the release time of the balls, the speed the wheel which "mixes" them up. However, for this approach to work, you still need your underlying random number generator to already be working to generate the randomization required by the physics engine. And at the end of it all, you're putting a whole lot of effort into a limited entropy randomization system when you could just use a couple of dedicated algorithms to achieve a much greater result.

    From a device point of view, yes - this is basically what hardware random number generators are. There are lots of different ones out there that use different factors such as background radiation, RF noise, plasmas, etc, to create a non-reproducible value. Most of them are pretty good at what they do, and while some may be "better" than others, the differences in the degrees of entropy they produce are largely academic - almost any of them will do the job.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  6. Re:Lottery machine? by Psychotria · · Score: 1

    I agree. The outcome from lottery machines is way too predictable and that's why I'm a billionaire having never worked a day in my life.

  7. Why should we trust NIST encryption? by Slayer · · Score: 4, Insightful

    NIST recklessly broke our trust in them by allowing known to be broken encryption into their standard. Their new document may come with all the best intentions, but it will take years to rebuild that trust. Let's wait for what the crypto community has to say about these documents, before we blindly follow their latest standards.

    1. Re:Why should we trust NIST encryption? by TechyImmigrant · · Score: 1

      NIST recklessly broke our trust in them by allowing known to be broken encryption into their standard. Their new document may come with all the best intentions, but it will take years to rebuild that trust. Let's wait for what the crypto community has to say about these documents, before we blindly follow their latest standards.

      Well you could go with the ANSI or ISO RNG specs.

      Oh wait, they're written by the same people.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Why should we trust NIST encryption? by sinij · · Score: 1

      All you say is true, but you only need to look at what NSA uses to protect their own stuff to know what is secure. Sure, given a chance they will backdoor your stuff, but they will never do this to their own security, since they know even their own backdoor could be used against them.

  8. Thanks for the link by xarragon · · Score: 1

    Thank you a thousand times to the link to the handbook! Now I can ditch the boring William Stallings crypto book which I never finished AND I don't need a physical copy!

  9. So the work begins again by bytesex · · Score: 2

    To find out where the NSA put the twist.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
    1. Re:So the work begins again by TechyImmigrant · · Score: 1

      To find out where the NSA put the twist.

      Well P-224 isn't twist secure, if that's what you're hinting at.

      In reality the backdoor isn't in SP800-90A, B or C. It's in FIPS 140-2 section 4.9.2. In a FIPS certified module, that procedure applies to all RNG outputs 16 bits and above. A test that changes the data to create a stream of known algebraic inequalities. Genius.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  10. Re:Hm.... by bytesex · · Score: 1

    Lucky for us, Diffie-Helmann requires a random sources on each side. If your RNG is broken and your counter-party's isn't, you're still good.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  11. All these replies and no XKCD? by dwillmore · · Score: 1

    https://xkcd.com/221/

  12. Re:Lottery machine? by black3d · · Score: 1

    Your reading comprehension needs some work.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  13. Yarrow isn't a thing? by kriston · · Score: 1

    The Yarrow algorithm, or its progeny Fortuna, are not yet a thing?
    Shame.

    https://en.wikipedia.org/wiki/...

    --

    Kriston