PseudoRandomNumberGenerators Security Perspective - PowerPoint PPT Presentation

Slides: 34
Provided by: csHu
1
Pseudo-Random-Number-Generators: Security Perspective
  • Zvi Gutterman, zvikag@cs.huji.ac.il

2
Outline
  • Motivation
  • Who needs random numbers?
  • Requirements
  • Numerical generators
  • Physical generators
  • Examples
  • Java Object.toString( )
  • Attacking the Apache Servlet engine
  • Join us (projects) !

3
Motivation
  • Numerical Algorithms
  • Simulations
  • Monte-Carlo Methods

Example: calculating using Monte-Carlo simulations
4
Motivation (cont.)
  • Security
  • Example: One-Time Pad
  • Alice and Bob meet once and agree on a one-time pad K.
  • Alice encrypts plaintext P with K (using XOR) and sends the ciphertext C to Bob.
  • To decrypt, Bob XORs K with C and recovers P.
  • Perfect encryption! (Pad used once, same length as P)
  • As old as computer science .. Turing, von Neumann

Truly Random?
5
Requirements
  • Utopia
  • True random generators
  • Hard to find
  • Hard to prove
  • Complex implementation
  • Reality
  • Pseudo-random number generators
  • Sequence appears random
  • "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." John von Neumann, 1951

6
Requirements: PRNG
  • Statistical tests
  • Uniform distribution
  • (e.g., the number of 0s equals the number of 1s)
  • Non-predictable
  • Long period
  • Fast computation
  • Low memory consumption

7
Numeric Generators
  • Linear Congruential Generator (LCG)
  • X_{n+1} = (a * X_n + b) mod m
  • Where
  • X_n - current number, X_0 = seed
  • X_{n+1} - next number
  • a - multiplier
  • b - increment
  • m - modulus

Lehmer, 1949
8
LCG
  • Used in -
  • rand() function in C / C++ (libc)
  • java.util.Random
  • ..
  • The period is at most m
  • Knuth (TAOCP) studies the LCG period

9
LCG Prediction Algorithm
  • Boyar 1982 algorithm
  • Input: X_{n-k}, ..., X_0
  • Output: a, b, m
  • Complexity: log2(m) iterations
  • Assumes corrections to the guessed generator during the iterations
  • Krawczyk 1992 extended it to generators of the form
  • X_i = P(X_{i-n}, ..., X_{i-1}) (mod m)
  • P: a polynomial of fixed degree in n variables

10
BBS: Blum, Blum, Shub
  • p, q - large prime numbers, congruent to 3 modulo 4
  • m = p * q
  • k relatively prime to m
  • Set X_0 = k^2 mod m (X_0 is the seed)
  • X_{n+1} = X_n^2 mod m
  • least-significant-bit(X_{n+1}) is the (n+1)-th pseudo-random bit

11
Blum-Blum-Shub Properties
  • Cryptographically strong!
  • As long as the factoring problem remains hard, the (n+1)-th bit is not predictable.
  • This is true even if n is published (as long as the X_n are kept secret)
  • Slow ..

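The generator of slides 10 and 11 as an added worked example in Python (not code from the slides): the parameter checks, the state and bit output on the small constructed modulus 11 * 23 = 253, and the direct jump to X_i that is possible only for whoever holds the factors of m.

```python
# Added example (not from the slides): Blum-Blum-Shub on a toy modulus.
# Real use needs primes of RSA size; the small constructed primes here
# only make the values easy to follow by hand.
from math import gcd

P, Q, K = 11, 23, 3   # constructed parameters; both primes are 3 mod 4


def bbs_setup(p, q, k):
    """Check the parameter conditions of slide 10 and return (m, X_0)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 modulo 4")
    m = p * q
    if gcd(k, m) != 1:
        raise ValueError("k must be relatively prime to m")
    return m, (k * k) % m          # X_0 = k^2 mod m


def bbs_states(m, x0, count):
    """X_{n+1} = X_n^2 mod m: the `count` states that follow X_0."""
    states, x = [], x0
    for _ in range(count):
        x = (x * x) % m
        states.append(x)
    return states


def bbs_bits(m, x0, count):
    """Output bits: the least significant bit of each X_{n+1}."""
    return [x & 1 for x in bbs_states(m, x0, count)]


def bbs_jump(p, q, x0, i):
    """Compute X_i directly from X_0 using the factors of m. Anyone holding
    p and q has this shortcut; without them one must square i times, and
    predicting the next bit is as hard as factoring m (slide 11)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(m)
    e = pow(2, i, lam) or lam                      # exponent 2^i mod lambda
    return pow(x0, e, p * q)
```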
12
Other PRNGs
  • MT: Mersenne Twister (cycle 2^19937 - 1)
  • ANSI X9.17
  • Based on triple-DES
  • Capstone/Fortezza
  • DSA (Digital Signature Specification)
  • Yarrow-160
  • Fortuna
  • And many others

13
Physical (True?) RNG
  • Radioactive decay
  • Air turbulence in disk drives
  • Lava lamp, e.g., http://www.lavarnd.org
  • http://www.random.org
  • Intel i8xx chipset

14
Example: Java Object.toString()
  • public String toString() {
        return getClass().getName() + "@" + Integer.toHexString(hashCode());
    }
  • Example: java.lang.Object@3179c3

15
Java Object.hashCode( )
  • From the JavaDoc:
  • "As much as is reasonably practical, the hashCode method defined by class Object does return distinct integers for distinct objects. (This is typically implemented by converting the internal address of the object into an integer, but this implementation technique is not required by the Java(TM) programming language.)"

16
hashCode( ) implementation ..
  • void os::init_random(long initval) { _rand_seed = initval; }
  • long os::random() {
      /* standard, well-known linear congruential random generator with
         next_rand = (16807 * seed) mod (2^31 - 1)
         see
         (1) "Random Number Generators: Good Ones Are Hard to Find",
             S.K. Park and K.W. Miller, Communications of the ACM 31:10 (Oct 1988),
         (2) "Two Fast Implementations of the 'Minimal Standard' Random
             Number Generator", David G. Carta, Comm. ACM 33, 1 (Jan 1990), pp. 87-88.
      */
      const long a = 16807;
      const long m = 2147483647;
      const long q = m / a;  assert(q == 127773, "weird math");
      const long r = m % a;  assert(r == 2836, "weird math");

next_rand = (16807 * seed) mod (2^31 - 1)
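An added Python example (not the slides' or the JVM's own code) of the LCG of slide 7 and of the Park-Miller minimal standard instance behind the hashCode() implementation above: Schrage's method with the q and r constants of the slide, the self-test value Park and Miller published, why a leaked output predicts everything after it, and a small-modulus period check for slide 8.

```python
# Added example: general LCG (slide 7) and the Park-Miller minimal
# standard generator (slide 16), not the JVM's code.
A, M = 16807, 2147483647      # minimal-standard constants from slide 16
Q, R = M // A, M % A          # Schrage decomposition: m = a*q + r


def lcg(x, a, b, m):
    """One step of the general LCG of slide 7: X_{n+1} = (a*X_n + b) mod m."""
    return (a * x + b) % m


def park_miller(seed):
    """Next state of the Park-Miller generator via Schrage's method, which
    keeps every intermediate inside 32-bit signed range (as C code must)."""
    hi, lo = divmod(seed, Q)
    x = A * lo - R * hi
    return x if x > 0 else x + M


def park_miller_self_test():
    """Park & Miller's published check: starting from seed 1, the value
    after 10,000 steps must be 1043618065."""
    x = 1
    for _ in range(10000):
        x = park_miller(x)
    return x


def predict_following(observed, count):
    """Why this fails the 'non-predictable' requirement of slide 6: the
    output *is* the state (b = 0, no truncation), so one observed value
    fixes every later one. A hashCode() built on it (slide 17) therefore
    reveals the hash codes handed out after it."""
    out, x = [], observed
    for _ in range(count):
        x = park_miller(x)
        out.append(x)
    return out


def period(seed, a, b, m):
    """Cycle length reached from `seed` (brute force; small m only).
    Slide 8: the period can never exceed m."""
    seen, x, i = {}, seed, 0
    while x not in seen:
        seen[x] = i
        x, i = lcg(x, a, b, m), i + 1
    return i - seen[x]
```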
17
Object.toString( )
  • Actually:
  • getClass().getName()
  • + "@"
  • + Integer.toHexString( LCG )
  • We need to guess the order in which the objects had toString( ) called

18
toString / hashCode remarks
  • PRNGs are used in many protocols and systems
  • Documentation may mislead
  • Reverse-engineering is important
  • Can it be used for fingerprinting?

19
Example - HTTP 1.1
  • Defined in RFC 2068
  • Main e-commerce protocol today
  • Stateless!
  • But we need state

20
HTTP Server side
21
(No Transcript)
22
HTTP cookie demo: National car rental
23
Attack motivation
  • Can I get someone else's profile on Amazon?
  • Can I use the Amazon one-click option to order books for you?
  • Can I change your car reservation?

24
Java Servlets
  • JCP: Servlet 2.4
  • Released 24 November, 2003
  • Java Session Framework
  • Must use jsessionid as a parameter (URL or cookie)
  • Implementation
  • Apache Tomcat (25% market share, Apr-2003)
  • J2EE 1.4 recommendation: bundled in the SDK!
  • Commercial
  • Resin, IBM WebSphere, Oracle

25
Catalina
  • Java Apache web server: Tomcat
  • Tomcat Servlet Engine: Catalina
  • Version 5.0.xx (November 2003)

26
Tomcat Brute Force
  • Session id: 16 bytes
  • 16 bytes = 128 bits
  • Brute-force attack
  • 2^128 options
  • Very, very long
  • 10^22 CPU years ..

27
Tomcat SessionID Attack
  • Open source
  • Good
  • And Bad ..

28
Catalina: new SessionID
  • 128 bits: RandomEngine - get the next random bits
  • Hash: bits = MD5(bits)
  • Session id: bits -> ASCII representation

29
Catalina Algorithm
  • Seed initialization
  • C = current time in milliseconds (64 bit)
  • Ent = entropy (default: toString() of org.apache.catalina.StandardManager)
  • Seed = f(C, Ent)
  • Random.setSeed(Seed)
  • Or
  • Open /dev/urandom if it exists

30
Catalina Attack
  • Get a valid session ID
  • Reverse the ASCII back to the bit representation
  • Check the session id against all possible seeds
  • Δ (time window): at most one year

31
Catalina Attack - Remarks
  • Once broken, we can get all valid session ids immediately!
  • The server does not know about it!!
  • The attack is valid until the next reset
  • This is a non-targeted attack

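A simplified model of the seeding scheme of slides 28 to 31, as an added Python example (not Tomcat's code): the clock-seeded path beside the /dev/urandom path, so the two seed spaces can be compared. The seed-mixing function f, the entropy string value and the java.util.Random-style LCG are stand-ins assumed here, not Catalina's actual implementation.

```python
# Added example: weak (clock-seeded) versus strong (OS entropy) session ids.
# Not Tomcat's code; f(C, Ent), the entropy string and the LCG are models.
import hashlib
import math
import secrets

LCG_MULT, LCG_INC, LCG_MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1
DEFAULT_ENTROPY = "org.apache.catalina.StandardManager@3179c3"  # constructed


class JavaLikeRandom:
    """48-bit LCG with the java.util.Random constants (a model, not the JDK)."""

    def __init__(self, seed):
        self.state = (seed ^ LCG_MULT) & LCG_MASK      # setSeed() scrambling

    def next_bits(self, bits):
        self.state = (self.state * LCG_MULT + LCG_INC) & LCG_MASK
        return self.state >> (48 - bits)

    def next_bytes(self, n):
        return bytes(self.next_bits(8) for _ in range(n))


def weak_seed(clock_ms, entropy=DEFAULT_ENTROPY):
    """Assumed f(C, Ent) of slide 29. Ent is a fixed default string, so the
    only thing that differs between restarts is the millisecond clock."""
    mix = int.from_bytes(hashlib.md5(entropy.encode()).digest()[:6], "big")
    return clock_ms ^ mix


def session_id_from_bits(bits):
    """Slide 28: MD5 the 128 random bits and render them as hex."""
    return hashlib.md5(bits).hexdigest()


def weak_session_id(clock_ms):
    """Clock-seeded path: the id is fully determined by the start time."""
    rng = JavaLikeRandom(weak_seed(clock_ms))
    return session_id_from_bits(rng.next_bytes(16))


def strong_session_id():
    """/dev/urandom path: OS entropy, so there is no seed to enumerate."""
    return session_id_from_bits(secrets.token_bytes(16))


def effective_seed_bits(window_ms):
    """Search space on the weak path: log2 of the clock window (about 35
    bits for a year), nowhere near the 128 bits counted on slide 26."""
    return math.log2(window_ms)
```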
32
Additional Security Steps ..
33
Projects / Research
  • Attacking existing PRNG-based schemes. Examples:
  • HTTP servers: PHP, Apache, ASP
  • Linux kernel-based PRNG
  • SSL (?)
  • ..
  • Building better theoretical understanding
  • Preliminary reading list: http://www.cs.huji.ac.il/zvikag
  • Contact: zvikag@cs.huji.ac.il