Security
How do we know our PRNGs work properly?
December 29, 2016
11:30 AM – 12:30 PM Add to calendar
11:30 AM – 12:30 PM Add to calendar
Saal G
Pseudo-random number generators (PRNGs) are critical pieces of security
infrastructure. Yet, PRNGs are surprisingly difficult to design,
implement, and debug. The PRNG vulnerability that we recently found in
GnuPG/Libgcrypt (CVE-2016-6313) survived 18 years of service and several
expert audits. In this presentation, we not only describe the details of
the flaw but, based on our research, explain why the current state of
PRNG implementation and quality assurance downright provokes incidents.
We also present a PRNG analysis method that we developed and give
specific recommendations to implementors of software producing or
consuming pseudo-random numbers to ensure correctness.
Bugs in PRNGs often go unnoticed for years, as witnessed previously by
the Debian OpenSSL disaster (2006-2008; see presentation at 25C3) or the
Android PRNG vulnerability (2005-2013), which was responsible for a
series of bitcoin thefts. This longevity has good reasons, as currently
almost no effective technical safeguards against the PRNG flaws are in
place. In public forums, questions about quality assurance for PRNGs are
typically met with fatalistic shrugging, links to web comics, or links
to statistical test suites. None of these approaches is effective in
solving the problem.
In the past two years, we carried out research into correctness of
cryptographic PRNGs, studying the effectiveness of various measures, and
developing new ones. We analyzed numerous PRNGs that are currently in
deployment. With this presentation we aim to convey insights into:
the current state of PRNG implementations
why quality assurance of PRNGs is difficult and
why hardly any technical safeguards against flaws in PRNGs are currently in place
the details of the GnuPG flaw that we uncovered
the hidden technical similarities behind many PRNG flaws (such as the three mentioned above)
which safeguards are effective and which are not
how to improve the situation
Additional information
| Type | lecture |
|---|---|
| Language | English |
More sessions
| 12/27/16 |
Certificate transparency - what is it, and what can be done with it?
|
| 12/27/16 |
Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as ...
|
| 12/27/16 |
PHP-7 is a new version of the most prevalent server-side language in use today. Like previous version, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from exploiters and vulnerability researchers point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and ...
|
| 12/27/16 |
Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use.
|
| 12/27/16 |
Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer. It targets specific models of commodity hardware and takes advantage of lessons learned from several years of vulnerability research. ...
|
| 12/27/16 |
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
|
| 12/27/16 |
We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Using Internet-wide scans, we find that 33% of all HTTPS servers are vulnerable to this protocol-level attack.
|
