Conceptual Foundations of the Ivy Bridge Random Number Generator
(slide transcript)
Jesse Walker, Ph.D., Intel Corporation
Intel Labs Circuits and Systems Research
Security Research Lab
Agenda
• Engineering without a safety net
• What is randomness?
• Intel's first generation RNG
• A New Design
  – Joint work with George Cox, Charles Dike, and D.J. Johnston
Randomness' Role in Security
• Implicit expectation: "secure" systems work as specified, independent of what the environment (i.e., any attacker) can do to them (i.e., without any constraints on the environment)
  – So we know a priori we will fail to meet this expectation
• Question: How can we defeat ALL adversaries?
  – Even the ones we haven't thought about?
• Strategy: Use randomness to wall off attack below a computational complexity threshold
  – Cryptographic algorithm designers seek to use n bits of randomness to embed an O(2^(n/2)) or O(2^n) search problem into their designs
  – If n is sufficiently large and the embedding succeeds, then O(2^(n/2)) or O(2^n) operations is beyond anyone's computational resources
Engineering without a safety net
What if it’s not really Random?
Engineering without a safety net
• January 1996 – Mozilla SSL Browser RNG Failure
• September 28, 1999 – How We Learned to Cheat at Online Poker: A Study in Software Security
  – By Brad Arkin, Frank Hill, Scott Marks, Matt Schmid and Thomas John Walls
• August 2007 – NSA's Dual EC DRBG shown to admit backdoor parameters
• November 19, 2007 – Microsoft Windows Insecure Random Number Generator
  – CVE-2007-6043
• May 13, 2008 – Debian/OpenSSL Fiasco
• November 4, 2008 – MiFare Classic
• March 29, 2010 – Weak RNG in PHP session ID generation leads to session hijacking
• December 2010 – Sony PlayStation* 3 Jailbreak
Debian/OpenSSL Fiasco
Debian has warned of a vulnerability in its cryptographic functions that could leave systems open to attack. The use of a cryptographically flawed pseudo random number generator in Debian's implementation of OpenSSL meant that potentially predictable keys were generated… The Register – May 13th, 2008
MiFare Classic Crypto-1
Stream cipher used in about 200 million RFID chips worldwide. 16-bit random numbers generated by an LFSR-based RNG. Internal state can be unshifted, filter function can be inverted, limited size enables replay attacks. BlackHat 2008
Cryptography is impossible without real randomness
How is Randomness Represented?
• A random variable X : S → R models measurements of some random process
  – Here X(s) is the probability of outcome s, so Σ_{s∈S} X(s) = 1
• The information of a random variable X is itself a random variable, defined as –log2(X) = log2(1/X)
  – The information log2(1/X(s)) says how many bits are needed to unambiguously represent state s
  – If the number of bits used to represent s exceeds log2(1/X(s)), then the representation contains redundant information
• The entropy H(X) of a random variable X is the expected value of X's information:
  H(X) = E_X(–log2(X)) = Σ_{s∈S} X(s)·log2(1/X(s))
  – The entropy measures the randomness or unpredictability of X in bits
• The min-entropy is H∞(X) = min_{s∈S}{log2(1/X(s))} = log2(min_{s∈S}{1/X(s)}) = –log2(max_{s∈S}{X(s)})
• H∞(X) ≤ H(X), with equality if and only if X(s) = 1/|S| for all s ∈ S
  – Every sample from X has at least H∞(X) bits of entropy
What is Randomness?
Example
s   X(s)   log2(1/X(s))           X(s)·log2(1/X(s))
1   1/16   4                      1/4
2   1/4    2                      1/2
3   3/8    3 – log2(3) ≈ 1.415    3(3 – log2(3))/8 ≈ 0.531
4   1/4    2                      1/2
5   1/16   4                      1/4
H(X) = E_X(log2(1/X)) = Σ_{s∈S} X(s)·log2(1/X(s)) ≈ 1/4 + 1/2 + 0.531 + 1/2 + 1/4 = 2.031
H∞(X) = min_{s∈S}{log2(1/X(s))} = log2(min_{s∈S}{1/X(s)}) = 3 – log2(3) ≈ 1.415
Every sample of X has at least H∞(X) ≈ 1.415 bits of entropy
[Figure: bar chart of X(s) over s = 1, 2, 3, 4, 5, annotated with the min-entropy H∞(X) = min_{s∈S}{log2(1/X(s))}]
What is Randomness?
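Worked in code: the distribution in the table above, as an added Python example (not code from the talk or from Intel). It treats a random variable as a probability mass function over its outcomes, computes Shannon entropy, min-entropy and, for the ordering proved in the backup slides, the order-2 Rényi entropy, and reproduces the table's 2.031 and 1.415. The pmf values are the slide's; the function names are this example's own.

```python
import math

# Constructed example: the distribution from the slide (X(s) for s = 1..5); it sums to 1.
EXAMPLE_PMF = {1: 1/16, 2: 1/4, 3: 3/8, 4: 1/4, 5: 1/16}


def check_pmf(pmf):
    """A random variable here is a probability mass function X : S -> [0,1] with total mass 1."""
    if any(p < 0 for p in pmf.values()) or abs(sum(pmf.values()) - 1.0) > 1e-12:
        raise ValueError("not a probability distribution")


def information_table(pmf):
    """Per-outcome rows (s, X(s), log2(1/X(s)), X(s)*log2(1/X(s))), as in the slide's table."""
    check_pmf(pmf)
    rows = []
    for s, p in sorted(pmf.items()):
        info = math.log2(1 / p) if p > 0 else math.inf   # information of outcome s, in bits
        rows.append((s, p, info, p * info if p > 0 else 0.0))
    return rows


def shannon_entropy(pmf):
    """H(X) = sum_s X(s) * log2(1/X(s)): the expected information, in bits."""
    return sum(row[3] for row in information_table(pmf))


def min_entropy(pmf):
    """H_inf(X) = -log2(max_s X(s)): the information of the single most likely outcome.
    This is the figure a conditioner may credit per sample, because an adversary's best
    guess succeeds with probability max_s X(s) = 2^(-H_inf)."""
    check_pmf(pmf)
    return -math.log2(max(pmf.values()))


def collision_entropy(pmf):
    """Order-2 Renyi entropy H_2(X) = -log2(sum_s X(s)^2); it sits between H_inf and H."""
    check_pmf(pmf)
    return -math.log2(sum(p * p for p in pmf.values()))


def guessing_probability(pmf, guesses=1):
    """Probability that an adversary who knows the distribution guesses X within `guesses` tries."""
    check_pmf(pmf)
    return sum(sorted(pmf.values(), reverse=True)[:guesses])


if __name__ == "__main__":
    for s, p, info, contrib in information_table(EXAMPLE_PMF):
        print(f"{s}  X(s)={p:.4f}  log2(1/X(s))={info:.3f}  contribution={contrib:.3f}")
    print("H(X)     =", round(shannon_entropy(EXAMPLE_PMF), 3))
    print("H_2(X)   =", round(collision_entropy(EXAMPLE_PMF), 3))
    print("H_inf(X) =", round(min_entropy(EXAMPLE_PMF), 3))
```

The operational reading that guessing_probability makes explicit is the reason the rest of the talk budgets on H∞ rather than H: 2^–H∞(X) is exactly the success probability of an adversary's single best guess, whatever the rest of the distribution looks like.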
Intel's 1999 RNG
[Figure: block diagram with a Johnson thermal noise source (resistor), noise amplifier, voltage-controlled oscillator, high-speed oscillator, super latch and digital corrector (von Neumann bias correction); frequencies marked ~500 KHz and ~400 MHz]
• Thermal noise modulates the slower oscillator.
• Oscillator triggers the super latch.
• Drift between the two oscillators provides the source of the random bits.
• 60:1 to 100:1 center frequency ratios.
• One bit generated for every 6 raw binary samples → about 75 Kbit/sec
Intel's First Generation RNG
Ivy Bridge RNG Conceptual Design
[Figure: block diagram of the RNG. Blocks: Entropy Source, Health Tests, Buffer, Conditioner, Rate Matcher (DRBG), BIST. Interface: RdRand, RdKey (not implemented in Ivy Bridge), Get Status]
A New Design
The Privacy Amplification Problem
Alice and Bob share a 2000 bit secret key K to secure their communication against their arch-nemesis Eve
They learn that Eve has learned part of K, say 200 bits . . .
. . . but they don't know which 200 bits
Is there some way they can still use K?
Alice and Bob know: H∞(K) = 2000 – 200 = 1800
A New Design: The Conditioner
Privacy Amplification Solution
• The Leftover Hash Lemma of Impagliazzo, Levin and Luby (1989) solves the privacy amplification problem
• Definition. A family H of functions h : S → {0,1}^n is ε-universal if for all s ≠ t in S
  Pr_{h∈H}[h(s) = h(t)] ≤ ε
• Theorem (Leftover Hash Lemma). Assume H = {h : S → {0,1}^n} is a (1+η)/2^n-universal hash family and H∞(X) ≥ m. Then if h is selected uniformly over H, the statistical distance between h(X) and the uniform distribution satisfies
  (1/2)·Σ_{y∈{0,1}^n} |Pr[h(X) = y] – Pr[U_n = y]| ≤ (η + 2^n/2^m)^(1/2)/2
  – U_n denotes the uniform distribution on {0,1}^n
• Translation: universal hash families are efficient entropy extractors
A New Design: The Conditioner
Central Idea
• Ideal entropy sources are hard to find in nature
• We may still hope to find sources that produce significant amounts of entropy, i.e., find X with H∞(X) ≥ m
• If the entropy source X satisfies H∞(X) ≥ m for some m > 0, then we can apply the Leftover Hash Lemma
• Design problems
  – Which universal hash family?
  – How many min-entropy bits m do we need?
  – How do we "uniformly" choose a member of the hash family?
    • Isn't it cheating to rely on a randomly selected function?
  – How do we get a source with a predictable min-entropy?
A New Design: The Conditioner
The Hash Family and H∞ Value
• Definition. CBC-MAC mode on b-block strings for a block cipher E : {0,1}^n × {0,1}^k → {0,1}^n is defined as
  M_1 . . . M_b ← M, tag ← 0^n, for i = 1 . . . b do tag ← E(M_i ⊕ tag, K) od, output tag
• Theorem. (Dodis, Gennaro, Håstad, Krawczyk, Rabin; Crypto 2004) A block cipher E : {0,1}^n × {0,1}^k → {0,1}^n in CBC-MAC mode on b-block strings is a (1+η)/2^n-universal hash family, where η = O(b^3/2^(2n))
• If the block cipher E is AES, and if the number of AES blocks b << 2^128, then η = O(b^3/2^256) ≈ 0 and the Leftover Hash Lemma bound for AES in CBC-MAC mode is (η + 2^128/2^m)^(1/2)/2 ≈ (2^(128 – m))^(1/2)/2 = 2^(64 – m/2)/2 = 2^(63 – m/2)
• If m ≥ 382 then 2^(63 – m/2) ≤ 2^(63 – 382/2) = 2^(63 – 191) = 2^–128, and the 128-bit output will be indistinguishable from ideal
A New Design: The Conditioner
Choosing the hash family member
[Figure: Health Tests → Buffer → Conditioner → Rate Matcher (DRBG). Once the Buffer holds 382 bits of min-entropy the Conditioner runs; its extracted entropy seeds the Rate Matcher, and the Rate Matcher generates the 128-bit AES key that rekeys the Conditioner. Arrow labels: "Min-entropy" (into the Conditioner), "Extracted entropy" (out of it)]
A New Design: The Conditioner
The Entropy Source
Requirements
• Can be faithfully modeled
  – If we can faithfully model the source with a random variable X, we can compute the min-entropy of the source as log2(min_{s∈S}{1/X(s)})
• All digital: no analog components
  – No I/O
  – No redesign and revalidation for new process technologies
• Produce bits at a rate directly useful to applications
  – e.g., at least 100 Mbps for argument's sake, not 75 Kbps
• Pass the requirement to remove bias and correlation to the Conditioner
A New Design: The Entropy Source
Entropy Source
It is a latch built from a pair of cross-coupled inverters
  – The circuit has two stable states (0/1) and one unstable (meta-stable) state
  – The circuit is powered on in the meta-stable state
  – The circuit is held in the meta-stable state until Johnson thermal noise resolves its value to 0 or 1
  – After the circuit resolves and outputs one bit value, power it off
  – Repeat at machine clock rate
A New Design: The Entropy Source
Entropy Source Models
• Wanted: a faithful model that enables min-entropy computation
• Some early unhelpful but informative models:
  – Binary Memoryless Source with probability p:
    Pr[X_n = 1] = p, Pr[X_n = 0] = 1 – p, n = 1, 2, 3, . . .
  – Binary Stationary Source with probability p:
    Pr[X_n = 1] = Pr[X_n = 0] = ½, Pr[X_n = X_{n–1}] = p
    o A Binary Stationary Source is a Markov process with one bit of memory
• Our last, most informative and explanatory model is an Ornstein-Uhlenbeck process
  – A digital latch tends to resolve to its previous state, so our circuit slightly biases the next output to be different from the previous
  – An Ornstein-Uhlenbeck process models this: it is a mean-reverting random walk
  – Model developed by Intel physicists Andrey Nikolaev and Dmitry Kabaev
• Transition probabilities computed from circuit electrical parameters
A New Design: The Entropy Source
Min-Entropy
• Assume our model X faithfully represents the entropy source
  – Validation has not refuted this assumption
• We can configure the circuit's electrical parameters and temperature characteristics so that H∞(X) ≥ 0.97 bits per sample for all supported voltages and temperatures
  – And disable the hardware when voltage or temperature goes out of spec
• Under the assumption that H∞(X) ≥ 0.97 per sample, the Conditioner needs ⌈382/0.97⌉ = 394 samples from the entropy source to produce a full-entropy 128-bit output
  – 394 – 128 = 266 bits is the tax for not knowing how (un)predictability is distributed throughout the samples
  – The source buffer containing raw samples should be at least 512 bits, since AES-CBC-MAC operates on a multiple of 128 bits (4 AES blocks)
A New Design: The Entropy Source
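The conditioner's arithmetic and its CBC-MAC, for the hash-family slide and the min-entropy slide above, as one added Python example that is not Intel's design or code. Assumptions it makes, marked in the code: AES-128 is replaced by an HMAC-SHA-256 stand-in so the block runs without a crypto library (the universality theorem quoted above is for a real block cipher and does not transfer to the stand-in); the whole 512-bit buffer is filled with raw samples, so one invocation always consumes at least the 394 samples the slide requires; the raw bits and the key are constructed and carry no real entropy.

```python
import hashlib
import hmac
import math
import random

BLOCK_BITS = 128
BLOCK_BYTES = BLOCK_BITS // 8
TARGET_MIN_ENTROPY = 382       # bits the slides require before the conditioner runs
MIN_ENTROPY_PER_SAMPLE = 0.97  # the per-sample lower bound the slides assume for the latch source


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (an assumption of this example): HMAC-SHA-256 truncated to 16 bytes.
    The universality theorem on the slides is proved for a block cipher such as AES; this keyed
    function keeps the example dependency-free but carries no such proof."""
    assert len(key) == BLOCK_BYTES and len(block) == BLOCK_BYTES
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_BYTES]


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, message: bytes) -> bytes:
    """CBC-MAC as defined on the slide: tag <- 0; for each block M_i: tag <- E_K(M_i xor tag)."""
    if len(message) == 0 or len(message) % BLOCK_BYTES:
        raise ValueError("message must be a positive multiple of the block size")
    tag = bytes(BLOCK_BYTES)
    for i in range(0, len(message), BLOCK_BYTES):
        tag = block_encrypt(key, xor_blocks(message[i:i + BLOCK_BYTES], tag))
    return tag


def samples_needed(target_bits=TARGET_MIN_ENTROPY, h_min=MIN_ENTROPY_PER_SAMPLE) -> int:
    """ceil(382 / 0.97) = 394 raw samples per conditioner invocation."""
    return math.ceil(target_bits / h_min)


def buffer_bits(n_samples: int) -> int:
    """The raw-sample buffer rounded up to whole 128-bit blocks (394 samples -> 512 bits, 4 blocks)."""
    return math.ceil(n_samples / BLOCK_BITS) * BLOCK_BITS


def lhl_security_bits(n_out=BLOCK_BITS, m=TARGET_MIN_ENTROPY) -> float:
    """-log2 of the Leftover Hash Lemma bound with eta ~ 0: (2^(n-m))^(1/2) / 2 = 2^(63 - m/2) for n = 128."""
    return (m - n_out) / 2 + 1


def pack_bits(bits) -> bytes:
    """Pack a list of 0/1 samples into bytes, MSB first."""
    if len(bits) % 8:
        raise ValueError("bit count must be a multiple of 8")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def condition(key: bytes, raw_bits) -> bytes:
    """One conditioner invocation: a full buffer of raw samples -> one 128-bit output.
    Assumption of this example: the whole 512-bit buffer is filled with raw samples, so the
    conditioner always sees >= 394 samples and therefore >= 382 bits of min-entropy."""
    needed = buffer_bits(samples_needed())
    if len(raw_bits) != needed:
        raise ValueError(f"conditioner expects exactly {needed} raw samples")
    return cbc_mac(key, pack_bits(raw_bits))


if __name__ == "__main__":
    rng = random.Random(2012)                     # constructed raw samples, not a real entropy source
    raw = [rng.randrange(2) for _ in range(buffer_bits(samples_needed()))]
    key = bytes(range(16))                        # constructed conditioner key
    print("samples per invocation:", samples_needed(), " buffer bits:", buffer_bits(samples_needed()))
    print("entropy tax (bits):", samples_needed() - BLOCK_BITS, " LHL bound: 2^-", lhl_security_bits())
    print("conditioned output:", condition(key, raw).hex())
```

lhl_security_bits is the slide's 2^(63 – m/2) turned around: it returns the number of bits of security the bound buys for a given m, so the design question "how much min-entropy must the buffer hold?" becomes a one-line check rather than a derivation.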
The Classifier and Samples Buffer
Health Tests
• We need two types of tests
  – Are samples distributed according to our model?
    • Can't claim min-entropy unless samples are distributed according to the model
  – How much entropy do samples appear to have?
    • To sanity check the model
• The Health Tests
  – Hypothesis testing to evaluate the samples' faithfulness to the assumed distribution and to estimate the amount of entropy present
  – Add each sampled entropy source bit into the Buffer
  – Invoke the Conditioner after accumulating 382 bits of min-entropy (usually 394 samples)
  – Runs of samples are "healthy" only if "accepted" by all tests
  – Health Tests report an error if too many successive samples are unhealthy
    • Hardware is assumed to have broken
A New Design: Health Tests and Buffer
Testing Discussion
• Many standard statistics assume independent and identically distributed (IID) data
• Our entropy source does not meet the independence assumption
  – An Ornstein-Uhlenbeck process is stationary and ergodic with finite memory
• Dependent data can cause statistical tests based on the IID assumption to over-estimate entropy and mis-classify samples
• We have implemented a diverse battery of tests to minimize the probability that the source's entropy is over-estimated or samples mis-classified
• Different entropy tests will inevitably yield different confidence levels, so we always use the most conservative result
• We rely on intellectual property acquired from 3rd parties for most tests
A New Design: Health Tests and Buffer
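An added Python example (not from the talk) for the Binary Stationary Source model above and for the testing-discussion point that IID-based estimates over-estimate the entropy of dependent data. It simulates a one-bit-memory Markov source, estimates its transition probabilities, and compares the min-entropy an IID estimator would credit with the conditional min-entropy an adversary who has seen the previous bit actually faces. The reading Pr[X_n = X_{n–1}] = p of the slide's model and the function names are this example's own; the samples are constructed with Python's random module, not hardware output.

```python
import math
import random


def simulate_markov_bits(n, p_same, seed=7):
    """Binary stationary source with one bit of memory (assumed reading of the slide's model):
    Pr[X_n = X_{n-1}] = p_same. Its marginal is Pr[X_n = 1] = 1/2 regardless of p_same."""
    rng = random.Random(seed)             # constructed samples, not a hardware source
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < p_same else 1 - bits[-1])
    return bits


def iid_min_entropy_estimate(bits):
    """Per-sample min-entropy if the samples were IID: -log2 of the larger marginal frequency."""
    p1 = sum(bits) / len(bits)
    return -math.log2(max(p1, 1 - p1))


def transition_estimates(bits):
    """Estimated one-step transition probabilities Pr[next = b | prev = a], keyed (a, b)."""
    counts = {(a, b): 0 for a in (0, 1) for b in (0, 1)}
    for a, b in zip(bits, bits[1:]):
        counts[(a, b)] += 1
    probs = {}
    for a in (0, 1):
        total = counts[(a, 0)] + counts[(a, 1)]
        for b in (0, 1):
            probs[(a, b)] = counts[(a, b)] / total if total else 0.0
    return probs


def markov_min_entropy_estimate(bits):
    """Per-sample min-entropy crediting the one-bit memory: an adversary who has seen the previous
    bit guesses the most likely transition, so H_inf = -log2(max_{a,b} Pr[next = b | prev = a])."""
    return -math.log2(max(transition_estimates(bits).values()))


def markov_min_entropy_exact(p_same):
    """Closed form for the model: -log2 of the larger of p_same and 1 - p_same."""
    return -math.log2(max(p_same, 1 - p_same))


def max_transition_probability_for(h_min):
    """Largest transition probability compatible with h_min bits per sample (0.97 -> about 0.5105)."""
    return 2 ** (-h_min)


if __name__ == "__main__":
    for p in (0.5, 0.6, 0.9):
        bits = simulate_markov_bits(20000, p)
        print(f"p_same={p}: IID estimate {iid_min_entropy_estimate(bits):.3f} bits, "
              f"Markov estimate {markov_min_entropy_estimate(bits):.3f} bits "
              f"(exact {markov_min_entropy_exact(p):.3f})")
    print("transition probability allowed by H_inf >= 0.97:", round(max_transition_probability_for(0.97), 4))
```

With p_same = 0.9 the marginal is still a fair coin, so an IID estimator reports almost a full bit per sample while the conditional estimate is about 0.15 bits: this is the over-estimation the slide warns about, and it is why a test that credits entropy must model the memory the source actually has. The last line turns the slide's H∞ ≥ 0.97 target into the transition-probability band the circuit has to stay inside.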
Example Test: Maurer's Universal Statistic
• Directly estimates the entropy in X by measuring the amount of redundant information
• This statistic only assumes that X is stationary and ergodic with finite memory
  – Does not assume samples from X are independent and identically distributed
• Let X = {X_1, . . ., X_t} denote outputs from an entropy source (in Maurer's formulation each X_j is an L-bit block of source output)
• Partition X_1, . . ., X_t into two groups
  – X_1, . . ., X_q constitute a "compression dictionary"
  – X_{q+1}, . . ., X_{q+k}, where q + k = t, are the samples that are scored
• For j > 0 define
  – A(X_j) = j if X_j ≠ X_i for all i < j, and otherwise
  – A(X_j) = min{i : i ≥ 1, X_j = X_{j–i}}, the distance back to the most recent earlier occurrence of the same value
• Maurer's Universal statistic is µ_X = (Σ_{j=q+1..t} log2 A(X_j))/k
  – A redundant source repeats values at short distances, giving small A(X_j) and a small statistic; the statistic is compared with its expected value for an ideal source
A New Design: Health Tests and Buffer
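Maurer's statistic as defined above, implemented as an added Python example (not Intel's test logic). The grouping of source bits into L-bit symbols and the default dictionary size q = 10·2^L follow Maurer's 1992 paper; the function names are this example's own, and the input sequences are constructed.

```python
import math


def blocks_from_bits(bits, L):
    """Group a 0/1 sequence into L-bit symbols (Maurer's X_j), dropping any incomplete tail."""
    return [int("".join(map(str, bits[i:i + L])), 2) for i in range(0, len(bits) - L + 1, L)]


def distances_to_previous_occurrence(symbols):
    """A(X_j) as on the slide (1-indexed positions): j if X_j has not occurred before,
    otherwise the distance to the most recent earlier occurrence of the same symbol."""
    last_seen = {}
    out = []
    for j, x in enumerate(symbols, start=1):
        out.append(j - last_seen[x] if x in last_seen else j)
        last_seen[x] = j
    return out


def maurer_statistic(symbols, q):
    """(1/k) * sum_{j=q+1..q+k} log2 A(X_j): the first q symbols are the dictionary,
    the remaining k = t - q symbols are scored. Larger means less redundancy."""
    if not 0 < q < len(symbols):
        raise ValueError("dictionary size q must leave at least one symbol to score")
    A = distances_to_previous_occurrence(symbols)
    k = len(symbols) - q
    return sum(math.log2(a) for a in A[q:]) / k


def maurer_entropy_per_bit(bits, L=1, q=None):
    """Statistic per source bit. For an ideal source it tends to Maurer's tabulated expectation
    (about 0.7326 for L = 1), not to 1.0, so a health test compares against that table rather
    than against L."""
    symbols = blocks_from_bits(bits, L)
    q = q or 10 * (2 ** L)           # Maurer's suggested dictionary size
    return maurer_statistic(symbols, q) / L


if __name__ == "__main__":
    # Constructed inputs: a stuck-at source, a strictly alternating source, and a 4-symbol cycle.
    print("stuck:      ", maurer_statistic([0] * 20, 5))
    print("alternating:", maurer_statistic([0, 1] * 10, 4))
    print("cycle of 4: ", maurer_statistic([0, 1, 2, 3] * 4, 4))
```

The three constructed inputs show why the statistic is a redundancy measure: a stuck source scores 0 (every value recurs at distance 1), a strictly alternating one scores exactly 1, and a period-4 cycle scores exactly 2, even though all three are fully predictable. That is the limitation the talk answers with a battery of different tests: Maurer's statistic bounds entropy from above for a stationary ergodic source and is useful for catching gross failures, but a single statistic cannot certify randomness.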
The Rate Matcher
Motivation
• RdRand meant as an instruction providing cryptographic entropy
• Instructions need to have deterministic execution time and low latency
• Conditioner can generate 128 bits of entropy every 394 cycles = 64 bits every 197 cycles
• Software can issue a burst of RdRand instructions at a much faster rate
• We also need a random key for the Conditioner's AES-CBC-MAC implementation
A New Design: The Rate Matcher
Rate Matcher
Rate Matcher = the SP 800-90 RBG (an AES counter-mode DRBG)
State: key K, counter c, reseed counter v
Init:
  K ← 0^128, c ← 0^128, v ← 0
Generate (outputs r):
  c ← c + 1, r ← AES_K(c)
  c ← c + 1, x ← AES_K(c)
  c ← c + 1, y ← AES_K(c)
  K ← K ⊕ x, c ← c ⊕ y
  v ← v + 1
Reseed(s, t) (s, t: 128-bit seed material from the Conditioner):
  c ← c + 1, x ← AES_K(c)
  c ← c + 1, y ← AES_K(c)
  K ← K ⊕ x ⊕ s, c ← c ⊕ y ⊕ t
  v ← 0
A New Design: The Rate Matcher
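The Init / Generate / Reseed transitions above as a runnable state machine. This Python class is an added example, not Intel's implementation: AES-128 is replaced by an HMAC-SHA-256 stand-in (marked in the code), the reseed limit of 512 Generate calls and the one-Generate-per-RdRand mapping are assumptions taken from the slides' numbers, and the seed values are constructed. It exists to show the key/counter update, the backtracking resistance it gives, and the broken-state behaviour, not to be used as a DRBG.

```python
import hashlib
import hmac

BLOCK_BYTES = 16
RESEED_LIMIT = 512   # the slides: hardware declares itself broken if v reaches 512 without a reseed


def aes_stand_in(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption (assumption of this example): HMAC-SHA-256 truncated to
    16 bytes. Counter mode never decrypts, so a keyed PRF is enough to exercise the state
    machine; it is not the cipher the hardware uses and inherits none of AES's analysis."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_BYTES]


def increment(counter: bytes) -> bytes:
    return ((int.from_bytes(counter, "big") + 1) % (1 << 128)).to_bytes(BLOCK_BYTES, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RateMatcher:
    """State (K, c, v) and the Init / Generate / Reseed transitions from the slide."""

    def __init__(self):
        self.init()

    def init(self):
        self.K = bytes(BLOCK_BYTES)   # K <- 0^128
        self.c = bytes(BLOCK_BYTES)   # c <- 0^128
        self.v = 0                    # Generate calls since the last reseed
        self.broken = False

    def _next(self) -> bytes:
        """c <- c + 1; return AES_K(c)."""
        self.c = increment(self.c)
        return aes_stand_in(self.K, self.c)

    def generate(self) -> bytes:
        """r <- AES_K(c+1); x <- AES_K(c+2); y <- AES_K(c+3); K <- K xor x; c <- c xor y; v <- v+1.
        Refuses to run once v has reached RESEED_LIMIT and marks the hardware broken."""
        if self.broken or self.v >= RESEED_LIMIT:
            self.broken = True
            raise RuntimeError("RNG broken: reseed limit reached without a reseed")
        r = self._next()
        x = self._next()
        y = self._next()
        self.K = xor(self.K, x)       # backtracking resistance: the key that produced r is gone
        self.c = xor(self.c, y)
        self.v += 1
        return r

    def reseed(self, s: bytes, t: bytes):
        """x <- AES_K(c+1); y <- AES_K(c+2); K <- K xor x xor s; c <- c xor y xor t; v <- 0.
        s and t are 128-bit conditioner outputs (the 'extracted entropy' in the block diagram)."""
        if len(s) != BLOCK_BYTES or len(t) != BLOCK_BYTES:
            raise ValueError("seed material must be two 128-bit blocks")
        x = self._next()
        y = self._next()
        self.K = xor(xor(self.K, x), s)
        self.c = xor(xor(self.c, y), t)
        self.v = 0

    def rdrand(self) -> bytes:
        """64 bits per call, as the RdRand interface provides. Assumption of this example: one
        Generate per RdRand, returning the first 64 bits of r (the slides do not say how r is split)."""
        return self.generate()[:8]

    def get_status(self) -> bool:
        """The 1-bit Get Status register: True while the RNG believes it is working."""
        return not self.broken


if __name__ == "__main__":
    rm = RateMatcher()
    rm.reseed(bytes(range(16)), bytes(range(16, 32)))   # constructed seed, not conditioner output
    print("RdRand:", rm.rdrand().hex(), rm.rdrand().hex(), " status:", rm.get_status())
```

Two properties worth tracing through the code: after every Generate the key that produced r has been replaced by K ⊕ x, so a later state compromise does not reveal earlier outputs (the backtracking attack listed in the backup slides), and the v counter makes the reseed obligation enforceable, which is what lets the interface slide bound the adversary's advantage in terms of the number of reads q between reseeds.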
RNG Interface
API functions
• Goal: Provide a FIPS 140 cryptographic boundary around internal state
  – Defined API is the only means of crossing this boundary
• RdRand – provide 64 bits of cryptographic entropy
  – Worst case: Rate Matcher reseeded every 512 RdRand instructions
    • The hardware declares itself broken if it doesn't reseed sooner, i.e., v ≥ 512
  – An adversary's advantage against counter mode is no better than Adv_AES(q, t) + q^2/2^129, where
    • q = maximum number of reads
    • t = maximum time adversary invests in the attack
• RdKey – provide 64 bits of information-theoretic entropy
  – Not yet implemented
• GetStatus – 1-bit register to indicate whether the RNG hardware is working properly
A New Design: The RNG Interface
Side Channels
• Timing and power analysis attacks
  – The RNG crypto and classifier blocks can always be built to thwart timing and power analysis
• Power glitching attacks
  – RNG turns itself off when voltage or temperature goes out of spec
  – The RNG reinitializes itself when power and voltage return to spec
• EMI attacks
  – Still needs more work to understand the EMI characteristics of the design
A New Design: The RNG Interface
Built-‐in Self-‐Tests
Why Built-In Self Tests?
• To support debug most modern hardware provides access to all internal registers using scan chains
• Examining register values through scan chains is becoming a routine attack vector
• The RNG has numerous internal registers
  – Conditioner key
  – Rate Matcher's parameters K, c, v
  – Registers for Conditioner output
  – Registers for the health test statistics
  – Classified samples buffer
• Strategy: Use built-in self-tests to evaluate whether the blocks implementing the RNG are operating correctly
  – No scan chains through the RNG
  – RNG status register is the only way to determine the circuit's state
A New Design: BIST
Summary
• Cryptography is impossible without randomness
• Theory is an indispensable and practical design tool
  – The theory of universal hash families tells us how many samples to collect to get a full-entropy output
  – It also gives requirements for the entropy source
  – Stochastic processes for modeling the entropy source
  – Finding the right statistical tests
  – Building a DRBG that resists attack
• The chain of evidence presented suggests the Ivy Bridge RNG delivers cryptographic entropy at over 1 Gbps
Feedback?
BACKUP
How do Attacks Work?
[Figure: a functional block with Input and Output interfaces]
Functional block communicates with its environment through interfaces
Adversary monitors information exchanged via interfaces to learn something it shouldn't
Or adversary injects information and control through the interface to make the algorithm act outside its specification
Security must treat the environment itself as the adversary
H∞(X) ≤ H(X)
• Assume Σ_{s∈S} X(s) = 1, i.e., X is a probability distribution on S
  – Not essential; just simplifies the reasoning
• The Rényi entropy (of order 2, the collision entropy) is H_ren(X) = –log2(Σ_{s∈S} X(s)^2)
• Σ_{s∈S} X(s)^2 ≤ Σ_{s∈S} X(s)·max{X(s) : s ∈ S} = max{X(s) : s ∈ S}
• Therefore
  – log2(Σ_{s∈S} X(s)^2) ≤ log2(max{X(s) : s ∈ S}) and
  – H∞(X) = –log2(max{X(s) : s ∈ S}) ≤ –log2(Σ_{s∈S} X(s)^2) = H_ren(X)
• Since log2(⋅) is concave, Jensen's inequality implies log2(Σ_{s∈S} X(s)·X(s)) ≥ Σ_{s∈S} X(s)·log2(X(s)), so
• H∞(X) ≤ H_ren(X) = –log2(Σ_{s∈S} X(s)^2) ≤ –Σ_{s∈S} X(s)·log2(X(s)) = H(X)
Ornstein-Uhlenbeck Processes
• The only process which is stationary, Markov and Gaussian
• Over time the process tends to drift toward its long-term mean
• Represented as a stochastic differential equation
  dX_t = θ(µ – X_t)dt + σdW_t
  – µ = long-term mean
  – var(X_t) = σ^2/2θ is bounded
  – W_t is a Wiener process (Brownian motion)
• Scaling limit of a discrete process
  – An urn contains red and green balls
  – At each step a ball is drawn randomly and replaced by a ball with the opposite color
  – If X_n = number of red balls at step n, then (X_{nt} – n/2)/√n converges to an Ornstein-Uhlenbeck process
DRBG Attacks
• Direct cryptanalytic attack
• Input attacks
• Backtracking attack
• Permanent compromise
• Iterative guessing attack
• Meet-in-the-Middle attack