Dan Boneh Block ciphers The data encryption standard (DES) Online Cryptography Course Dan Boneh.
Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan...
-
Upload
antoine-maggard -
Category
Documents
-
view
217 -
download
0
Transcript of Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan...
![Page 1: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/1.jpg)
Ensuring High-Quality Randomness in Cryptographic Key Generation
Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford
Bryan Ford - Yale
20th ACM Conference on Computer and Communications Security6 November 2013
![Page 2: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/2.jpg)
Image courtesy NASA Johnson Space Center
n = pq
![Page 3: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/3.jpg)
n = pq n’ = pq’
![Page 4: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/4.jpg)
n = pq n’ = pq’
![Page 5: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/5.jpg)
n = pq n = pq’
[Heninger et al. USENIX Sec ’12][Lenstra et al. CRYPTO ’12]
If keys are the same Can read neighbor’s traffic
If keys share a factor Anyone can factor RSA
modulus
gcd(n, n’) = gcd(pq, pq’) = p
100,000s of vulnerable keys
![Page 6: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/6.jpg)
Common Failure Modes
1) App never reads strong random valuesbytes = Hash(time(), get_pid(), pwd);
[CVE-2001-0950, CVE-2001-1467, CVE-2005-3087, CVE-2006-1378, CVE-2008-0141, CVE-2008-2108, CVE-2009-3278]
2) App misuses random valuesbytes = read_block(‘/dev/random’);// ...bytes = Hash(time());
[CVE-2001-1141, CVE-2003-1376, CVE-2008-0166, CVE-2011-3599]
![Page 7: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/7.jpg)
State of the art
Does this key incorporate strong
randomness?
![Page 8: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/8.jpg)
State of the art
?!?!?!
![Page 9: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/9.jpg)
State of the art
CA
?!?!?!
![Page 10: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/10.jpg)
Goal
Does this key incorporate strong
randomness?
CA
![Page 11: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/11.jpg)
Random values
DeviceEntropy
Authority (EA)
bytes = read_from_EA();// ...// ...bytes = Hash(time());
![Page 12: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/12.jpg)
Incorporate local and remote randomness into secrets
Check proof,Sign pk
Random values
, proof
DeviceEntropy
Authority (EA)
Proof does not reveal the device’s secrets
EA
![Page 13: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/13.jpg)
Goal
CA vouches for identityEA vouches for randomness
EA
EA’s signature
![Page 14: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/14.jpg)
1) Output public key is as “random” as possible
key_entropy = max(device_entropy,
ea_entropy);
2) If device uses strong randomness source, it is no worse off by running the protocol
– Does not leak secrets to EA
System Goals
![Page 15: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/15.jpg)
Outline
• Motivation• Threat Model• Protocol• Evaluation
![Page 16: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/16.jpg)
Outline
• Motivation• Threat Model• Protocol• Evaluation
![Page 17: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/17.jpg)
Threat model
Adversary: can eavesdrop on everything except for a one-time “set-up phase”
Device: tries to generate correctly formed key drawn from distribution with low min-entropy
– Device is correct otherwise
Captures many real-worldrandomness threats
![Page 18: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/18.jpg)
Preliminaries
• Homomorphic commitments [Pedersen, Crypto ‘91]
– Commitment to x: C(x) = gxhr
– Given C(x) and C(y), can compute C(x+y)
• ZK proof of knowledge for multiplication– Given C(x), C(y), z, prove in zero knowledge
that z = xy mod Q– bool Verify(π, C(x), C(y), z)
![Page 19: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/19.jpg)
Outline
• Motivation• Threat Model• Protocol• Evaluation
![Page 20: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/20.jpg)
C(x), C(y)
x’, y’
n, δx, δy, π
Find δs to makep = x+x’+δx
q = y+y’+δy
RSA primes.π = Prove(n=pq). Check δs are small
Verify(π, C(p), C(q), n),sign public key
Prevents device from setting x = –x’
σ(n)
C(p) = C(x)gx’+δx
Prevents device from setting δx = –x’
![Page 21: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/21.jpg)
Security Properties
• If the device uses strong randomness EA learns no useful info about the secrets
• If the device uses strong randomness OR the EA is correct: Device ends up with a strong key
Even if the EA is untrustworthy, device is better off running the protocol
![Page 22: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/22.jpg)
C(x), C(y)
x’, y’
n, δx, δy, π
Zero-knowledge proof leaks no info
δs are O(log p), so they don’t leak “much”
Claim 1: If device uses strong randomness, EA learns no useful info
Randomized commitments leak
no info
![Page 23: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/23.jpg)
C(x), C(y)
x’, y’
n, δx, δy, π
Claim 2: Correct EA will never sign a key sampled from a distribution with low min-entropy
Given x, x’, y, y’, there are only a few valid keys
![Page 24: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/24.jpg)
C(x), C(y)
x’, y’
n, δx, δy, π
Claim 2: Correct EA will never sign a key sampled from a distribution with low min-entropy
A faulty device’s only option is to pick
a “tricky” x and y
We prove that no such “tricky” values exist
![Page 25: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/25.jpg)
Multiple Entropy Authorities
![Page 26: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/26.jpg)
Outline
• Motivation• Threat Model• Protocol• Evaluation
![Page 27: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/27.jpg)
Key Generation Time
No proto Proto Proto+net Slowdown
RSA 2048 59.16 96.93 101.57 1.7x
EC-DSA224 0.45 0.84 1.61 3.6x
• Wall-clock time (in seconds) to generate a key on a Linksys E2500-NP home router.
• EA is modern Linux server 5000 km away (80ms RTT)Less than 2x
slowdown for RSALess than 2 seconds for EC-DSA
![Page 28: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/28.jpg)
Computational Overhead
Overhead diminishes for RSA keys
Slowdown tends to 4x for EC-DSA keys
![Page 29: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/29.jpg)
Computational Bottlenecks
RSA-2048 key on Linksys E2500-NP home router
Protocol cost
![Page 30: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/30.jpg)
Related Work
• Hedged PKC [Bellare et al., ASIACRYPT ’09]
• Better random values– Hardware RNG– Entropics [Mowery et al. Oakland ’13]
• Juels-Guajardo Protocol [PKC ‘02]– Defends against kleptography– Requires heavier primitives
(24x more big exponentiations)
![Page 31: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/31.jpg)
Today
?!?!?!?!
![Page 32: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/32.jpg)
With our protocol
EA
![Page 33: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/33.jpg)
Conclusion
• Using “entropy authorities” is a practical way to prevent weak cryptographic keys
• Other parts of the stack need help too– Signing nonces, ASLR, DNS source ports, …
• Interested in running an entropy authority? Let’s talk!
![Page 34: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/34.jpg)
Questions?
Henry Corrigan-Gibbs
http://github.com/henrycg/earand
Thanks to David Wolinsky, Ewa Syta, Phil Levis, Suman Jana,
and Zooko Wilcox-O’Hearn.
![Page 35: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/35.jpg)
![Page 36: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/36.jpg)
p
q
Q
Q
Warning:Simplification
ahead!
![Page 37: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/37.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’ and y’ are k-bit values, so box has area
22k
Picked by device
Max EA value
Order of group
2k
2k
![Page 38: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/38.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’
y’
EA’s random choice of x’ and y’ determines n (+/- δs)
![Page 39: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/39.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’
y’
![Page 40: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/40.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’
y’
We prove: for every valid n, the chance that EA
“lands on” n is negligible
![Page 41: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/41.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’
y’
![Page 42: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/42.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’
y’
![Page 43: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/43.jpg)
p
q
Q
Q
x
y
y+2k
x’
y’
![Page 44: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/44.jpg)
p
q
Q
Q
x
y
x+2k
y+2k
x’
y’
Proof holds no matter how the device picks x, y
![Page 45: Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20 th ACM Conference.](https://reader035.fdocuments.us/reader035/viewer/2022062511/5518bf37550346a61f8b54cb/html5/thumbnails/45.jpg)
Our Goal
Device
Entropy Authority
Strong randomness
Weak randomness
Strong randomness
Weak randomness /
Malicious Reveals device’s secrets to EA only