Enhancing Cryptographic Key Generation with High-Quality Randomness

Slide Note
Embed
Share

This presentation discusses the critical aspect of ensuring high-quality randomness in cryptographic key generation processes. It explores key vulnerabilities and common failure modes, emphasizing the importance of incorporating strong randomness. The content delves into various methods and issues related to randomness in cryptographic key generation, with insights from research studies and industry practices.

zyan
zyan Follow

Uploaded on Sep 17, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Ensuring High-Quality Randomness in Cryptographic Key Generation Henry Corrigan-Gibbs, Wendy Mu, Dan Boneh - Stanford Bryan Ford - Yale 20th ACM Conference on Computer and Communications Security 6 November 2013

  2. n = pq Image courtesy NASA Johnson Space Center

  3. n = pq n = pq

  4. n = pq n = pq

  5. [Heninger et al. USENIX Sec 12] [Lenstra et al. CRYPTO 12] If keys are the same Can read neighbor s traffic If keys share a factor Anyone can factor RSA modulus n = pq gcd(n, n ) = gcd(pq, pq ) = p n = pq 100,000s of vulnerable keys

  6. Common Failure Modes 1) App never reads strong random values bytes = Hash(time(), get_pid(), pwd); [CVE-2001-0950, CVE-2001-1467, CVE-2005-3087, CVE-2006- 1378, CVE-2008-0141, CVE-2008-2108, CVE-2009-3278] 2) App misuses random values bytes = read_block( /dev/random ); // ... bytes = Hash(time()); [CVE-2001-1141, CVE-2003-1376, CVE-2008-0166, CVE-2011- 3599]

  7. State of the art Does this key incorporate strong randomness?

  8. State of the art ?!?!?!

  9. State of the art ?!?!?! CA

  10. Goal Does this key incorporate strong randomness? CA

  11. Entropy Authority (EA) Device Random values bytes = read_from_EA(); // ... // ... bytes = Hash(time());

  12. Entropy Authority (EA) Device Random values Proof does not reveal the device s secrets Incorporate local and remote randomness into secrets , proof Check proof, Sign pk EA

  13. Goal EA s signature EA CA vouches for identity EA vouches for randomness

  14. System Goals 1) Output public key is as random as possible key_entropy = max(device_entropy, ea_entropy); 2) If device uses strong randomness source, it is no worse off by running the protocol Does not leak secrets to EA

  15. Outline Motivation Threat Model Protocol Evaluation

  16. Outline Motivation Threat Model Protocol Evaluation

  17. Threat model Adversary: can eavesdrop on everything except for a one-time set-up phase Device: tries to generate correctly formed key drawn from distribution with low min-entropy Device is correct otherwise Captures many real-world randomness threats

  18. Preliminaries Homomorphic commitments [Pedersen, Crypto 91] Commitment to x: C(x) = gxhr Given C(x) and C(y), can compute C(x+y) ZK proof of knowledge for multiplication Given C(x), C(y), z, prove in zero knowledge that z = xy mod Q bool Verify( , C(x), C(y), z)

  19. Outline Motivation Threat Model Protocol Evaluation

  20. Prevents device from setting x = x C(x), C(y) x , y C(p) = C(x)gx + x Prevents device from setting x = x Find s to make p = x+x + x q = y+y + y RSA primes. = Prove(n=pq). n, x, y, Check s are small Verify( , C(p), C(q), n), sign public key (n)

  21. Security Properties If the device uses strong randomness EA learns no useful info about the secrets If the device uses strong randomness OR the EA is correct: Device ends up with a strong key Even if the EA is untrustworthy, device is better off running the protocol

  22. Claim 1: If device uses strong randomness, EA learns no useful info Randomized commitments leak no info C(x), C(y) x , y Zero-knowledge proof leaks no info s are O(log p), so they don t leak much n, x, y,

  23. Claim 2: Correct EA will never sign a key sampled from a distribution with low min-entropy C(x), C(y) Given x, x , y, y , there are only a few valid keys x , y n, x, y,

  24. Claim 2: Correct EA will never sign a key sampled from a distribution with low min-entropy C(x), C(y) x , y A faulty device s only option is to pick a tricky x and y We prove that no such tricky values exist n, x, y,

  25. Multiple Entropy Authorities

  26. Outline Motivation Threat Model Protocol Evaluation

  27. Key Generation Time Wall-clock time (in seconds) to generate a key on a Linksys E2500-NP home router. EA is modern Linux server 5000 km away (80ms RTT) Less than 2x slowdown for RSA Less than 2 seconds for EC-DSA No proto Proto Proto+net Slowdown 59.16 96.93 101.57 1.7x RSA 2048 EC-DSA 224 0.45 0.84 1.61 3.6x

  28. Computational Overhead Slowdown tends to 4x Overhead diminishes for RSA keys for EC-DSA keys

  29. Computational Bottlenecks Protocol cost RSA-2048 key on Linksys E2500-NP home router

  30. Related Work Hedged PKC [Bellare et al., ASIACRYPT 09] Better random values Hardware RNG Entropics [Mowery et al. Oakland 13] Juels-Guajardo Protocol [PKC 02] Defends against kleptography Requires heavier primitives (24x more big exponentiations)

  31. Today ?!?!?!?!

  32. With our protocol EA

  33. Conclusion Using entropy authorities is a practical way to prevent weak cryptographic keys Other parts of the stack need help too Signing nonces, ASLR, DNS source ports, Interested in running an entropy authority? Let s talk!

  34. Questions? Henry Corrigan-Gibbs henrycg@stanford.edu http://github.com/henrycg/earand Thanks to David Wolinsky, Ewa Syta, Phil Levis, Suman Jana, and Zooko Wilcox-O Hearn.

  35. q Q Warning: Simplification ahead! p Q

  36. q x and y are k-bit values, so box has area 22k Q y+2k 2k y 2k x x+2k Max EA value p Q Order of group Picked by device

  37. q EA s random choice of x and y determines n (+/- s) Q y+2k y y x x x+2k p Q

  38. q Q y+2k y y x x+2k x p Q

  39. q We prove: for every valid n, the chance that EA lands on n is negligible Q y+2k y y x x x+2k p Q

  40. q Q y+2k y y x x x+2k p Q

  41. q Q y+2k y y x x x+2k p Q

  42. q Q y+2k y y x x p Q

  43. q Q y+2k y y Proof holds no matter how the device picks x, y x+2k x p x Q

  44. Our Goal Device Entropy Authority Strong randomness Weak randomness Strong randomness Weak randomness / Malicious Reveals device s secrets to EA only

Related


Exploring Limited Randomness in Repeated Games

Exploring Limited Randomness in Repeated Games

riendeau_s
Cryptographic Reductions and Learning in Computational Complexity

Cryptographic Reductions and Learning in Computational Complexity

mali
Understanding Cryptographic Data Integrity Algorithms

Understanding Cryptographic Data Integrity Algorithms

nataniel
Understanding Probability and Randomness

Understanding Probability and Randomness

wolfgang
Understanding Probability and Randomness

Understanding Probability and Randomness

saga
Exploring the Impact of Randomness on Planted 3-Coloring Models

Exploring the Impact of Randomness on Planted 3-Coloring Models

westberg_j
High-Throughput True Random Number Generation Using QUAC-TRNG

High-Throughput True Random Number Generation Using QUAC-TRNG

vishnu
Understanding Security Goals and Cryptographic Algorithms

Understanding Security Goals and Cryptographic Algorithms

owain
Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview

Cryptographic Hash Functions in Data Security: Mustansiriyah University Course Overview

arley
The Power of Randomness in Computation

The Power of Randomness in Computation

lel_mi
Wholesale Storage Load Metering of Losses in Distributed Generation Battery Facility

Wholesale Storage Load Metering of Losses in Distributed Generation Battery Facility

lampkins_f
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography

kenna
Enhancing Information Retrieval with Augmented Generation Models

Enhancing Information Retrieval with Augmented Generation Models

pranav
Quantum Key Agreements and Random Oracles

Quantum Key Agreements and Random Oracles

fperi
Strategic Priorities for Sustainable Electricity Generation in Sierra Leone

Strategic Priorities for Sustainable Electricity Generation in Sierra Leone

elke
Development of Attosecond Theory for Nobel Prize through Verilog Programming

Development of Attosecond Theory for Nobel Prize through Verilog Programming

inia775
Key Management and Distribution Techniques in Cryptography

Key Management and Distribution Techniques in Cryptography

sena
Comparison of 2nd vs 3rd Generation Fire Suppression Systems

Comparison of 2nd vs 3rd Generation Fire Suppression Systems

damaris
Comprehensive Overview of Sewage Treatment Plant Processes and Energy Generation

Comprehensive Overview of Sewage Treatment Plant Processes and Energy Generation

bkal
McGill First Generation Orientation Event

McGill First Generation Orientation Event

ade_oli
IAEA series of lectures on Quality Management in Medical Radiological Practices

IAEA series of lectures on Quality Management in Medical Radiological Practices

vance
Understanding Quality of Life and Its Impact on Society

Understanding Quality of Life and Its Impact on Society

sjak
Leakage-Resilient Key Exchange and Seed Extractors in Cryptography

Leakage-Resilient Key Exchange and Seed Extractors in Cryptography

nataly
Understanding Pseudo-Noise Sequences and Applications

Understanding Pseudo-Noise Sequences and Applications

kaisen

More Related Content

Post-Quantum Cryptography in IEEE 802.11 - Current State and Future Concerns
Post-Quantum Cryptography in IEEE 802.11 - Current State and Future Concerns
Enhancing Introductory Statistics Instruction with GAISE Recommendations
Enhancing Introductory Statistics Instruction with GAISE Recommendations
Data Quality Reporting in Distribution Chain
Data Quality Reporting in Distribution Chain
Overview of Power Systems and Energy Generation
Overview of Power Systems and Energy Generation
High-Tech Survey Methods for Continuous Cadastral Map Generation
High-Tech Survey Methods for Continuous Cadastral Map Generation
Overcoming the UX Challenges Faced by FIDO Credentials in the Faced by FIDO Credentials in the Consumer Space
Overcoming the UX Challenges Faced by FIDO Credentials in the Faced by FIDO Credentials in the Consumer Space
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Rainbow Signatures Overview and New Attacks
Rainbow Signatures Overview and New Attacks
Cryptography Concepts and Encryption Methods Overview
Cryptography Concepts and Encryption Methods Overview
Basic Concepts in Number Theory and Finite Fields for Cryptography
Basic Concepts in Number Theory and Finite Fields for Cryptography
Securing Protocols with Fully Encrypted Protocols (FEPs)
Securing Protocols with Fully Encrypted Protocols (FEPs)
Exploring the Computer Science Behind Bitcoin
Exploring the Computer Science Behind Bitcoin
Great Coxwell Community Energy Project Feasibility Study
Great Coxwell Community Energy Project Feasibility Study
Next Generation Updates and Initiatives for 2022
Next Generation Updates and Initiatives for 2022
Lead Generation Strategies for SMB Success
Lead Generation Strategies for SMB Success
Understanding Software Quality and Testing in Modern Development
Understanding Software Quality and Testing in Modern Development
Comprehensive Overview of Quality Control in Blood Bank and Quality Assurance
Comprehensive Overview of Quality Control in Blood Bank and Quality Assurance
The Importance of a Chief Quality Officer in Healthcare Trusts
The Importance of a Chief Quality Officer in Healthcare Trusts
Understanding E-commerce Data Collection and Legal Frameworks
Understanding E-commerce Data Collection and Legal Frameworks
Challenges in Standard QUIC Protocol Implementation
Challenges in Standard QUIC Protocol Implementation
Overview of Cryptography Techniques and Algorithms
Overview of Cryptography Techniques and Algorithms
Understanding Diffie-Hellman Problems in Cryptography
Understanding Diffie-Hellman Problems in Cryptography
Understanding Blockchain Technology and Its Applications
Understanding Blockchain Technology and Its Applications
Understanding the Importance of Web Cryptography API and Its Application
Understanding the Importance of Web Cryptography API and Its Application