PKCS #14 Pseudo Random Number Generation


PKCS #14
Status of Work
Pseudo Random Number Generation
Jan-Ove Larsson
RSA Laboratories Europe
[email protected]
PKCS Workshop ’99
Sep 29 - Oct 1
Stockholm, Sweden
Outline
• Motivation for PRNG Standard
• Design Criteria
• Building Blocks
• Set of Operations for PRNG
• Model for PRNG
• Basic Security Properties
• Attacks on PRNGs
• Algo Proposals
Motivation for PRNG Standard
• Increases Security
• Complements Other Standards
• Support to Developers
- strength, correctness via test vectors
• Legal Aspects
- liability in cases of fraud
• Public Trust
- home-banking
- e-commerce
- other services
Design Criteria
• Build On
- proven security properties if possible
- well-studied algorithms and primitives
• Be Conservative
• Promote Simplicity
- better performance, easier to analyse
Building Blocks
In accordance with our design criteria we build the PRNG using well-studied algorithms and primitives. There are several possibilities, including:
• Block Ciphers
- CBC-MACs
• Stream Ciphers
• Modular Exponentiation Based
• Cryptographic Hash Functions
- HMACs
- NMACs
Set of Operations for PRNG
• State Update from New Seed
• State Advance after Output Generation
• Output Generation
• Save / Restore State
• Self-Test
Model for PRNG
(Diagram: seed input I is collected into the seed array X[ ]; H folds X[ ] into the internal state S; F advances S after each output; G derives the output array Y[ ] from S.)
Variables:
I, Input to Seed Array
X[ ], Array of Blocks of Seed Bytes
Y[ ], Array of Output Bytes
S, Internal State
Functions:
H, State Update From Seed
F, State Advance After Output
G, Generation of Output Bytes
Basic Security Properties
• Use Large Seed Blocks
• Knowledge of Part of Seed Shall Be of No Help For an Adversary
• Good Seed Usage: Make the State Depend on All Previous Seed
• Large, Unbiased Internal State
• Output Shall Pass Randomness Tests
• Output Shall Be Unpredictable
Attacks on PRNGs (1)
• Guessing of Seed
- The Entropy of X[i] Needs to Be Large to Prevent an Exhaustive Search Attack.
• Chosen Seed Input / State Cycle Shortening
(Diagram: Old State and the seed block X[ i ] are fed through H to give the New State.)
Attacks on PRNGs (2)
• Timing Attacks on State Advance Function
- Ensure That the Advance Function Takes Constant Time.
- If That Is Not Possible, Random Delays? Gives Worse Performance!
Attacks on PRNGs (3)
• Direct Cryptanalytic Attacks on the Output Generation Function
- Strong Cipher or Preimage Resistant Hash
- Truncate Output From the Output Generation Function
Attacks on PRNGs (4)
Attacks After a Compromise of State
• Backward Tracking Attack: After a Compromise of State, Try to Determine Previous Outputs.
• Forward Tracking
Algo Proposals (due to Bob Baldwin)
Cipher Based Single Width Algorithm
S = Counter Value, C = Counter Incr., K = Encr. Key
State Update From Seed:
K' = Hash( K || X[ i ] ), K = "" (empty string) at Initialization
S = C = Odd( Enc( K', 0 ) ), (K' determines State)
State Advance after Output:
S' = S + C ( mod 2 ** |S| )
Output Generation:
Y[ j ] = Enc( K , S)
Algo Proposals
Digest Based Single Width Algorithm
S = Counter Value, C = Counter Incr., K = Secret State
State Update From Seed:
K' = Hash( K || X[ i ] ), K = "" (empty string) at Initialization
S = C = Odd( Hash( K', 0 ) ), (K' determines State)
State Advance after Output:
S' = S + C ( mod 2 ** |S| )
Output Generation:
Y[ j ] = Hash( K || S)
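The following is an added worked example, not code from the workshop slides or from RSA Laboratories: it implements the Digest Based Single Width Algorithm above as the model's operations (H = update from seed, F = state advance, G = output generation, plus save/restore state and a self-test). It also carries two points from the attack slides: the state advance is a fixed-width ripple-carry add with no data-dependent early exit (the constant-time advance asked for against timing attacks), and each output block is truncated so an observer never sees a whole digest. The digest (SHA-256), the reading of "Hash(K', 0)" as the hash of K' followed by one zero byte, the 16-byte truncation, and the seed bytes are all assumptions of this example; the slides publish no test vectors.

```python
import hashlib
import hmac

DIGEST = "sha256"  # assumption: the slides do not fix a digest; SHA-256 is used here


def _hash(*parts: bytes) -> bytes:
    """Hash(a || b || ...) with the chosen digest."""
    h = hashlib.new(DIGEST)
    for p in parts:
        h.update(p)
    return h.digest()


def odd(block: bytes) -> bytes:
    """Odd(): set the least significant bit, so the increment C is odd and the
    counter S visits every value before repeating (full period mod 2**|S|)."""
    return block[:-1] + bytes([block[-1] | 1])


def add_mod_2n(s: bytes, c: bytes) -> bytes:
    """S' = S + C (mod 2**|S|): the state advance F.

    Fixed-width big-endian ripple-carry add.  Every byte is processed in the
    same way whatever its value, so there is no data-dependent early exit
    (the constant-time advance the timing-attack slide asks for).  The final
    carry is dropped, which is exactly the reduction mod 2**|S|.
    """
    if len(s) != len(c):
        raise ValueError("S and C must have the same width")
    out = bytearray(len(s))
    carry = 0
    for i in range(len(s) - 1, -1, -1):
        total = s[i] + c[i] + carry
        out[i] = total & 0xFF
        carry = total >> 8
    return bytes(out)


class DigestSingleWidthPRNG:
    """Digest Based Single Width Algorithm: K = secret state, S = counter, C = odd increment."""

    def __init__(self) -> None:
        self.K = b""            # K = "" at initialization
        self.S = self.C = b""   # no counter until the first seed block arrives

    def update_from_seed(self, x: bytes) -> None:
        """H: fold seed block X[i] into the state.  Chaining the old K into the
        hash makes the state depend on every seed block ever supplied."""
        self.K = _hash(self.K, x)                      # K' = Hash(K || X[i])
        self.S = self.C = odd(_hash(self.K, b"\x00"))  # S = C = Odd(Hash(K', 0)); assumption: "0" is one zero byte

    def advance(self) -> None:
        """F: state advance after each output block."""
        self.S = add_mod_2n(self.S, self.C)

    def generate(self, nbytes: int, keep: int = 16) -> bytes:
        """G: Y[j] = Hash(K || S), truncated to `keep` bytes per block, then advance."""
        if not self.S:
            raise RuntimeError("PRNG not seeded")
        out = bytearray()
        while len(out) < nbytes:
            out += _hash(self.K, self.S)[:keep]
            self.advance()
        return bytes(out[:nbytes])

    def save_state(self) -> dict:
        return {"K": self.K, "S": self.S, "C": self.C}

    def restore_state(self, state: dict) -> None:
        self.K, self.S, self.C = state["K"], state["S"], state["C"]


def self_test() -> bool:
    """Self-test: identical seeds give identical output, a restored state replays
    the same bytes, and the increment is odd.  The seed is constructed for this
    example; the slides publish no known-answer vector."""
    seed = b"constructed seed block for the self-test"
    a, b = DigestSingleWidthPRNG(), DigestSingleWidthPRNG()
    a.update_from_seed(seed)
    b.update_from_seed(seed)
    if not hmac.compare_digest(a.generate(48), b.generate(48)):
        return False
    snapshot = a.save_state()
    first = a.generate(20)
    a.restore_state(snapshot)
    if not hmac.compare_digest(first, a.generate(20)):
        return False
    return (a.C[-1] & 1) == 1 and len(a.S) == hashlib.new(DIGEST).digest_size
```

The self-test only checks properties that follow from the construction (determinism, replay after restore, odd increment); a real implementation would compare against the standard's published test vectors once they exist. Note that because both K and C are recoverable from a compromised state, this single-width design does not by itself resist the backward tracking attack listed later in the deck.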
Algo Proposals
Cipher Based Double Width Algorithm
KL = Cipher Key Length, BL = Cipher Block Length
"0x20" = Block of BL bytes each equal to 0x20
Dmac(K1, K2, S) = Enc(K1, CbcMac(K2, S))
H2(x) = Dmac("0x20", "0x20", x) || Dmac("0x21", "0x21", x)
Algo Proposals
Cipher Based Double Width Algorithm Cont’d
State Update From Seed:
Secret State is (K1, K2)
K1 || K2 = H2( K1 || K2 || X[ i ] ), K1 = K2 = "" (empty) at Init
C1 = Dmac(K1, K2, 2BL-zeros) ; S = C1 || BL-zeros
C2 = Dmac(K1, K2, S) ; C = S = C1 || C2 ; C = Odd(C)
State Advance after Output: S' = S + C ( mod 2 ** BL )
Output Generation: Y[ j ] = Dmac( K1, K2, S)
Algo Proposals
Digest Based Double Width Algorithm
BL = Output Block Length For Digest
ML = Input Block Length For the Digest Compression Fcn
H(x) = Digest of x
Ext(x) = ML-byte value, x padded to the right with 0-bytes
NMac(K1, K2, S) = H(Ext(K1) || H(Ext(K2) || S))
H2(K1, K2, x) = NMac(K1, K2, x) || NMac(K2, K1, x)
Algo Proposals
Digest Based Double Width Algorithm Cont’d
State Update From Seed:
Secret State is (K1, K2)
K1 || K2 = H2( K1 || K2 || X[ i ] ), K1 = K2 = "" (empty) at Init
C1 = NMac(K1, K2, 2BL-zeros) ; S = C1 || BL-zeros
C2 = NMac(K1, K2, S) ; C = S = C1 || C2 ; C = Odd(C)
State Advance after Output: S' = S + C ( mod 2 ** BL )
Output Generation: Y[ j ] = NMac( K1, K2, S)
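As an added example (not the workshop's or RSA Laboratories' code), the Digest Based Double Width Algorithm written out end to end: Ext, NMac and H2 exactly as defined on the two slides above, then the seed update, state advance and output generation. Assumptions of this example: SHA-256 as the digest (so BL = 32 and ML = 64), that the slide's "H2(K1 || K2 || X[i])" is keyed with the current (K1, K2), and that the modulus in "S' = S + C (mod 2 ** BL)" is the full width of S (2BL bytes), so the add simply wraps around. The seed bytes are constructed.

```python
import hashlib

DIGEST = "sha256"                              # assumption: the slides do not fix a digest
BL = hashlib.new(DIGEST).digest_size           # output block length of the digest (32)
ML = hashlib.new(DIGEST).block_size            # input block length of its compression function (64)


def H(x: bytes) -> bytes:
    """H(x) = digest of x."""
    return hashlib.new(DIGEST, x).digest()


def Ext(x: bytes) -> bytes:
    """Ext(x): x padded on the right with 0-bytes to an ML-byte value."""
    if len(x) > ML:
        raise ValueError("key longer than one compression-function block")
    return x + b"\x00" * (ML - len(x))


def NMac(k1: bytes, k2: bytes, s: bytes) -> bytes:
    """NMac(K1, K2, S) = H(Ext(K1) || H(Ext(K2) || S))."""
    return H(Ext(k1) + H(Ext(k2) + s))


def H2(k1: bytes, k2: bytes, x: bytes) -> bytes:
    """H2(K1, K2, x) = NMac(K1, K2, x) || NMac(K2, K1, x): a 2BL-byte result."""
    return NMac(k1, k2, x) + NMac(k2, k1, x)


def odd(b: bytes) -> bytes:
    """Odd(): force the low bit so the increment is odd."""
    return b[:-1] + bytes([b[-1] | 1])


class DigestDoubleWidthPRNG:
    """Secret state (K1, K2); counter S and increment C are 2BL bytes wide."""

    def __init__(self) -> None:
        self.K1 = self.K2 = b""   # K1 = K2 = "" at init
        self.S = self.C = b""

    def update_from_seed(self, x: bytes) -> None:
        # K1 || K2 = H2(K1 || K2 || X[i]); assumption: keyed with the current (K1, K2)
        kk = H2(self.K1, self.K2, self.K1 + self.K2 + x)
        self.K1, self.K2 = kk[:BL], kk[BL:]
        c1 = NMac(self.K1, self.K2, b"\x00" * (2 * BL))   # C1 = NMac(K1, K2, 2BL-zeros)
        s = c1 + b"\x00" * BL                              # S = C1 || BL-zeros
        c2 = NMac(self.K1, self.K2, s)                     # C2 = NMac(K1, K2, S)
        self.S = c1 + c2                                   # S = C1 || C2
        self.C = odd(self.S)                               # C = Odd(C1 || C2)

    def advance(self) -> None:
        # S' = S + C; assumption: reduced mod 2**(8 * len(S)), i.e. the full width of S
        width = len(self.S)
        total = int.from_bytes(self.S, "big") + int.from_bytes(self.C, "big")
        self.S = (total % (1 << (8 * width))).to_bytes(width, "big")

    def generate(self, nbytes: int) -> bytes:
        """Y[j] = NMac(K1, K2, S), then advance the state."""
        if not self.S:
            raise RuntimeError("PRNG not seeded")
        out = bytearray()
        while len(out) < nbytes:
            out += NMac(self.K1, self.K2, self.S)
            self.advance()
        return bytes(out[:nbytes])
```

The advance here uses plain integer arithmetic for brevity; a production implementation would use a fixed-width add with no data-dependent branches, as the timing-attack slide recommends. Reseeding with a fresh X[i] after a compromise replaces both K1 and K2, which is what limits forward tracking in this design.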