Practical state recovery attacks against legacy RNG implementations
Authors
Abstract
The ANSI X9.17/X9.31 random number generator is a pseudorandom number generator design based on a block cipher and updated using the current time. First standardized in 1985, variants of this PRNG design were incorporated into numerous cryptographic standards over the next three decades. It remained on the list of FIPS 140-1 and 140-2 approved random number generation algorithms until January 2016. The design uses a static key with the specified block cipher to produce pseudo-random output. It has been known since at least 1998 that the key must remain secret in order for the random number generator to be secure. However, neither the FIPS 140-2 standardization process in 2001 nor NIST's update of the algorithm in 2005 appears to have specified any process for key generation. We performed a systematic study of publicly available FIPS 140-2 certifications for hundreds of products that implemented the ANSI X9.31 random number generator, and found twelve whose certification documents describe the use of static hard-coded keys in source code, leaving them vulnerable to an attacker who can learn this key from the source code or binary. In order to demonstrate the practicality of this attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS version 4. Private key recovery requires a few seconds of computation. We measured the prevalence of this vulnerability on the visible Internet using active scans and found that we are able to recover the random number generator state for 21% of HTTPS hosts serving a default Fortinet product certificate, and 97% of hosts with metadata identifying FortiOSv4. We successfully demonstrate full private key recovery in the wild against a subset of these hosts that accept IPsec connections.
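The property the abstract relies on, that X9.31 output is fully determined by the block-cipher key and the timestamp, can be seen in a few lines. The following is an added illustration written for this page, not the paper's or any vendor's code: it implements the X9.31 update with AES-128 (I = E_K(D_t), R = E_K(I xor V), V' = E_K(R xor I)) and shows that a party holding a hard-coded key plus one output block can reproduce the next state, which is why the key must be generated secretly per device. The key, seed and timestamp values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// X931 holds the generator state: the block-cipher key K and the 16-byte seed V.
type X931 struct {
	key []byte
	v   []byte
}

func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt is a single AES block encryption E_K(block).
func encrypt(key, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, block)
	return out
}

// Next returns one output block R for timestamp block D_t and advances V.
func (g *X931) Next(dt []byte) []byte {
	i := encrypt(g.key, dt)            // I  = E_K(D_t)
	r := encrypt(g.key, xor16(i, g.v)) // R  = E_K(I xor V)
	g.v = encrypt(g.key, xor16(r, i))  // V' = E_K(R xor I)
	return r
}

// RecoverNextState computes V' from K, D_t and one observed R alone: the seed V
// is never needed, so a static, known key makes all later output predictable.
func RecoverNextState(key, dt, r []byte) []byte {
	return encrypt(key, xor16(r, encrypt(key, dt)))
}

// timestampBlock packs a counter into the low 8 bytes of a 16-byte D_t block (constructed format).
func timestampBlock(t uint64) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[8:], t)
	return b
}

var StaticKey = []byte("0123456789abcdef") // constructed stand-in for a hard-coded key
var InitialSeed = []byte("fedcba9876543210") // constructed seed, unknown to the observer

// Demo returns true when the observer, knowing only K, D_t and R1, predicts R2 exactly.
func Demo() bool {
	victim := &X931{key: StaticKey, v: append([]byte(nil), InitialSeed...)}
	r1 := victim.Next(timestampBlock(1000))
	predictor := &X931{key: StaticKey, v: RecoverNextState(StaticKey, timestampBlock(1000), r1)}
	r2 := victim.Next(timestampBlock(1001))
	return bytes.Equal(r2, predictor.Next(timestampBlock(1001)))
}

func main() { fmt.Println("next output predicted:", Demo()) }
```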
Similar resources
Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS
Despite recent high-profile attacks on the RC4 algorithm in TLS, its usage is still running at about 30% of all TLS traffic. This is attributable to the lack of practicality of the existing attacks, the desire to support legacy implementations, and resistance to change. We provide new attacks against RC4 in TLS that are focussed on recovering user passwords, still the pre-eminent means of user ...
Full text
Threshold Implementation as a Countermeasure against Power Analysis Attacks
One of the usual ways to find sensitive data or secret parameters of cryptographic devices is to use their physical leakages. Power analysis is one of the attacks which lie within such a model. In comparison with other types of side-channels, power analysis is so efficient and has a high success rate. So it is important to provide a countermeasure against it. Different types of countermeasures use ...
Full text
Combined Attacks on the AES Key Schedule
We present new combined attacks on the AES key schedule based on the work of Roche et al. [16]. The main drawbacks of the original attack are: the need for high repeatability of the fault, a very particular fault model and a very high complexity of the key recovery algorithm. We consider more practical fault models, we obtain improved key recovery algorithms and we present more attack paths for...
Full text
Bleichenbacher's Attack Strikes again: Breaking PKCS#1 v1.5 in XML Encryption
We describe several attacks against the PKCS#1 v1.5 key transport mechanism of XML Encryption. Our attacks allow recovery of the secret key used to encrypt transmitted payload data within a few minutes or several hours, depending on the considered scenario. The attacks exploit differences in error messages and in the timing behavior of XML frameworks. We show how to attack seemingly invulnerable...
Full text
State-Recovery Analysis of Spritz
RC4 suffered from a range of plaintext-recovery attacks using statistical biases, which use substantial, albeit close-to-practical, amounts of known keystream in applications such as TLS or WEP/WPA. Spritz was recently proposed at the rump session of CRYPTO 2014 as a slower redesign of RC4 by Rivest and Schuldt, aiming at reducing the statistical biases that lead to these attacks on RC4. Even m...
Full text