An Analysis of OpenSSL's Random Number Generator

نویسنده

  • Falko Strenzke
چکیده

In this work we demonstrate various weaknesses of the random number generator (RNG) in the OpenSSL cryptographic library. We show how OpenSSL’s RNG, knowingly in a low entropy state, potentially leaks low entropy secrets in its output, which were never intentionally fed to the RNG by client code, thus posing vulnerabilities even when in the given usage scenario the low entropy state is respected by the client application. Turning to the core cryptographic functionality of the RNG, we show how OpenSSL’s functionality for adding entropy to the RNG state fails to be effectively a mixing function. If an initial low entropy state of the RNG was falsely presumed to have 256 bits of entropy based on wrong entropy estimations, this causes attempts to recover from this state to succeed only in long term but to fail in short term. As a result, the entropy level of generated cryptographic keys can be limited to 80 bits, even though thousands of bits of entropy might have been fed to the RNG state previously. In the same scenario, we demonstrate an attack recovering the RNG state from later output with an off-line effort between 2 and 2 hash evaluations, for seeds with an entropy level n above 160 bits. We also show that seed data with an entropy of 160 bits, fed into the RNG, under certain circumstances, might be recovered from its output with an effort of 2 hash evaluations. These results are highly relevant for embedded systems that fail to provide sufficient entropy through their operating system RNG at boot time and rely on subsequent reseeding of the OpenSSL RNG. Furthermore, we identify a design flaw that limits the entropy of the RNG’s output to 240 bits in the general case even for an initially correctly seeded RNG, despite the fact that a security level of 256 bits is intended.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

True Random Number Generation for Cryptography, on the Cheap

This paper describes an open system for building a True Random Number Generator and using it for cryptographic purposes. The main components of this system are an Arduino Uno and OpenSSL. Introduction: Random number generation is an important part of cryptography, because flaws in random number generation can be used by attackers to compromise encryption systems that are algorithmically secure....

متن کامل

Design of low power random number generators for quantum-dot cellular automata

Quantum-dot cellular automata (QCA) are a promising nanotechnology to implement digital circuits at the nanoscale. Devices based on QCA have the advantages of faster speed, lower power consumption, and greatly reduced sizes. In this paper, we are presented the circuits, which generate random numbers in QCA.  Random numbers have many uses in science, art, statistics, cryptography, gaming, gambli...

متن کامل

Design of low power random number generators for quantum-dot cellular automata

Quantum-dot cellular automata (QCA) are a promising nanotechnology to implement digital circuits at the nanoscale. Devices based on QCA have the advantages of faster speed, lower power consumption, and greatly reduced sizes. In this paper, we are presented the circuits, which generate random numbers in QCA.  Random numbers have many uses in science, art, statistics, cryptography, gaming, gambli...

متن کامل

Sensitivity Analysis and Stray Capacitance of Helical Flux Compression Generator with Multi Layer Filamentary Conductor in Rectangular Cross-Section

This paper presents an approach to calculate the equivalent stray capacitance (SC) of n-turn of the helical flux compression generator (HFCG) coil with multi layer conductor wire filaments (MLCWF) in the form of rectangular cross-section. This approach is based on vespiary regular hexagonal (VRH) model. In this method, wire filaments of the generator coil are separated into many very small simi...

متن کامل

CPU Time Jitter Based Non-Physical True Random Number Generator

Today’s operating systems provide non-physical true random number generators which are based on hardware events. With the advent of virtualization and the ever growing need of more high-quality entropy, these random number generators reach their limits. Additional sources of entropy must be opened up. This document introduces an entropy source based on CPU execution time jitter. The design and ...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:
  • IACR Cryptology ePrint Archive

دوره 2016  شماره 

صفحات  -

تاریخ انتشار 2016