Problem - Kevin Tafuro

attacks are a realistic threat, you will usually have far bigger threats, and mitigating those threats will help mitigate this one as well.

There is a lot that can go wrong when using a pseudo-random number generator. Coming up with a good construct turns out to be the easy part. Here are some things you should closely consider:

• Pseudo-random number generators need to be seeded with an adequate amount of entropy; otherwise, they are still potentially predictable. We recommend at least 80 bits. See the various recipes elsewhere in this chapter for information on collecting entropy.

• Pay careful attention to the maximum number of outputs a generator can produce before it needs to be reseeded with new entropy. Past that point, generators start to leak information and will generally fall into a cycle. Note, though, that for the configurations we present, you will probably never need to worry about the limit in practice. For example, the generator based on AES-128 leaks a bit of information after 2^64 16-byte blocks of output, and cycles after 2^128 such blocks.

• When adding entropy to a system, it is best to collect a lot of entropy and seed all at once, instead of seeding a little bit at a time. We will illustrate why by example. Suppose that you seed a generator with one bit of entropy. An attacker has only one bit to guess, which can be done accurately after two outputs. If the attacker completely compromises the state after two outputs, and we then add another bit of entropy, he can once again guess the state easily. If we add one bit 128 times, there is still very little security overall if the generator state is compromised. However, if you add 128 bits of entropy to the generator all at once, an attack should essentially be infeasible.

• If an attacker can somehow compromise the internal state of a pseudo-random number generator, then it might be possible to launch a backtracking attack, where old generator outputs can be recovered. Such attacks are easy to thwart; see Recipe 11.6.

In the following three subsections, we will look at three different techniques for pseudo-random number generators: using a block cipher such as AES, using a stream cipher directly, and using a cryptographic hash function such as SHA1.

Using generators based on block ciphers

If you are in an environment where you have use of a good block cipher such as AES, you have the makings of a cryptographically strong pseudo-random number generator. Many of the encryption modes for turning a block cipher into a stream cipher are useful for this task, but CTR mode has the nicest properties. Essentially, you create random outputs one block at a time by encrypting a counter that is incremented after every encryption operation.
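The CTR-mode construction just described, as an added worked example that is not code from the book (the book's own recipes are in C; this one is written in Go so that the AES primitive comes from the standard library and nothing else is needed): the generator encrypts a 128-bit counter under AES-128 and increments the counter after every block, insists on at least 128 bits of seed delivered in one batch (the "seed all at once" point from the list above), counts blocks against a reseed limit, and mixes fresh entropy in all at once. The reseed threshold of 2^32 blocks, the XOR-with-one-output-block reseed, and the names ctrGenerator, newCTRGenerator, read and reseed are this example's own choices, not the book's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ctrGenerator produces pseudo-random output one 16-byte block at a time by
// encrypting a 128-bit counter under AES-128 and incrementing the counter
// after every encryption (CTR mode driven with no plaintext at all).
type ctrGenerator struct {
	block   cipher.Block
	counter [16]byte // big-endian counter; the low 64 bits are incremented
	blocks  uint64   // blocks produced since the last (re)seed
	limit   uint64   // blocks allowed before a reseed is required
}

// minSeedBytes is the entropy the generator demands in one go: 128 bits,
// comfortably above the 80-bit minimum recommended in the text.
const minSeedBytes = 16

// defaultLimit is a conservative reseed threshold chosen for this example:
// the AES-128 construction only starts to leak a bit after 2^64 blocks, so
// stopping at 2^32 blocks (64 GiB of output) leaves a wide margin.
const defaultLimit = uint64(1) << 32

// newCTRGenerator seeds a generator from one batch of entropy, which must
// arrive all at once. The first 16 bytes become the AES key; up to 16 further
// bytes initialise the counter so two seeds sharing a key still diverge.
func newCTRGenerator(seed []byte) (*ctrGenerator, error) {
	if len(seed) < minSeedBytes {
		return nil, errors.New("seed too short: need at least 16 bytes (128 bits) of entropy")
	}
	block, err := aes.NewCipher(seed[:16])
	if err != nil {
		return nil, err
	}
	g := &ctrGenerator{block: block, limit: defaultLimit}
	copy(g.counter[:], seed[16:]) // copies at most 16 bytes; counter stays zero if absent
	return g, nil
}

// encryptCounter returns AES_k(counter) and steps the counter. It does no
// limit accounting; normal output goes through nextBlock for that.
func (g *ctrGenerator) encryptCounter() [16]byte {
	var out [16]byte
	g.block.Encrypt(out[:], g.counter[:])
	low := binary.BigEndian.Uint64(g.counter[8:])
	binary.BigEndian.PutUint64(g.counter[8:], low+1) // wraps only after 2^64 blocks, far past the limit
	return out
}

// nextBlock hands out one block of output, refusing once the reseed limit is hit.
func (g *ctrGenerator) nextBlock() ([16]byte, error) {
	if g.blocks >= g.limit {
		return [16]byte{}, errors.New("output limit reached: reseed with fresh entropy")
	}
	g.blocks++
	return g.encryptCounter(), nil
}

// read returns n pseudo-random bytes, discarding any unused tail of the last block.
func (g *ctrGenerator) read(n int) ([]byte, error) {
	out := make([]byte, 0, n)
	for len(out) < n {
		blk, err := g.nextBlock()
		if err != nil {
			return nil, err
		}
		out = append(out, blk[:]...)
	}
	return out[:n], nil
}

// reseed mixes a fresh batch of at least 128 bits of entropy into the state:
// the new key is entropy XOR AES_k(counter), so an attacker needs both the old
// state and the new entropy. (This XOR mixing is the example's own choice.)
func (g *ctrGenerator) reseed(entropy []byte) error {
	if len(entropy) < minSeedBytes {
		return errors.New("reseed needs at least 16 bytes of entropy at once")
	}
	mix := g.encryptCounter()
	var key [16]byte
	for i := range key {
		key[i] = entropy[i] ^ mix[i]
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return err
	}
	g.block = block
	g.blocks = 0
	return nil
}

func main() {
	seed := make([]byte, 32) // gather the whole seed at once from the OS entropy source
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	g, err := newCTRGenerator(seed)
	if err != nil {
		panic(err)
	}
	out, err := g.read(32)
	if err != nil {
		panic(err)
	}
	fmt.Println(hex.EncodeToString(out))
}
```

The first output block is exactly AES_k(0), the second AES_k(1), and so on, so a known-answer check against a plain AES encryption of the counter is the easiest way to confirm the generator is wired correctly; the limit check is the hook for the reseed discipline from the list above, and the seed-length check is what stops a caller from dribbling entropy in a few bits at a time.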

Using an Application-Level Generator | 583<br />

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
