
attacks are a realistic threat, you will usually have far bigger threats, and mitigating those threats will help mitigate this one as well.

There is a lot that can go wrong when using a pseudo-random number generator. Coming up with a good construct turns out to be the easy part. Here are some things you should consider closely:

• Pseudo-random number generators need to be seeded with an adequate amount of entropy; otherwise, they are still potentially predictable. We recommend at least 80 bits. See the various recipes elsewhere in this chapter for information on collecting entropy.

• Pay close attention to the maximum number of outputs a generator can produce before it needs to be reseeded with new entropy. At some point, generators start to leak information and will generally fall into a cycle. Note, though, that for the configurations we present, you will probably never need to worry about the limit in practice. For example, the generator based on AES-128 leaks a bit of information after 2^64 16-byte blocks of output, and cycles after 2^128 such blocks.

• When adding entropy to a system, it is best to collect a lot of entropy and seed all at once, instead of seeding a little bit at a time. We will illustrate why by example. Suppose that you seed a generator with one bit of entropy. An attacker has only one bit to guess, which can be done accurately after two outputs. If the attacker completely compromises the state after two outputs, and we then add another bit of entropy, he can once again guess the state easily. If we add one bit 128 times, there is still very little security overall if the generator state is compromised. However, if you add 128 bits of entropy to the generator all at once, an attack should essentially be infeasible.

• If an attacker can somehow compromise the internal state of a pseudo-random number generator, then it might be possible to launch a backtracking attack, where old generator outputs can be recovered. Such attacks are easy to thwart; see Recipe 11.6.

In the following three subsections, we will look at three different techniques for pseudo-random number generators: using a block cipher such as AES, using a stream cipher directly, and using a cryptographic hash function such as SHA1.

Using generators based on block ciphers

If you are in an environment where you have use of a good block cipher such as AES, you have the makings of a cryptographically strong pseudo-random number generator. Many of the encryption modes for turning a block cipher into a stream cipher are useful for this task, but CTR mode has the nicest properties. Essentially, you create random outputs one block at a time by encrypting a counter that is incremented after every encryption operation.
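The CTR-mode construction just described, written out as an added example (not the book's own C recipe) in Go using only the standard library's AES: every output block is the encryption of a 128-bit counter that is incremented after each use, the seed is taken all at once, and an output counter enforces a reseed limit well inside the 2^64-block bound. The 32-byte seed layout and the 2^48 limit are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Bound from the text: AES-128 CTR leaks after 2^64 blocks; 2^48 is a chosen safety margin.
const maxBlocksPerSeed = uint64(1) << 48

// ctrPRNG emits AES(key, counter) one block at a time, incrementing the counter after each.
type ctrPRNG struct {
	block   cipher.Block
	counter [aes.BlockSize]byte
	used    uint64 // blocks produced since the last (re)seed
}

// reseed takes 32 bytes of entropy at once: 16 for the AES-128 key, 16 for the start counter.
func (p *ctrPRNG) reseed(seed []byte) error {
	if len(seed) != 32 {
		return errors.New("seed must be 32 bytes (key || counter)")
	}
	var err error
	if p.block, err = aes.NewCipher(seed[:16]); err != nil {
		return err
	}
	copy(p.counter[:], seed[16:])
	p.used = 0
	return nil
}

// read fills out with generator output; it refuses once the per-seed limit is hit.
func (p *ctrPRNG) read(out []byte) error {
	var ks [aes.BlockSize]byte
	for off := 0; off < len(out); off += aes.BlockSize {
		if p.used >= maxBlocksPerSeed {
			return errors.New("output limit reached: reseed with fresh entropy")
		}
		p.block.Encrypt(ks[:], p.counter[:])
		copy(out[off:], ks[:]) // a short final block is truncated
		for i := aes.BlockSize - 1; i >= 0; i-- { // big-endian counter++
			if p.counter[i]++; p.counter[i] != 0 {
				break
			}
		}
		p.used++
	}
	return nil
}
```

In real use the 32 seed bytes come from the entropy-collection recipes in this chapter (or the OS), never from a constant as in the test.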

Using an Application-Level Generator | 583<br />


Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
