sullivan randomness-infiltrate 2014

Exploiting Randomness Some fun exploits you can do with a compromised random number generator Nick Sullivan @grittygrease May 16, 2014

Upload: cloudflare

Post on 15-Jan-2015






Many information security systems rely on cryptographic schemes that need truly random numbers to be secure. In recent months there have been several high-profile news stories about weaknesses or potential compromises in both software and hardware random number generators. A compromised random number generator is difficult to catch because it can output random-looking data that is predictable only to an attacker. In this talk I describe how to go from knowledge of a weakness in a random number generator to a full security compromise. We will look at examples including how to fully decrypt a TLS stream, how to compromise a bitcoin wallet by looking at the ECDSA signatures on the public block chain, how to factor improperly generated RSA keys, and more. There will be live demos and discussions of interesting ways to pull off these attacks.


Page 1: Sullivan randomness-infiltrate 2014

Exploiting Randomness
Some fun exploits you can do with a compromised random number generator

Nick Sullivan @grittygrease May 16, 2014

Page 2

Who Am I?
• Cryptography Engineer, Security Researcher
• Lead the CloudFlare Security Engineering Team
• Work with Cryptography at scale
• Builder and Breaker


Page 3



Page 4

Randomness
• What is randomness?
• Why is randomness important?
• How bad randomness can destroy a computer security system


Page 5

Randomness
• A broken random number generator is very problematic
• This talk demos attacks on:
  • Bitcoin



Page 6

Randomness
• Random number generators can be compromised in multiple ways
  • Explicit subversion
  • Algorithmic weakness
  • Poor seeding
• All three are exploitable


Page 7

The Internet is broken


Page 8

The Internet is broken
• A failure of trust at scale
• Slow adoption of new standards by the community
  • Perfect Forward Secrecy
• Fundamental parts of it are broken
  • Revocation — as shown by the Heartbleed vulnerability


Page 9

A trying year
• Events since June 2013 exposed fragility
• Threats moved from theoretical to concrete
• Opinions of the “paranoid” are now mainstream


Page 10

Leaked documents
• Purported attempts to subvert public standards and open source projects
• Subversion of random number generation
• I can talk about this since I was never involved


Page 11



Page 12

Dual_EC_DRBG
• It was reported that RSA took 10 million to make Dual_EC_DRBG the default in BSAFE in 2004
• Removed as default in 2013


Page 13

Dual_EC_DRBG
• Clumsy, slow random number generator based on elliptic curves
• Came with two “random” starting points
  • Missed opportunity(?) if they are random
  • Starting points can be chosen such that the creator has a back door
  • Patented by Vanstone and Brown (2005)
• 32 bytes of data reveal the entire stream


Page 14

Dual_EC_DRBG
• Internal state is entirely dependent on the seed


Page 15

Dual_EC_DRBG
• A TLS client hello only reveals 28 bytes of random
• RSA implemented a non-standard “extended random” TLS extension
  • Reveals the full 32 bytes of consecutive data required


Page 16

Dual_EC_DRBG
• “On the Practical Exploitability of Dual EC in TLS Implementations” - 2014
  • Lange, Bernstein, Green, et al.
  • Looked into OpenSSL-FIPS, SChannel, BSAFE, using trojaned points
• Findings
  • TLS for each is fingerprintable
  • TLS session key in seconds to hours of computation — passively


Page 17

Dual_EC_DRBG - Takeaways
• Many protocols include random values (nonces, IVs, session ids, etc.)
• Internal state can be recovered with this data
• All future random output can be derived from the internal state


Page 18



Page 19

Intel RDRAND
• IvyBridge and later random number generator — in hardware
• Designed to be fast
• Has an AES-based “whitening” step at the end


Page 20



Page 21

Intel RDRAND
• Exploitability: it’s a hardware instruction
  • Virtualized environments - override from the hypervisor
  • Microcode updates
• Verifiability
  • Designers have not looked at production chips in Haswell
  • Is there a backdoor in silicon? Hard to tell.


Page 22

Intel RDRAND
• FreeBSD and Linux patched to make RDRAND the sole source of entropy
  • Eventually the patches were blocked or reverted
  • Linux now mixes RDRAND into /dev/random
• What motivated these patches?


Page 23

Intel RDRAND - takeaways
• Randomness can come from hardware
• Should be mixed with other sources
• Looking at randomness does not reveal backdoors


Page 24

A bit about entropy


Page 25

A bit about entropy
• Why is RDRAND dangerous on its own, but ok to mix?
• Statistical randomness is not enough
• Cryptographic randomness needs
  • To be unpredictable
  • To have high entropy


Page 26

A bit about entropy
• Entropy is the amount of information contained in a sequence of numbers
  • If you know the sequence, it is predictable
• The digits of pi are statistically random, but are predictable
  • The entropy is equivalent to the definition: “ratio of circumference to diameter of a circle”
  • This sentence only needs a few bytes to express


Page 27

A bit about entropy
• Entropy is in the eyes of the beholder
  • Known information takes away from the entropy
  • Digits of pi have high entropy to someone who doesn’t know math
• The NIST random beacon is not cryptographic randomness
  • Generated with a high-entropy process, but disclosed to the world


Page 28

A bit about entropy
• Encrypt the digits of pi with a 128-bit AES key
  • Tell the world that’s what it is
• The entropy to you is low
• The entropy to the world is 128 bits


Page 29

A bit about entropy
• Same with Dual_EC_DRBG
  • Say P = nQ
  • The relationship between P & Q can be computed by solving the ECDLP
  • That takes ~2^128 computations
• The entropy to the world is 128 bits
• The entropy to whoever knows n (the creator) is almost zero given 32 consecutive bytes


Page 30

A bit about entropy
• Independent entropy is additive
• RDRAND is ok to mix in: it can only increase randomness


Page 31

The Digital Signature Algorithm (DSA)


Page 32

The Digital Signature Algorithm (DSA)
• Public key cryptography primitive proposed in 1991
• Allows the owner of a private key to sign the hash of a message
• The public key is used to verify the signature


Page 33

The Digital Signature Algorithm (DSA)
• Where is it used? Everywhere.
  • What kind of key is your ssh key?
• ECDSA: elliptic curve variant used in TLS, bitcoin


Page 34

The Digital Signature Algorithm (DSA)
• Core complaint: DSA and ECDSA require cryptographic randomness
• Repeated signatures with the same random value reveal the private key


Page 35

The Digital Signature Algorithm (DSA)
• Signature
  • Pick a random k
  • Convolute k with the private key and the hash of the message
  • Publish R, S
• Solve DLP on R -> k


Page 36

The Digital Signature Algorithm (DSA)
• Any known k
  • Extract the private key
• Any repeated k with the same private key
  • Extract k


Page 37

The Digital Signature Algorithm (DSA)
• The Math


Page 38

The Digital Signature Algorithm (DSA)
• The Math


Page 39

The Digital Signature Algorithm (DSA)
• Breaking DSA


Page 40



Page 41

Bitcoin
• Fundamental security based on ECDSA
• Public key hash is your Bitcoin address
• Private key allows you to spend
• ECDSA signature proves a transaction


Page 42

• Verify that a payment was made


Page 43

Bitcoin
• Two transactions by the same Bitcoin address with the same random value k
• Signature includes S, R
  • R = kG, where G is the base point
  • If R1 = R2, most likely the same k was used


Page 44

Bitcoin
• Demo
• /fun -hash1="270666214c4a9654e2b0c40cbe6e57331ab2d8034f8c648944d5d3c7550b46dc" -sig1="4830450221009ac20335eb38768d2052be1dbbc3c8f6178407458e51e6b4ad22f1d91758895b02201b0d10a717ffccbfe5483bb7aa1cdcdc2a4e8775c706aaeddbcbfd55df190dd5012103ffffc29d98bf4eec11e6948387bdf5928848dca7b83bfde8e0e627e66c706576" -hash2="9bc17698be66f12460b7d7f87e47e1bbc03203194d0cf539ca9b862b23742b0a" -sig2="4830450221009ac20335eb38768d2052be1dbbc3c8f6178407458e51e6b4ad22f1d91758895b0220507b798addf5097c11fb4ed40518b2c3e468feb3d09a1fea837cf9d16ae25ef6012103ffffc29d98bf4eec11e6948387bdf5928848dca7b83bfde8e0e627e66c706576"


Page 45

Other DSA risks
• VPN signatures
  • IPSec uses DSA, ECDSA
  • OpenVPN
• SSH keys
• Secure boot chain
  • low entropy boot environments
• Codesigning keys


Page 46

Symptoms of a DSA break
• Look at the R value
• A repeating R means your key is compromised


Page 47



Page 48

RSA
• Public Key Cryptosystem
• Basis of the Public Key Infrastructure
• Security is based on the hardness of factoring large numbers
• RSA modulus N has two factors P & Q
• RSA key pairs are created by randomly generating P & Q


Page 49

RSA
• Taiwanese government id: each person has a unique RSA key


Page 50

RSA
• Factoring P*Q is hard
• Factoring P*Q and P*R is easy: Chinese remainder theorem
  • You can also find the GCD of a large number of numbers
• Factoring RSA keys from certified smart cards: Coppersmith in the wild - 2013
  • This is exactly what Bernstein, Heninger, Lange did
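Finding the GCD across a large set of moduli, as an added Python example that is not taken from the talk or from the cited paper: a product tree and remainder tree (Bernstein's batch-GCD method) give gcd(N_i, product of all other N_j) for every key without pairwise work, and an audit function flags keys whose prime was handed out twice by a faulty RNG. The moduli are constructed from 5-digit primes standing in for real 1024-bit factors.

```python
from math import gcd

# Constructed toy key set: 5-digit primes stand in for 1024-bit ones. A faulty RNG
# has handed the same prime to several keys; only the first key is unaffected.
TOY_MODULI = [
    10007 * 10009,  # unique primes
    10037 * 10039,  # shares 10037 with the 4th key
    10061 * 10067,  # shares 10061 with the 6th key
    10037 * 10069,  # shares 10037 with the 2nd key
    10079 * 10091,  # shares 10079 with the 6th key
    10061 * 10079,  # both primes seen elsewhere: batch gcd returns N itself
]

def product_tree(mods):
    """Level 0 holds the moduli; each level above holds pairwise products up to the root."""
    tree = [list(mods)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree

def batch_gcd(mods):
    """gcd(N_i, product of all other N_j) for every i via a remainder tree:
    R_i = (product of all N_j) mod N_i^2, then gcd(R_i / N_i, N_i)."""
    tree = product_tree(mods)
    rems = [tree[-1][0]]  # start at the root: the product of everything
    for lvl in reversed(tree[:-1]):
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(lvl)]
    return [gcd(r // n, n) for r, n in zip(rems, mods)]

def audit(mods):
    """Index -> shared factor for every modulus that shares a prime with another key.
    When batch_gcd returns N itself (both primes seen elsewhere, or a duplicate key),
    fall back to pairwise gcd against the other flagged keys to isolate one prime."""
    flagged = {i: g for i, g in enumerate(batch_gcd(mods)) if g != 1}
    for i, g in list(flagged.items()):
        if g == mods[i]:
            for j in flagged:
                d = gcd(mods[i], mods[j])
                if j != i and 1 < d < mods[i]:
                    flagged[i] = d
                    break
    return flagged
```

A value equal to the modulus itself after the fallback means an exact duplicate key; either way the key was generated from a predictable state and has to be replaced.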


Page 51

RSA
• They found that some even had recognizable patterns


Page 52

RSA
• Result of bad entropy initialization, bad RNG
• No demo; the paper covers it


Page 53

RSA
• Need to attack before keys are created
• Bootloading, early execution vulnerable to a weak PRNG
• TrueCrypt? GnuPG? Probably.
  • Rely on the system to generate RSA keys
• Routers and embedded devices - ephemeral RSA keys


Page 54

RSA
• What are the symptoms?
  • No symptoms, totally passive
• Where can you harvest public keys?
  • Scan the internet
  • PGP lists -


Page 55



Page 56

TLS
• The crown jewel of Internet encryption is SSL/TLS
• Breaking this removes privacy on the internet
• I will demonstrate one attack and point out two others


Page 57

Handshake
• Breakdown of the RSA handshake
  • Random from the client
  • Decryption from the server


Page 58

Handshake
• Breakdown of the DHE handshake
  • Random from the client
  • Random from the server


Page 59

DH on the wire
• Client sends aG
• Server sends bG
• Pre-master secret is abG


Page 60

Perfect Secrecy
• RSA is vulnerable to client randomness bugs — session key leak
• ECDSA is vulnerable to server randomness bugs — private key leak
• DH is vulnerable to both client and server randomness bugs


Page 61

TLS
• Demo
  • node.js server with a modified OpenSSL binding for the RNG
  • Do a handshake
  • Measure it, steal the DH private key, decrypt the stream


Page 62

Vectors of attack


Page 63

Vectors of attack (diagram; labels: Kernel timing, Hypervisor RDRAND)



Page 64

How to exploit more generally
• Override RDRAND in the hypervisor
• Other protocols: OpenVPN, IPSec
• Where to find randomness for context: nonces, IVs
• Trojan the OS image — /dev/random or the system openssl
• Extracting RNG state through remote memory disclosure: heartbleed


Page 65

More examples from history
• RSA
  • Debian RNG
• Sony Playstation 2
• Android Wallet
• Examples: iOS 7.0 bootloader RNG — change BIOS


Page 66

More targets
• Other things that depend on a good RNG
  • Session cookies
  • Kaminsky’s DNS poisoning attack mitigation
  • Suite B - ECDSA Certificate Authorities


Page 67

Conclusion
• Randomness is important
• Subverting the PRNG
  • Can be done at different layers
  • Very hard to detect
• Exploiting bugs in the PRNG
  • Repeated random values break DSA


Page 68

Exploiting Randomness
Some fun exploits you can do with a compromised random number generator

Nick Sullivan @grittygrease May 16, 2014