Yongjin Yeom

Generating Random Numbers for Cryptographic Modules Using Race Conditions in GPU

In modern cryptography, random numbers are widely used for generating encryption keys and establishing secure channels. Cryptographic modules generate pseudo random numbers using the initial value called ‘seed’. Accordingly, the security of random numbers depends highly upon that of seed. Usually, seeds are obtained from physical or logical noises generated by mouse, keyboard, and thermal noise. In this paper, it will be shown that random numbers can be generated on GPUs. In fact, race conditions caused by simutaneous memory accesses enable GPUs to generate Gaussian noises which can be used as entropy sources for random number generator in cryptographic modules. After distillation processes, cryptographic random numbers can be extracted.

Recoverable Random Numbers in an Internet of Things Operating System

Over the past decade, several security issues with Linux Random Number Generator (LRNG) on PCs and Androids have emerged. The main problem involves the process of entropy harvesting, particularly at boot time. An entropy source in the input pool of LRNG is not transferred into the non-blocking output pool if the entropy counter of the input pool is less than 192 bits out of 4098 bits. Because the entropy estimation of LRNG is highly conservative, the process may require more than one minute for starting the transfer. Furthermore, the design principle of the estimation algorithm is not only heuristic but also unclear. Recently, Google released an Internet of Things (IoT) operating system called Brillo based on the Linux kernel. We analyze the behavior of the random number generator in Brillo, which inherits that of LRNG. In the results, we identify two features that enable recovery of random numbers. With these features, we demonstrate that random numbers of 700 bytes at boot time can be recovered with the success probability of 90% by using time complexity for 5.20 × 2 40 trials. Therefore, the entropy of random numbers of 700 bytes is merely about 43 bits. Since the initial random numbers are supposed to be used for sensitive security parameters, such as stack canary and key derivation, our observation can be applied to practical attacks against cryptosystem.

Analysis of random noise generated by graphic processing units

Random number generators are essential in modern cryptography. The security of a cryptographic scheme can be achieved under the assumption that the system uses ideal random numbers to produce sensitive security parameters such as encryption keys and initial vectors. The weakness of the random number generator makes the entire cryptographic system insecure. In particular, the lack of entropy sources leads to predictable output random bits so that secret information can be guessed by malicious attackers. Therefore, it is important to collect sufficient entropy from physical noise sources. In this paper, we consider graphics processing units (GPUs) as an entropy source. From the race conditions in the parallel computations on a GPU, we can harvest sufficient entropy for cryptography. Using the entropy estimations in NIST SP 800-90B, the amount of entropy is estimated and compared with other physical sources.

Probabilistic Analysis for the Relationship Between Min-Entropy and Guessing Attack

Recently NIST has published the second draft document of recommendation for the entropy sources used for random bit generation. In this document NIST has provided a practical and detailed description about the fact that the min-entropy is closely related to the optimum guessing attack cost. However the argument lacks the mathematical rigour. In this paper we provide an elaborate probabilistic analysis for the relationship between the min-entropy and cost of optimum guessing attack. Moreover we also provide some simulation results in order to investigate the practicality of optimum guessing attack.

The OpenWRT’s Random Number Generator Designed Like /dev/urandom and Its Vulnerability

OpenWRT is an open source router firmware based on embedded Linux that uses a dedicated random number generator for the WPA/WPA2 authentication protocol. Its main purpose is to generate a nonce that can be used in a WPA/WPA2 handshake. If the output of the random number generator can be predicted by an attacker, the relevant protocol will not be able to authenticate securely. According to previous studies on Linux, it is well known that a random number generator implemented in an embedded Linux environment does not collect sufficient entropy from noise sources. The lack of entropy increases the potential vulnerability for the random number generator and the Linux protocol. Therefore, we analyzed the WPA/WPA2 authentication protocol and its random number generator. In our results, we point out some potential cryptographic weaknesses and vulnerabilities of the OpenWRT random number generator.

Probability distributions for the Linux entropy estimator

Abstract We propose a mathematical model of the entropy estimator in the Linux random number generator. First, we construct a probability model for random event times in entropy sources, and then precisely derive probability distributions for the first, second, and third time differences. Second, we obtain the probability distribution for the minimum of absolute values of these differences, which is used for the estimated entropy in the Linux system. Moreover, we provide several simulations that display the accuracy of our results for various parameters.