TU Darmstadt / ULB / TUbiblio

An Analysis of OpenSSL's Random Number Generator

Strenzke, Falko (2016):
An Analysis of OpenSSL's Random Number Generator.
In: Advances in Cryptology – EUROCRYPT 2016. 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Vienna, Austria, In: Lecture Notes in Computer Science 9665, ISBN 978-3-662-49889-7,
DOI: 10.1007/978-3-662-49890-3 25,
[Conference or Workshop Item]

Abstract

In this work we demonstrate various weaknesses of the random number generator (RNG) in the OpenSSL cryptographic library. We show how OpenSSL’s RNG, knowingly in a low entropy state, potentially leaks low entropy secrets in its output, which were never intentionally fed to the RNG by client code, thus posing vulnerabilities even when in the given usage scenario the low entropy state is respected by the client application. Turning to the core cryptographic functionality of the RNG, we show how OpenSSL’s functionality for adding entropy to the RNG state fails to be effectively a mixing function. If an initial low entropy state of the RNG was falsely presumed to have 256 bits of entropy based on wrong entropy estimations, this causes attempts to recover from this state to succeed only in long term but to fail in short term. As a result, the entropy level of generated cryptographic keys can be limited to 80 bits, even though thousands of bits of entropy might have been fed to the RNG state previously. In the same scenario, we demonstrate an attack recovering the RNG state from later output with an off-line effort between 282 and 284 hash evaluations, for seeds with an entropy level n above 160 bits. We also show that seed data with an entropy of 160 bits, fed into the RNG, under certain circumstances, might be recovered from its output with an effort of 282 hash evaluations. These results are highly relevant for embedded systems that fail to provide sufficient entropy through their operating system RNG at boot time and rely on subsequent reseeding of the OpenSSL RNG. Furthermore, we identify a design flaw that limits the entropy of the RNG’s output to 240 bits in the general case even for an initially correctly seeded RNG, despite the fact that a security level of 256 bits is intended.

Item Type: Conference or Workshop Item
Erschienen: 2016
Creators: Strenzke, Falko
Title: An Analysis of OpenSSL's Random Number Generator
Language: German
Abstract:

In this work we demonstrate various weaknesses of the random number generator (RNG) in the OpenSSL cryptographic library. We show how OpenSSL’s RNG, knowingly in a low entropy state, potentially leaks low entropy secrets in its output, which were never intentionally fed to the RNG by client code, thus posing vulnerabilities even when in the given usage scenario the low entropy state is respected by the client application. Turning to the core cryptographic functionality of the RNG, we show how OpenSSL’s functionality for adding entropy to the RNG state fails to be effectively a mixing function. If an initial low entropy state of the RNG was falsely presumed to have 256 bits of entropy based on wrong entropy estimations, this causes attempts to recover from this state to succeed only in long term but to fail in short term. As a result, the entropy level of generated cryptographic keys can be limited to 80 bits, even though thousands of bits of entropy might have been fed to the RNG state previously. In the same scenario, we demonstrate an attack recovering the RNG state from later output with an off-line effort between 282 and 284 hash evaluations, for seeds with an entropy level n above 160 bits. We also show that seed data with an entropy of 160 bits, fed into the RNG, under certain circumstances, might be recovered from its output with an effort of 282 hash evaluations. These results are highly relevant for embedded systems that fail to provide sufficient entropy through their operating system RNG at boot time and rely on subsequent reseeding of the OpenSSL RNG. Furthermore, we identify a design flaw that limits the entropy of the RNG’s output to 240 bits in the general case even for an initially correctly seeded RNG, despite the fact that a security level of 256 bits is intended.

Title of Book: Advances in Cryptology – EUROCRYPT 2016. 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques
Series Name: Lecture Notes in Computer Science 9665
Number: 35
Publisher: Springer
ISBN: 978-3-662-49889-7
Divisions: Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Event Location: Vienna, Austria
Date Deposited: 14 Aug 2017 13:54
DOI: 10.1007/978-3-662-49890-3 25
Identification Number: TUD-CS-2016-14779
Export:
Suche nach Titel in: TUfind oder in Google

Optionen (nur für Redakteure)

View Item View Item