SESSION ID: ACB-W01

Entropy as a Service: A Framework for Delivering High-quality Entropy

Ravi Jagannathan
Security Architect
VMware

David Ott
Sr. Staff Researcher and Academic Program Director
VMware

#RSAC

The Problem of Weak Entropy

N. Heninger, Z. Durumeric, et al. “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices”. USENIX Security 2012.

The Problem of Weak Entropy

[09] CVE-2000-0357: ORBit and esound in Red Hat Linux do not use sufficiently random numbers, December 1999.
[10] CVE-2001-0950: ValiCert Enterprise Validation Authority uses insufficiently random data, January 2001.
[11] CVE-2001-1141: PRNG in SSLeay and OpenSSL could be used by attackers to predict future pseudorandom numbers, July 2001.
[12] CVE-2001-1467: mkpasswd, as used by Red Hat Linux, seeds its random number generator with its process ID, April 2001.
[13] CVE-2003-1376: WinZip uses weak random number generation for password protected ZIP files, December 2003.
[14] CVE-2005-3087: SecureW2 TLS implementation uses weak random number generators during generation of the pre-master secret, September 2005.
[15] CVE-2006-1378: PasswordSafe uses a weak random number generator, March 2006.
[16] CVE-2006-1833: Intel RNG Driver in NetBSD may always generate the same random number, April 2006.
[17] CVE-2007-2453: Random number feature in Linux kernel does not properly seed pools when there is no entropy, June 2007.
[18] CVE-2008-0141: WebPortal CMS generates predictable passwords containing only the time of day, January 2008.
[19] CVE-2008-0166: OpenSSL on Debian-based operating systems uses a random number generator that generates predictable numbers, January 2008.
[20] CVE-2008-2108: GENERATE_SEED macro in php produces 24 bits of entropy and simplifies brute force attacks against the rand and mt_rand functions, May 2008.
[21] CVE-2008-5162: The arc4random function in FreeBSD does not have a proper entropy source for a short time period immediately after boot, November 2008.
[22] CVE-2009-0255: TYPO3 creates the encryption key with an insufficiently random seed, January 2009.
[23] CVE-2009-3238: Linux kernel produces insufficiently random numbers, September 2009.
[24] CVE-2009-3278: QNAP uses rand library function to generate a certain recovery key, September 2009.
[25] CVE-2011-3599: Crypt::DSA for Perl, when /dev/random is absent, uses the data::random module, October 2011.
[26] CVE-2013-1445: The crypto.random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, October 2013.
[27] CVE-2013-4442: Password generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, December 2013.
[28] CVE-2013-5180: The srandomdev function in Libc in Apple Mac OS X before 10.9, when the kernel random-number generator is unavailable, produces predictable values instead of the intended random values, October 2013.
[29] CVE-2013-7373: Android before 4.4 does not properly arrange for seeding of the OpenSSL PRNG, April 2013.
[30] CVE-2014-0016: stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator, March 2014.
[31] CVE-2014-0017: The rand_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudorandom number generator, March 2014.
[32] CVE-2014-4422: The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, October 2014.

H. Corrigan-Gibbs and S. Jana. “Recommendation for Randomness in the Operating System, or, How to Keep Evil Children Out of Your Pool and Other Random Facts”. HotOS 2015.

What is entropy?
Entropy: def
• a measure of randomness, unpredictability
• more entropy => harder for adversary to guess

More precisely: Number of information bits not known to an adversary
• k bits of entropy
• 2^k guesses needed to find a value (assuming uniform distribution)

Example: k = 8 bits
256 guesses needed to find value

Example: k = 32 bits
4,294,967,296 guesses needed to find value

Example: k = 64 bits
18,446,744,073,709,551,616 guesses needed to find value

Entropy Sources

Entropy Source:
• a noise source
• sampling and quantization
• minimal conditioning (e.g., unbiasing)

Key questions:
• Does the entropy show statistical bias?
• Is it unpred
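
An added example, not from the slides: the 2^k figure above assumes a uniform distribution, and this sketch goes one step further to show how statistical bias in a source shrinks the guess space an adversary actually faces. It applies the most-common-value min-entropy estimate from NIST SP 800-90B to constructed sample data; the function names and the three simulated sources are assumptions for illustration.

```python
import math
import random
from collections import Counter

def mcv_min_entropy(samples):
    """Most-common-value estimate of min-entropy, in bits per sample."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    # Upper end of a 99% confidence interval on the likeliest value's probability.
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u) if p_u < 1.0 else 0.0

def expected_guess_space(bits):
    """2^k guesses for k bits of entropy (the slide's formula)."""
    return 2.0 ** bits

# Constructed 8-bit sources, simulated with a seeded PRNG so the run is
# reproducible. These stand in for raw noise-source output; they are
# illustrative assumptions, not measurements of real hardware.
def uniform_source(n, seed=1):
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]

def biased_source(n, seed=2):
    # Emits 0x00 a quarter of the time, otherwise a uniform byte.
    rng = random.Random(seed)
    return [0 if rng.random() < 0.25 else rng.randrange(256) for _ in range(n)]

def stuck_source(n):
    # Always returns the same value, the failure mode of a dead noise source.
    return [0x5A] * n

if __name__ == "__main__":
    for name, src in [("uniform", uniform_source), ("biased", biased_source),
                      ("stuck", stuck_source)]:
        h = mcv_min_entropy(src(100_000))
        print(f"{name:8s} {h:5.2f} bits/sample, ~{expected_guess_space(h):.0f} guesses")
```

The biased source still emits every byte value, yet it is credited with roughly 2 bits per sample instead of 8, which is why raw output is assessed before it is conditioned or used for seeding.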
2020_USA20_ACB-W01_01_entropy-as-a-service-a-framework-for-delivering-high-quality-entropy