CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Notes 21

    Anyone who uses software to produce random numbers is in a state of sin.
        John von Neumann

    The generation of random numbers is too important to be left to chance.
        Robert R. Coveyou

Random Number Generation

Many cryptographic protocols require the parties to generate random numbers. For instance, cryptographic keys have to be generated in a way that makes them unpredictable to anyone other than the authorized creator of the key. How should we generate these random numbers? In this lecture, you will learn two things: how to generate truly random bits; and cryptographic methods to stretch a little bit of true randomness into a large stream of pseudorandom values that are indistinguishable from true random bits.

1 What Can Go Wrong

It turns out that random number generation is very easy to get wrong. For instance, what is wrong with the following code?

    #include <stdlib.h>
    #include <time.h>
    /* ... inside some function: */
    unsigned char key[16];
    int i;
    srand(time(NULL));
    for (i = 0; i < 16; i++)
        key[i] = rand() & 0xFF;

There are all sorts of problems with this code. Can you spot any of them?

In case you are not familiar with the rand() function, here is a quick refresher. Here are the function prototypes:

    int rand(void);
    void srand(unsigned int seed);
    time_t time(time_t *t);

Each call to rand() returns a pseudorandom value in the range 0 to RAND_MAX, calculated as a deterministic function of the seed. Also, srand(s) sets the seed to s. For instance, here is one possible implementation of rand() and srand():

    static unsigned int next = 0;

    void srand(unsigned int seed)
    {
        next = seed;
    }

    /* RAND_MAX assumed to be 32767 */
    int rand(void)
    {
        next = next * 1103515245 + 12345;
        return next % 32768;
    }

Finally, time(NULL) returns the current time, as measured by the number of seconds since Jan 1, 1970.

With that background, here are two of the security holes in the code snippet listed previously:

1. It is easy to guess the value of the key.
The seed is highly predictable, and anyone who can guess the seed can calculate the value of the cryptographic key. The algorithm that rand() uses for computing its outputs as a function of the seed is publicly known. Consequently, anyone who can guess the time at which the key was generated can apply the very same algorithm to infer each of the bytes of the key. For instance, if Alice generates a new session key at the start of each session using this code, then anyone who eavesdrops on a session will probably be able to determine the time of day on Alice's machine at the start of the session (and hence the seed passed to srand()) and then decrypt everything that is encrypted using this session key....
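An added example, not part of the original notes: the notes' illustrative rand()/srand() reproduced under local names (notes_rand, notes_srand), the flawed key derivation from the snippet, and an audit helper that counts how many distinct keys a window of candidate seeds can produce. It goes one step beyond the text: because this sample LCG works mod 2^32 and the snippet keeps only the low byte of each output, the key depends only on the low byte of the seed, so the reachable key space is 256 keys no matter how uncertain the timestamp is (a property of this sample rand(), not a claim about any particular libc).

```c
#include <string.h>
#define KEY_LEN 16

/* The notes' illustrative rand()/srand() (RAND_MAX = 32767), under local
   names so the demo does not depend on the platform's libc. */
static unsigned int next_state = 0;
static void notes_srand(unsigned int seed) { next_state = seed; }
static int notes_rand(void) {
    next_state = next_state * 1103515245u + 12345u; /* wraps mod 2^32 */
    return next_state % 32768;
}

/* Derive a key exactly as the flawed snippet does. */
void derive_key(unsigned int seed, unsigned char key[KEY_LEN]) {
    int i;
    notes_srand(seed);
    for (i = 0; i < KEY_LEN; i++)
        key[i] = notes_rand() & 0xFF;
}

/* Byte i of the key derived from seed. */
int key_byte(unsigned int seed, int i) {
    unsigned char key[KEY_LEN];
    derive_key(seed, key);
    return key[i];
}

/* 1 if two seeds yield the same key; seeds congruent mod 256 always do, since
   the low byte of this LCG's state depends only on the seed's low byte. */
int same_key(unsigned int s1, unsigned int s2) {
    unsigned char a[KEY_LEN], b[KEY_LEN];
    derive_key(s1, a);
    derive_key(s2, b);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* Audit helper: distinct keys reachable from seeds in [first, first+window),
   window <= 4096 (else -1). Saturates at 256 however wide the window. */
int count_distinct_keys(unsigned int first, unsigned int window) {
    static unsigned char seen[4096][KEY_LEN];
    unsigned int s, j, n = 0, dup;
    if (window > 4096) return -1;
    for (s = 0; s < window; s++) {
        unsigned char key[KEY_LEN];
        derive_key(first + s, key);
        for (j = 0, dup = 0; j < n && !dup; j++)
            dup = memcmp(seen[j], key, KEY_LEN) == 0;
        if (!dup) memcpy(seen[n++], key, KEY_LEN);
    }
    return (int)n;
}
```

With a one-hour window of seeds (3600 values) count_distinct_keys returns 256, i.e. the derivation offers at most 8 bits of security even if the attacker knows nothing more precise than the hour.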