C3Subtitles: 33c3: How do we know our PRNGs work properly?

How do we know our PRNGs work properly?


Video duration
00:58:35
Language
English
Abstract
Pseudo-random number generators (PRNGs) are critical pieces of security
infrastructure. Yet, PRNGs are surprisingly difficult to design,
implement, and debug. The PRNG vulnerability that we recently found in
GnuPG/Libgcrypt (CVE-2016-6313) survived 18 years of service and several
expert audits. In this presentation, we not only describe the details of
the flaw but, based on our research, explain why the current state of
PRNG implementation and quality assurance downright provokes incidents.
We also present a PRNG analysis method that we developed and give
specific recommendations to implementors of software producing or
consuming pseudo-random numbers to ensure correctness.

Bugs in PRNGs often go unnoticed for years, as witnessed previously by
the Debian OpenSSL disaster (2006-2008; see the presentation at 25C3) or the
Android PRNG vulnerability (2005-2013), which was responsible for a
series of bitcoin thefts. This longevity has clear reasons: currently
almost no effective technical safeguards against PRNG flaws are in
place. In public forums, questions about quality assurance for PRNGs are
typically met with fatalistic shrugging, links to web comics, or links
to statistical test suites. None of these approaches is effective in
solving the problem.
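Why a statistical test suite does not solve the problem can be shown concretely. The following is an added example, not code from the talk, from Libgcrypt or from OpenSSL: a toy generator constructed for illustration that produces its output with SHA-256 in counter mode (so the output looks perfectly random) but is seeded from only 15 bits, mirroring the Debian OpenSSL bug, in which the process ID, at most 32768 values, was the only entropy left. Its output passes the NIST SP 800-22 frequency (monobit) test, while a brute-force search over the seed space recovers the seed from 16 output bytes. The names WeakSeedPRNG, SEED_BITS, monobit_pvalue and recover_seed are this example's own.

```python
"""Toy 'strong output function, weak seed' PRNG (added example, not the
talk's or any library's code). The generator is constructed for
illustration: SHA-256 over (seed, counter) makes the output statistically
clean, but only SEED_BITS bits of seed go in, so the whole output space
can be enumerated, exactly as with a PID-only seed."""
import hashlib
import math
from typing import Optional

SEED_BITS = 15  # assumption: 2**15 == 32768 possible seeds, a PID-sized space


class WeakSeedPRNG:
    """SHA-256 in counter mode, seeded from a small integer."""

    def __init__(self, seed: int) -> None:
        if not 0 <= seed < (1 << SEED_BITS):
            raise ValueError("seed out of range")
        self.seed = seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            block = hashlib.sha256(
                self.seed.to_bytes(4, "big") + self.counter.to_bytes(8, "big")
            ).digest()
            out += block
            self.counter += 1
        return bytes(out[:n])


def ones_fraction(data: bytes) -> float:
    """Fraction of 1 bits in the data (0.5 is the ideal)."""
    return sum(bin(b).count("1") for b in data) / (len(data) * 8)


def monobit_pvalue(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test: p-value for the byte string.
    The test passes at the usual significance level if p >= 0.01."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n                  # +1 per 1 bit, -1 per 0 bit
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def recover_seed(observed: bytes) -> Optional[int]:
    """Brute-force the seed from a few observed output bytes; None if no
    seed in the space reproduces them."""
    for seed in range(1 << SEED_BITS):
        if WeakSeedPRNG(seed).random_bytes(len(observed)) == observed:
            return seed
    return None


def demo(seed: int = 12345, sample_len: int = 8192):
    """Statistical verdict and brute-force verdict for one seed."""
    sample = WeakSeedPRNG(seed).random_bytes(sample_len)
    p = monobit_pvalue(sample)
    return p >= 0.01, p, recover_seed(sample[:16])


if __name__ == "__main__":
    passes, p, recovered = demo()
    print(f"monobit p-value {p:.3f} -> {'PASS' if passes else 'FAIL'}")
    print(f"seed recovered by brute force from 16 bytes: {recovered}")
```

The output passes the frequency test for the same reason it would pass every other test in the suite: the distribution of the output is determined by the hash, not by the seed, so no amount of entropy lost at seeding time shows up in the statistics. What went wrong has to be checked at the level of seeding and state handling, which is where a test suite that only looks at output cannot see.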

In the past two years, we carried out research into the correctness of
cryptographic PRNGs, studying the effectiveness of various measures and
developing new ones. We analyzed numerous PRNGs that are currently in
deployment. With this presentation we aim to convey insights into:

- the current state of PRNG implementations
- why quality assurance of PRNGs is difficult
- why hardly any technical safeguards against flaws in PRNGs are currently in place
- the details of the GnuPG flaw that we uncovered
- the hidden technical similarities behind many PRNG flaws (such as the three mentioned above)
- which safeguards are effective and which are not
- how to improve the situation

Talk ID
8099
Event:
33c3
Day
3
Room
Saal G
Start
11:30 a.m.
Duration
01:00:00
Track
Security
Type
lecture
Speakers
Vladimir Klebanov
Felix Dörre