Abstract
Many in the cryptographic community scoff at the mistakes made in implementing RNGs, and many cryptographers and members of the IETF resist the call to make TLS more resilient to this class of failures. This article discusses the history, current state, and fragility of the TLS protocol, and it closes with an example of how the protocol could be improved. The goal is not to prescribe a solution but to start a dialog on making TLS more resilient, by showing that TLS can be proven secure without assuming perfect random numbers.
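To make the failure class concrete, the following is an added illustration, not the article's own protocol, proof or code. It models an ephemeral Diffie-Hellman exchange in which the client's RNG produces 32 bytes that look random but carry only a few bits of entropy, shows a passive eavesdropper recovering the shared secret by enumerating that entropy, and then shows one common mitigation (chosen for this example, not the article's proposal): hedging the ephemeral exponent with a long-term secret through an HMAC, so that a weak RNG alone no longer hands the session to the attacker. The 127-bit group, the modelled RNG, the sample transcript bytes and the entropy figure are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy group for the demonstration (assumption of this example, not a real
# TLS group): 2**127 - 1 is prime, so arithmetic mod P is a field, but a
# 127-bit modulus is hopelessly small and the order of G is not checked.
# It is chosen only so that the brute-force search below runs in well
# under a second.  Never use this group for anything real.
P = (1 << 127) - 1
G = 3

ENTROPY_BITS = 14  # true entropy of the modelled RNG; every seed is enumerable


def weak_rng(entropy_bits: int) -> bytes:
    """Model of a broken RNG: 32 output bytes that look random but are a
    hash of a seed with only `entropy_bits` of entropy (think of a device
    that seeds from a counter or a clock at first boot)."""
    seed = secrets.randbelow(1 << entropy_bits)
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def naive_exponent(rng_output: bytes) -> int:
    """Ephemeral DH exponent derived from RNG output alone (the usual design)."""
    return int.from_bytes(rng_output, "big") % (P - 2) + 1


def hedged_exponent(rng_output: bytes, long_term_key: bytes, transcript: bytes) -> int:
    """Ephemeral exponent hedged with a long-term secret: a PRF keyed with a
    secret the attacker does not hold is applied to the RNG output and the
    handshake transcript.  If the RNG is good the result is still uniform;
    if the RNG is weak, a passive attacker must also know `long_term_key`."""
    mac = hmac.new(long_term_key, rng_output + transcript, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (P - 2) + 1


def run_exchange(hedged: bool, long_term_key=None):
    """One client/server DH exchange in which only the client's RNG is weak.
    Returns (client_public, server_public, shared_secret)."""
    transcript = b"ClientHello:constructed-sample"  # stands in for the real handshake bytes
    r = weak_rng(ENTROPY_BITS)
    x = hedged_exponent(r, long_term_key, transcript) if hedged else naive_exponent(r)
    client_pub = pow(G, x, P)
    y = secrets.randbelow(P - 2) + 1  # server RNG assumed healthy
    server_pub = pow(G, y, P)
    return client_pub, server_pub, pow(server_pub, x, P)


def passive_attack(client_pub: int, server_pub: int, entropy_bits: int):
    """Eavesdropper who knows how the RNG is built but holds no secret key.
    Enumerates every seed, reproduces the naive exponent, and checks it
    against the observed client public value.  Returns the recovered
    shared secret, or None if no seed explains what was observed."""
    for seed in range(1 << entropy_bits):
        r = hashlib.sha256(seed.to_bytes(4, "big")).digest()
        x = naive_exponent(r)
        if pow(G, x, P) == client_pub:
            return pow(server_pub, x, P)
    return None


def attack_succeeds(hedged: bool) -> bool:
    """True if the passive attacker recovers the session's shared secret."""
    key = secrets.token_bytes(32) if hedged else None
    client_pub, server_pub, shared = run_exchange(hedged, key)
    return passive_attack(client_pub, server_pub, ENTROPY_BITS) == shared


if __name__ == "__main__":
    print("naive exponent, weak RNG  -> attacker recovers secret:", attack_succeeds(False))
    print("hedged exponent, weak RNG -> attacker recovers secret:", attack_succeeds(True))
```

Two caveats a practitioner should keep in mind. The naive case fails no matter how good the derivation from RNG output to exponent is, because the attacker only needs to enumerate the seeds, not invert the hash; this is why "it passed the statistical tests" says nothing about entropy. The hedged case holds only against an attacker who lacks the long-term key: anyone who later obtains that key and can still enumerate the RNG recovers every past session, so hedging narrows the damage of a bad RNG but does not restore forward secrecy on its own.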
The Challenges of IoT, TLS, and Random Number Generators in the Real World: Bad random numbers are still with us and are proliferating in modern systems.