Mining your Ps and Qs: detection of widespread weak keys in network devices

USENIX Security Symposium, pp.35-35, (2012)


Abstract

RSA and DSA can fail catastrophically when used with malfunctioning random number generators, but the extent to which these problems arise in practice has never been comprehensively studied at Internet scale. We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widesp...

Introduction
  • Introduction and Roadmap

    Randomness is essential for modern cryptography, where security often depends on keys being chosen uniformly at random.
  • By scanning the public IPv4 address space, the authors collected 5.8 million unique TLS certificates from 12.8 million hosts and 6.2 million unique SSH host keys from 10.2 million hosts.
  • This is 67% more TLS hosts than the latest released EFF SSL Observatory dataset [20].
  • If two RSA moduli share a prime factor, an attacker who computes their greatest common divisor can factor both moduli and compute both private keys.
Highlights
  • We describe how we efficiently computed the pairwise greatest common divisor of all distinct RSA moduli in our multimillion-key dataset
  • In all but a small number of cases, the TLS certificates and SSH host keys divisible by a common factor all belonged to a particular manufacturer, which we were able to identify in most cases using the techniques described in Section 3.2
  • We investigated the security of random number generation on a broad scale by performing and analyzing the most comprehensive Internet-wide scans of TLS certificates and SSH host keys to date
  • Using the global view provided by our data, we discovered that insecure random number generators are in widespread use, leading to a significant number of vulnerable RSA and DSA keys
  • Our scan data contains approximately 67% more IP addresses and 45% more certificates than the latest publicly available SSL Observatory scan
  • Previous examples of random number generation flaws were found by painstakingly reverse engineering individual devices or implementations, or through luck when a collision was observed by a single user
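The shared-prime detection the highlights describe (the pairwise GCD over all distinct moduli, and computing both private keys once a common factor is found) is illustrated by the following added example, which is not code from the paper or its authors. It uses Bernstein-style product and remainder trees so that the whole set is processed in quasi-linear time rather than with an explicit all-pairs loop, and it also handles the edge case where both primes of a modulus appear in other keys, so the batch result collapses to the modulus itself. The primes and moduli are constructed toy values, not scanned keys.

```python
import math

# Constructed toy primes (real RSA primes are 512+ bits); primality of each is well known.
P1, P2, P3, P4 = 1000000007, 1000000009, 998244353, 999999937
P5, P6, P7, P8 = 2147483647, 4294967291, 65537, 2305843009213693951

# Constructed "scanned" moduli: N1, N2 and N5 share primes with each other,
# N3 and N4 share P5, and N6 shares nothing (a properly generated key).
MODULI = [P1 * P2, P1 * P3, P4 * P5, P5 * P6, P2 * P3, P7 * P8]


def product_tree(xs):
    """Levels of a binary product tree: leaves first, root (product of all) last."""
    tree = [list(xs)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree


def batch_gcd(moduli):
    """gcd(N_i, product of all other moduli) for every i, without an all-pairs loop.
    Uses (P mod N_i^2) // N_i == (P / N_i) mod N_i, pushed down a remainder tree."""
    tree = product_tree(moduli)
    rems = tree.pop()                       # root level: [P], the product of everything
    while tree:
        lvl = tree.pop()
        rems = [rems[i // 2] % (lvl[i] ** 2) for i in range(len(lvl))]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_factorable(moduli):
    """Return {N: (p, q)} for each modulus that shares a prime with another modulus."""
    moduli = list(dict.fromkeys(moduli))    # repeated keys are a separate finding; dedupe
    found = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            continue                        # no prime shared with any other key
        if g == n:
            # Edge case: both primes of n occur in other moduli, so the batch result
            # collapses to n itself. Fall back to pairwise gcds to split it.
            g = next((math.gcd(n, m) for m in moduli if 1 < math.gcd(n, m) < n), None)
            if g is None:
                continue
        found[n] = tuple(sorted((g, n // g)))   # p and q: the private key follows directly
    return found


if __name__ == "__main__":
    for n, (p, q) in find_factorable(MODULI).items():
        print(f"N={n} factored: p={p} q={q}")
```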
Methods
  • The authors explain how they performed the Internet-wide survey of public keys, how they attributed vulnerable keys to devices, and how they efficiently factored poorly generated RSA keys.

    3.1 Internet-wide scanning. The authors performed the data collection in three phases: discovering IP addresses accepting connections on TCP port 443 (HTTPS) or 22 (SSH); performing a TLS or SSH handshake and storing the presented certificate chain or host key; and parsing the collected certificates and host keys into a relational database.
  • The authors used the Nmap 5 network exploration tool [39] to perform a SYN scan, which involves sending a TCP SYN packet to each candidate host and detecting whether the host responds with a SYN-ACK packet.
  • The authors chose this scanning method based on its low bandwidth requirements; for the vast majority of hosts, at most two packets need to be exchanged.
Results
  • The authors' scan data contains approximately 67% more IP addresses and 45% more certificates than the latest publicly available SSL Observatory scan
Conclusion
  • 6.1 RSA vs. DSA in the face of low entropy. Any cryptosystem that relies on a secret key for security will be compromised if an adversary can determine that key.
  • This might happen if an implementation leaks side-channel information about the key, or if the adversary can enumerate a reduced key space generated by low-entropy inputs.
  • The results are a reminder to all that vulnerabilities can sometimes be hiding in plain sight
Tables
  • Table 1: Internet-wide scan results — We exhaustively scanned the public IPv4 address space for TLS and SSH servers listening on ports 443 and 22, respectively. Our results constitute the largest such network survey reported to date. For comparison, we also show statistics for the EFF SSL Observatory’s most recent public dataset [20]
  • Table 2: Summary of vulnerabilities — We analyzed our TLS and SSH scan results to measure the population of hosts exhibiting several entropy-related vulnerabilities. These include use of repeated keys, use of RSA keys that were factorable due to repeated primes, and use of DSA keys that were compromised by repeated signature randomness. Under the theory that vulnerable repeated keys were generated by embedded or headless devices with defective designs, we also report the number of hosts that we identified as these device models. Many of these hosts may be at risk even though we did not specifically observe repeats of their keys
Related work
  • HTTPS surveys The HTTPS public-key infrastructure has been a focus of attention in recent years, and researchers have performed several large-scale scans to measure TLS usage and CA behavior. In contrast, our study addresses problems that are mostly separate from the CA ecosystem.

    Ristic published an SSL survey in July 2010 [44] examining hosts serving the Alexa top 1 million domain names and 119 million other domain registrations. The study found 900,000 hosts serving HTTPS and 600,000 valid certificates. The same year, the Electronic Frontier Foundation (EFF) and iSEC Partners debuted the SSL Observatory project [20] and released the largest public repository of TLS certificates. They scanned approximately 87% of the IPv4 address space on port 443 and downloaded the resulting X.509 certificates over a three-month period. They released two datasets, the larger of which (from December 2010) recorded 4.0 million certificates from 7.7 million HTTPS hosts. The authors used their data to analyze the CA infrastructure and noted several vulnerabilities. We owe the inspiration for our work to their fascinating dataset, in which we first identified several of the entropy problems we describe; however, we ultimately performed our own scans to have more up-to-date and complete data. Our scan data contains approximately 67% more IP addresses and 45% more certificates than the latest publicly available SSL Observatory scan.
Funding
  • We also thank Jake Appelbaum, Michael Bailey, Kevin Borders, Keith Brautigam, Ransom Briggs, Jesse Burns, Aleksander Durumeric, Prabal Dutta, Peter Eckersley, Andy Isaacson, James Kasten, Ben Laurie, Stephen Schultze, Ron Rivest, and David Robinson. This material is based upon work supported by the National Science Foundation under Award No DMS1103803, the MURI program under AFOSR Grant No FA9550-08-1-0352, and a National Science Foundation Graduate Research Fellowship
References
  • [1] random(4) Linux manual page. http://www.kernel.org/doc/manpages/online/pages/man4/random.4.html.
  • [2] BAUER, M., AND LAURIE, B. Factoring silly keys from the keyservers. In The Shoestring Foundation Weblog (July 2004). http://shoestringfoundation.org/cgi-bin/blosxom.cgi/2004/07/01#non-pgp-key.
  • [3] BEAZLEY, D. SWIG: An easy to use tool for integrating scripting languages with C and C++. In Proc. 4th USENIX Tcl/Tk Workshop (1996), pp. 129–139.
  • [4] BELLARE, M., BRAKERSKI, Z., NAOR, M., RISTENPART, T., SEGEV, G., SHACHAM, H., AND YILEK, S. Hedged public-key encryption: How to protect against bad randomness. In Proc. Asiacrypt 2009 (Dec. 2009), M. Matsui, Ed., pp. 232–249.
  • [5] BELLARE, M., GOLDWASSER, S., AND MICCIANCIO, D. “Pseudo-random” generators within cryptographic applications: the DSS case. In Advances in Cryptology—CRYPTO ’97 (Aug. 1997), B. S. Kaliski Jr., Ed., pp. 277–291.
  • [6] BELLO, L. DSA-1571-1 OpenSSL—Predictable random number generator, 2008. Debian Security Advisory. http://www.debian.org/security/2008/dsa-1571.
  • [7] BERNSTEIN, D. J. How to find the smooth parts of integers. http://cr.yp.to/papers.html#smoothparts.
  • [8] BERNSTEIN, D. J. Fast multiplication and its applications. Algorithmic Number Theory (May 2008), 325–384.
  • [9] BLUM, M., AND MICALI, S. How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13, 4 (1984), 850–864.
  • [10] BONEH, D. Twenty years of attacks on the RSA cryptosystem. Notices of the AMS 46, 2 (1999), 203–213.
  • [11] BRIER, E., CLAVIER, C., CORON, J., AND NACCACHE, D. Cryptanalysis of RSA signatures with fixed-pattern padding. In Advances in Cryptology—CRYPTO 2001, pp. 433–439.
  • [12] BROWN, D. R. L. Standards for efficient cryptography 1: Elliptic curve cryptography, 2009. http://www.secg.org/download/aid780/sec1-v2.pdf.
  • [13] BUSHING, MARCAN, SEGHER, AND SVEN. Console hacking 2010: PS3 epic fail. Talk at 27th Chaos Communication Congress (2010). http://events.ccc.de/congress/2010/Fahrplan/attachments/1780_27c3_console_hacking_2010.pdf.
  • [14] CHOR, B., AND GOLDREICH, O. Unbiased bits from sources of weak randomness and probabilistic communication complexity. In Proc. 26th IEEE Symposium on Foundations of Computer Science (1985), pp. 429–442.
  • [15] COPPERSMITH, D. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. Journal of Cryptology 10, 4 (1997), 233–260.
  • [16] COX, M., ENGELSCHALL, R., HENSON, S., LAURIE, B., ET AL. The OpenSSL project. http://www.openssl.org.
  • [17] DAVIS, D., IHAKA, R., AND FENSTERMACHER, P. Cryptographic randomness from air turbulence in disk drives. In Advances in Cryptology—CRYPTO ’94 (1994), pp. 114–120.
  • [18] DIERKS, T., AND RESCORLA, E. The Transport Layer Security (TLS) Protocol, Version 1.2. RFC 5246.
  • [19] DORRENDORF, L., GUTTERMAN, Z., AND PINKAS, B. Cryptanalysis of the Windows random number generator. In Proc. 14th ACM Conference on Computer and Communications Security (2007), CCS ’07, pp. 476–485.
  • [20] ECKERSLEY, P., AND BURNS, J. An observatory for the SSLiverse. Talk at Defcon 18 (2010). https://www.eff.org/files/DefconSSLiverse.pdf.
  • [21] GETZ, R. IRQF_SAMPLE_RANDOM question... Linux Kernel Mailing List post. https://lkml.org/lkml/2009/4/6/283.
  • [22] GOLDBERG, I., AND WAGNER, D. Randomness and the Netscape browser. Dr. Dobb’s Journal 21, 1 (1996), 66–70.
  • [23] GRANLUND, T., ET AL. The GNU multiple precision arithmetic library. http://gmplib.org/.
  • [24] GUTMANN, P. Software generation of random numbers for cryptographic purposes. In Proc. 7th USENIX Security Symposium (1998), pp. 243–257.
  • [25] GUTMANN, P. Lessons learned in implementing and deploying crypto software. In Proc. 11th USENIX Security Symposium (2002), pp. 315–325.
  • [26] GUTTERMAN, Z., PINKAS, B., AND REINMAN, T. Analysis of the Linux random number generator. In Proc. 2006 IEEE Symposium on Security and Privacy (May 2006), pp. 371–385.
  • [27] HALDERMAN, J. A., SCHOEN, S., HENINGER, N., CLARKSON, W., PAUL, W., CALANDRINO, J., FELDMAN, A., APPELBAUM, J., AND FELTEN, E. Lest we remember: Cold boot attacks on encryption keys. In Proc. 17th USENIX Security Symposium (July 2008), pp. 45–60.
  • [28] HEFFNER, C., ET AL. LittleBlackBox: Database of private SSL/SSH keys for embedded devices. http://code.google.com/p/littleblackbox/.
  • [29] HENINGER, N., ET AL. There’s no need to panic over factorable keys–just mind your Ps and Qs. Freedom to Tinker weblog (2012). https://freedom-to-tinker.com/blog/nadiah/new-research-theresno-need-panic-over-factorable-keys-just-mind-your-ps-and-qs.
  • [30] HOLZ, R., BRAUN, L., KAMMENHUBER, N., AND CARLE, G. The SSL landscape—A thorough analysis of the X.509 PKI using active and passive measurements. In Proc. 2011 ACM SIGCOMM Internet Measurement Conference (2011), pp. 427–444.
  • [31] HOWGRAVE-GRAHAM, N., AND SMART, N. Lattice attacks on digital signature schemes. Designs, Codes and Cryptography 23, 3 (2001), 283–290.
  • [32] IANA. IPv4 address space registry. http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml.
  • [33] KINDER, K. Event-driven programming with Twisted and Python. Linux Journal 2005, 131 (2005), 6.
  • [34] KLEINJUNG, T., AOKI, K., FRANKE, J., LENSTRA, A., THOMÉ, E., BOS, J., GAUDRY, P., KRUPPA, A., MONTGOMERY, P., OSVIK, D., TE RIELE, H., TIMOFEEV, A., AND ZIMMERMANN, P. Factorization of a 768-bit RSA modulus. In Advances in Cryptology—CRYPTO 2010 (2010), T. Rabin, Ed., pp. 333–350.
  • [35] LAWSON, N. DSA requirements for random k value, 2010. http://rdist.root.org/2010/11/19/dsa-requirements-forrandom-k-value/.
  • [36] LENSTRA, A., LENSTRA, H., MANASSE, M., AND POLLARD, J. The number field sieve. In The development of the number field sieve, A. Lenstra and H. Lenstra, Eds., vol. 1554 of Lecture Notes in Mathematics. 1993, pp. 11–42.
  • [37] LENSTRA, A. K., HUGHES, J. P., AUGIER, M., BOS, J. W., KLEINJUNG, T., AND WACHTER, C. Ron was wrong, Whit is right. Cryptology ePrint Archive, Report 2012/064, 2012. http://eprint.iacr.org/2012/064.pdf.
  • [38] LOCKE, G., AND GALLAGHER, P. FIPS PUB 186-3: Digital Signature Standard (DSS). Federal Information Processing Standards Publication (2009).
  • [39] LYON, G. F. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, USA, 2009.
  • [40] MATHEWSON, N., AND PROVOS, N. libevent—An event notification library. http://libevent.org.
  • [41] MAY, A., AND RITZENHOFEN, M. Implicit factoring: On polynomial time factoring given only an implicit hint. In Public Key Cryptography—PKC 2009, pp. 1–14.
  • [42] MIRONOV, I. Factoring RSA moduli. Part II, 2012. http://windowsontheory.org/2012/05/17/factoring-rsa-moduli-part-ii/.
  • [43] RISTENPART, T., AND YILEK, S. When good randomness goes bad: Virtual machine reset vulnerabilities and hedging deployed cryptography. In Proc. ISOC Network and Distributed Security Symposium (2010).
  • [44] RISTIC, I. Internet SSL survey 2010. Talk at BlackHat 2010. http://media.blackhat.com/bh-ad-10/Ristic/BlackHat-AD-2010Ristic-Qualys-SSL-Survey-HTTP-Rating-Guide-slides.pdf.
  • [45] RIVEST, R. L., SHAMIR, A., AND ADLEMAN, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21 (Feb. 1978), 120–126.
  • [46] SIONG, N., AND TOIVONEN, H. M2Crypto Python interface to OpenSSL. http://sandbox.rulemaker.net/ngps/m2/.
  • [47] TAYLOR, G., AND COX, G. Behind Intel’s new random-number generator. IEEE Spectrum (Sept. 2011).
  • [48] TOKUNAGA, C., BLAAUW, D., AND MUDGE, T. True random number generator with a metastability-based quality control. IEEE Journal of Solid-State Circuits 43, 1 (Jan. 2008), 78–85.
  • [49] VINCENT, M. TI-83 Plus OS signing key cracked. In ticalc.org weblog (July 2009). http://www.ticalc.org/archives/news/articles/14/145/145154.html.
  • [50] WOOLLEY, R., MURRAY, M., DOUNIN, M., AND ERMILOV, R. FreeBSD security advisory FreeBSD-SA08:11.arc4random, 2008. http://lists.freebsd.org/pipermail/freebsd-security-notifications/2008-November/000117.html.
  • [51] YILEK, S., RESCORLA, E., SHACHAM, H., ENRIGHT, B., AND SAVAGE, S. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In Proc. 2009 ACM SIGCOMM Internet Measurement Conference, pp. 15–27.
  • [52] YLONEN, T. SSH—secure login connections over the internet. In Proc. 6th USENIX Security Symposium (1996), pp. 37–42.
  • [53] YLÖNEN, T., AND LONVICK, C. The secure shell (SSH) protocol architecture. http://merlot.tools.ietf.org/html/rfc4251.