Analysis of the Linux random number generator

Linux is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This paper presents a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on diskless devices

[1]  Christopher C. White,et al.  Focus on Durability, PATH Research at the National Institute of Standards and Technology | NIST , 2001 .

[2]  Makoto Matsumoto,et al.  Twisted GFSR generators II , 1994, TOMC.

[3]  Shai Halevi,et al.  A model and architecture for pseudo-random generation with applications to /dev/random , 2005, CCS '05.

[4]  Dahlia Malkhi,et al.  Hold Your Sessions: An Attack on Java Session-Id Generation , 2005, CT-RSA.

[5]  Shai Halevi,et al.  An Architecture for Robust Pseudo-Random Generation and Applications to /dev/random , 2005, CCS 2005.

[6]  Bruce Schneier,et al.  Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator , 1999, Selected Areas in Cryptography.

[7]  Donald E. Eastlake,et al.  US Secure Hash Algorithm 1 (SHA1) , 2001, RFC.

[8]  Claude E. Shannon,et al.  Communication theory of secrecy systems , 1949, Bell Syst. Tech. J..

[9]  Peter Gutmann,et al.  Testing Issues with OS-based Entropy Sources , 2004 .

[10]  Russ Bubley,et al.  Randomized algorithms , 1995, CSUR.

[11]  Peter Gutmann,et al.  Software Generation of Practically Strong Random Numbers , 1998, USENIX Security Symposium.

[12]  Ian Goldberg,et al.  Randomness and the Netscape browser , 1996 .

[13]  Mark R. V. Murray An Implementation of the Yarrow PRNG for FreeBSD , 2002, BSDCon.

[14]  Bruce Schneier,et al.  Practical cryptography , 2003 .

[15]  Phong Q. Nguyen Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3 , 2004, EUROCRYPT.

[16]  Angelos D. Keromytis,et al.  Cryptography in OpenBSD: An Overview , 1999, USENIX Annual Technical Conference, FREENIX Track.

[17]  Borislav H. Simov,et al.  Extracting Randomness from External Interrupts , 2003 .

[18]  Makoto Matsumoto,et al.  Twisted GFSR generators , 1992, TOMC.

[19]  Bruce Schneier,et al.  Cryptanalytic Attacks on Pseudorandom Number Generators , 1998, FSE.