Recoverable Random Numbers in an Internet of Things Operating System

Over the past decade, several security issues with the Linux Random Number Generator (LRNG) on PCs and Android devices have emerged. The main problem lies in entropy harvesting, particularly at boot time. Entropy collected in the input pool of the LRNG is not transferred to the non-blocking output pool until the entropy counter of the input pool reaches 192 bits out of the 4096-bit pool. Because the entropy estimation of the LRNG is highly conservative, more than a minute may pass before the first transfer. Furthermore, the estimation algorithm is heuristic and its design rationale is unclear. Recently, Google released an Internet of Things (IoT) operating system called Brillo, which is based on the Linux kernel. We analyze the behavior of the random number generator in Brillo, which inherits that of the LRNG, and identify two features that enable recovery of random numbers. Using these features, we demonstrate that 700 bytes of random numbers generated at boot time can be recovered with success probability 90% at a cost of 5.20 × 2^40 trials; the entropy of those 700 bytes is therefore only about 43 bits. Since the initial random numbers are meant to be used for sensitive security parameters, such as stack canaries and key derivation, our observation leads to practical attacks on cryptosystems that rely on them.
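The following is an added example, not code from the paper or from the Linux or Brillo sources. It models the boot-time entropy accounting the abstract describes: the per-event estimate follows the timing heuristic of `add_timer_randomness()` in 3.x kernels (minimum of first-, second- and third-order timestamp differences, halved, log2 via find-last-set, capped at 11 bits), the pool credit is a simplified linear saturation (the real kernel credits less as the pool fills, so these counts are an upper bound), and the 192-of-4096-bit threshold is the figure from the abstract. The two timestamp streams are constructed, not measured. The last function turns a trial count such as 5.20 × 2^40 into an effective-entropy figure in bits.

```c
/* Added example: model of legacy LRNG boot-time entropy accounting.
 * Assumptions: 3.x-style timing estimator, linear pool credit (upper bound),
 * 192-of-4096-bit transfer threshold as given in the abstract. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define INPUT_POOL_BITS      4096
#define TRANSFER_THRESHOLD   192
#define MAX_CREDIT_PER_EVENT 11

struct lrng_model {
    int     entropy_count;               /* credited bits in the input pool */
    int64_t last_time, last_delta, last_delta2;
};

/* find-last-set: 1-based index of the highest set bit; fls(0) == 0 */
static int fls64_(uint64_t x) { int n = 0; while (x) { n++; x >>= 1; } return n; }

/* Per-event estimate: min(|d1|, |d2|, |d3|) of the timing differences,
 * rounded down one bit, log2 via fls, capped at 11 bits. */
int lrng_estimate_event(struct lrng_model *m, int64_t t)
{
    int64_t delta  = t - m->last_time;
    int64_t delta2 = delta - m->last_delta;
    int64_t delta3 = delta2 - m->last_delta2;
    m->last_time = t; m->last_delta = delta; m->last_delta2 = delta2;
    delta = llabs(delta); delta2 = llabs(delta2); delta3 = llabs(delta3);
    if (delta > delta2) delta = delta2;
    if (delta > delta3) delta = delta3;
    int bits = fls64_((uint64_t)delta >> 1);
    return bits > MAX_CREDIT_PER_EVENT ? MAX_CREDIT_PER_EVENT : bits;
}

/* Simplified credit: linear, saturating at the pool size (assumption). */
void lrng_credit(struct lrng_model *m, int bits)
{
    m->entropy_count += bits;
    if (m->entropy_count > INPUT_POOL_BITS) m->entropy_count = INPUT_POOL_BITS;
}

/* Feed n timestamps; return the 1-based index of the event at which the input
 * pool first reaches the transfer threshold, or -1 if it never does.
 * Total credited bits are written to *credited when non-NULL. */
int lrng_events_until_transfer(const int64_t *ts, int n, int *credited)
{
    struct lrng_model m = {0, 0, 0, 0};
    int hit = -1;
    for (int i = 0; i < n; i++) {
        lrng_credit(&m, lrng_estimate_event(&m, ts[i]));
        if (hit < 0 && m.entropy_count >= TRANSFER_THRESHOLD) hit = i + 1;
    }
    if (credited) *credited = m.entropy_count;
    return hit;
}

/* ceil(log2(mantissa * 2^exponent)): effective entropy of an output an
 * attacker recovers by exhausting that many trials. No libm needed. */
int ceil_log2_trials(double mantissa, int exponent)
{
    while (mantissa > 1.0) { mantissa /= 2.0; exponent++; }
    return exponent;
}

/* Constructed timestamp streams (not measurements). */
void fill_periodic(int64_t *ts, int n)        /* a tick every 1000 units */
{ for (int i = 0; i < n; i++) ts[i] = (int64_t)(i + 1) * 1000; }

void fill_geometric(int64_t *ts, int n)       /* gaps 4096, 3*4096, 9*4096, ... */
{ int64_t t = 0, d = 4096; for (int i = 0; i < n; i++) { t += d; ts[i] = t; d *= 3; } }

int main(void)
{
    enum { N = 64 };
    int64_t ts[N];
    int credited, hit;

    fill_periodic(ts, N);
    hit = lrng_events_until_transfer(ts, N, &credited);
    printf("periodic:  %d events credited %d bits, transfer at event %d\n", N, credited, hit);

    fill_geometric(ts, 20);
    hit = lrng_events_until_transfer(ts, 20, &credited);
    printf("geometric: 20 events credited %d bits, transfer at event %d\n", credited, hit);

    printf("5.20 x 2^40 trials ~ %d bits of effective entropy\n", ceil_log2_trials(5.20, 40));
    return 0;
}
```

The periodic stream, which is what regular timer and device interrupts look like early in boot, is credited 9 bits for its first event and nothing afterwards, because the second- and third-order differences collapse to zero; it never reaches the threshold. Even the most favourable stream, where every event earns the 11-bit cap, needs 18 events before the first transfer, and the kernel's real credit function would need more. The trial count from the abstract maps to 43 bits, matching the paper's figure.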
