Information and network security 30 random numbers
- 1. Information and Network Security:30 Random Numbers Prof Neeraj Bhargava Vaibhav Khanna Department of Computer Science School of Engineering and Systems Sciences Maharshi Dayanand Saraswati University Ajmer
- 2. Random Numbers âą many uses of random numbers in cryptography âą nonces in authentication protocols to prevent replay âą session keys âą public key generation âą keystream for a one-time pad âą in all cases its critical that these values be âą statistically random, uniform distribution, independent âą unpredictability of future values from previous values âą true random numbers provide this âą care needed with generated random numbers
- 3. âą Random numbers play an important role in the use of encryption for various network security applications. âą In this presentation, we provide a brief overview of the use of random numbers in cryptography and network security and then focus on the principles of pseudorandom number generation. âą Getting good random numbers is important, but difficult. âą You don't want someone guessing the key you're using to protect your communications because your "random numbers" weren't (as happened in an early release of Netscape SSL). âą Traditionally, the concern in the generation of a sequence of allegedly random numbers has been that the sequence of numbers be random in some well-defined statistical sense (with uniform distribution & independent).
- 4. âą In applications such as reciprocal authentication, session key generation, and stream ciphers, the requirement is not just that the sequence of numbers be statistically random but that the successive members of the sequence are unpredictable âą (so that it is not possible to predict future values having observed previous values). âą With "true" random sequences, each number is statistically independent of other numbers in the sequence and therefore unpredictable. âą However, as is discussed shortly, true random numbers are seldom used; rather, sequences of numbers that appear to be random are generated by some algorithm.
- 5. Pseudorandom Number Generators (PRNGs) âą often use deterministic algorithmic techniques to create ârandom numbersâ âą although are not truly random âą can pass many tests of ârandomnessâ âą known as âpseudorandom numbersâ âą created by âPseudorandom Number Generators (PRNGs)â
- 6. âą Cryptographic applications typically make use of deterministic algorithmic techniques for random number generation, producing sequences of numbers that are not statistically random, but if the algorithm is good, the resulting sequences will pass many reasonable tests of randomness. âą Such numbers are referred to as pseudorandom numbers, created by âPseudorandom Number Generators (PRNGs)â.
- 7. Random & Pseudorandom Number Generators
- 8. âą Stallings Figure above contrasts a true random number generator (TRNG) with two forms of pseudorandom number generators. âą A TRNG takes as input a source that is effectively random; the source is often referred to as an entropy source. âą In contrast, a PRNG takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm. âą Typically, as shown, there is some feedback path by which some of the results of the algorithm are fed back as input as additional output bits are produced. âą The important thing to note is that the output bit stream is determined solely by the input value or values, so that an adversary who knows the algorithm and the seed can reproduce the entire bit stream.
- 9. âą Figure above shows two different forms of PRNGs, based on application; âą âą Pseudorandom number generator: An algorithm that is used to produce an open-ended sequence of bits is referred to as a PRNG. âą A common application for an open-ended sequence of bits is as input to a symmetric stream cipher âą âą Pseudorandom function (PRF): A PRF is used to produced a pseudorandom string of bits of some fixed length. âą Examples are the symmetric encryption keys and nonces. âą Typically, the PRF takes as input a seed plus some context specific values, such as a user ID or an application ID.
- 10. PRNG Requirements âą randomness âą uniformity, scalability, consistency âą unpredictability âą forward & backward unpredictability âą use same tests to check âą characteristics of the seed âą secure âą if known adversary can determine output âą so must be random or pseudorandom number
- 11. PRNG Requirements âą When a PRNG or PRF is used for a cryptographic application, then the basic requirement is that an adversary who does not know the seed is unable to determine the pseudorandom string. âą This general requirement for secrecy of the output of a PRNG or PRF leads to specific requirements in the areas of randomness, unpredictability, and the characteristics of the seed. âą In terms of randomness, the requirement for a PRNG is that the generated bit stream appear random even though it is deterministic. âą NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications) specifies that the tests should seek to establish the following three characteristics: uniformity, scalability, consistency. SP 800-22 lists 15 separate tests of randomness. âą
- 12. PRNG Requirements âą A stream of pseudorandom numbers should exhibit two forms of unpredictability: forward unpredictability, backward unpredictability. The same set of tests for randomness also provide a test of unpredictability. If the generated bit stream appears random, then it is not possible to predict some bit or bit sequence from knowledge of any previous bits. Similarly, if the bit sequence appears random, then there is no feasible way to deduce the seed based on the bit sequence. That is, a random sequence will have no correlation with a fixed value (the seed). âą For cryptographic applications, the seed that serves as input to the PRNG must be secure. Because the PRNG is a deterministic algorithm, if the adversary can deduce the seed, then the output can also be determined. Therefore, the seed must be unpredictable. In fact, the seed itself must be a random or pseudorandom number.
- 13. Assignment âą Explain the working of Pseudorandom Number Generators.