SlideShare une entreprise Scribd logo

Erlang random numbers and security

Kenji Rikitake
Kenji Rikitake

Random number generation is difficult to do properly. The document discusses pseudo-random number generation and sources of true randomness. It summarizes different random number generators like Mersenne Twister and recommends using cryptographically secure random number generators like those in the Erlang crypto module rather than inventing your own. Parallel execution of random number generators requires techniques like using independent polynomials to ensure randomness.

TechnologieActualités & Politique
1  sur  40
Télécharger pour lire hors ligne
Erlang, random numbers, and the security 1 Kenji Rikitake 10-SEP-2013 for London Erlang User Group meetup 1Sunday, September 8, 13
Executive summary 2 Random number generation is very diffcult to do properly; so don’t try to invent yours! 2Sunday, September 8, 13
Dilbert’s definition of randomness (NOT) 3 http://dilbert.com/strips/comic/2001-10-25/ http://insanity-works.blogspot.jp/2008/05/debianubuntu-serious-opensslssh.html 3Sunday, September 8, 13
What does randomness mean? (Wikipedia) 4 •Commonly, it means lack of pattern or predictability in events •Non-order or non-coherence in a sequence, no intelligible pattern or combination •Statistically, random processes still follow a probabilistic distribution 4Sunday, September 8, 13
“Pseudo” randomness? • The results of deterministic computations can be predicted; there is no real randomness from those algorithms • A predictive sequence generator with a very long period (e.g., (2^19937)-1 times of computations) can be used as a list of pseudo random number generator (PRNG) • Each generation needs a seed for to determine the starting point (aka Initialization Vector) 5 5Sunday, September 8, 13
Then what is “real” randomness? • Mostly depending on the physical events which is very unlikely to be predictable by the consumer of the randomness itself • You can’t really avoid the interference of the exterior environment • But at least statistically whether a sequence is random or not can be measured 6 6Sunday, September 8, 13
Entropy pool and the level of randomness • Entropy is the unit of randomness • If 32-bit word of complete random number exists, it has 32 bits of entropy • If the 32-bit word takes only four different values and each value has a 25% chance of occurring, the word has 2 bits of entropy • The Dilbert’s case has ZERO bit of entropy 7 Source: Neils Ferguson, Bruce Schneier, and Tadayoshi Kohno: Cryptography Engineering, Chapter 9 (Generating Randomness), p. 137, John Wiley and Sons, 2010, ISBN-13: 9780470474242 7Sunday, September 8, 13
Sources of “real” high- entropy sources • Thermal noise (of resistors) • Avalanche noise of Zener diodes • Optical noise (e.g., LavaCan) • Radio noise (static) (random.org) • Rolling the dice (Dice-O-Matic) • Very expensive (= low entropy bit rate) • Practical for seeding purpose only • Not necessarily statistically uniform or gaussian 8 8Sunday, September 8, 13
Avalanche diode noise generator example 9 Source: http://www.erlang-factory.com/conference/SFBay2011/speakers/kenjirikitake 9Sunday, September 8, 13
Arduino Duemilanove and the noise generator 10 Source: http://www.erlang-factory.com/conference/SFBay2011/speakers/kenjirikitake 10Sunday, September 8, 13
Can OS gather entropy from various events in a computer? • Possible events: hard disk access duration, mouse/keyboard timing, ethernet packet arrival timing, wall-clock values, etc. • Note: those events can only happen after when the system is booted; at the boot time the entropy pool is virtually empty • Solutions: use an external entropy source to gather sufficient entropy, or wait for the enough entropy to be gathered and filled into the pool 11 Source: Nadia Heninger, Zakir Durumeric, Eric Wustrow, J.Alex Halderman: Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, Proceedings of the 21st USENIX Security Symposium,August 2012, https://factorable.net/paper.html 11Sunday, September 8, 13
So what are good PRNGs? • Output distribution • uniform distribution: equally covering the all possible values in the same probability • Gaussian/normal distribution: representing the sum of many independent random values • The generation period length should be very large (especially when sharing the same algorithm between multiple processes) 12 12Sunday, September 8, 13
Gaussian/normal distribution 13 Source: http://en.wikipedia.org/wiki/File:Standard_deviation_diagram.svg 13Sunday, September 8, 13
Uniformity is hard to achieve in the real world 14 http://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/ An example: Cryptocat's buggy PRNG written in JavaScript 14Sunday, September 8, 13
Another example: PHP5 rand(0,1) on Windows: see the pattern? 15 http://boallen.com/random-numbers.html 15Sunday, September 8, 13
Android Bitcoin Wallets had PRNG vulnerability to let 55 BTC stolen 16 • Java’s SecureRandom class (wasn’t secure enough on Android actually) • “In order to remain secure the random numbers used to generate private keys must be nondeterministic, meaning that the output of the generator cannot be predicted” • “Android phones/tablets are weak and some signatures have been observed to have colliding R values” http://thegenesisblock.com/security-vulnerability-in-all-android-bitcoin-wallets/ 16Sunday, September 8, 13
Executive summary (again) 17 Random number generation is very diffcult to do properly; so don’t try to invent yours! http://imgs.xkcd.com/comics/random_number.png 17Sunday, September 8, 13
So how Erlang/OTP does on PRNGs? 18 • random module: non-secure PRNG (Wichmann- Hill AS183, in 1982) • crypto module: cryptographically secure PRNG, OpenSSL API in NIFs • For generating passwords and keys, always use the crypto module • There was a bug in SSH module using random function instead of crypto (CVE-2011-0766, discovered by Geoff Cant, fixed on R14B03) 18Sunday, September 8, 13
Erlang’s AS183 512x512 bitmap: at least visually well-randomized 19 http://www.erlang-factory.com/ conference/SFBay2011/speakers/ kenjirikitake 19Sunday, September 8, 13
20 %% Code of AS183 PRNG %% from Erlang/OTP R16B01 lib/stdlib/src/random.erl %% This hasn’t been really changed at least since R14B02 -define(PRIME1, 30269). -define(PRIME2, 30307). -define(PRIME3, 30323). uniform() -> {A1,A2,A3} = case get(random_seed) of undefined -> seed0(); Tuple -> Tuple end, B1 = (A1*171) rem ?PRIME1, B2 = (A2*172) rem ?PRIME2, B3 = (A3*170) rem ?PRIME3, put(random_seed, {B1,B2,B3}), R = B1/?PRIME1 + B2/?PRIME2 + B3/?PRIME3, R - trunc(R). 20Sunday, September 8, 13
Issues on random module, aka AS183 21 • The period length is short (~ 2^43) • Very old design (in 1980s) • Not designed for parallelism • Only three 16-bit integers as the seed • Not designed for speed (float division) • Good thing: it’s pure Erlang code 21Sunday, September 8, 13
Goals for solving issues on random module • Larger period length PRNG needed • New or modern design PRNGs preferred • Addressing parallelism requirements • Non-overlapping = orthogonal sequences • Larger state length for seeding • Availability on both with and without NIFs 22 22Sunday, September 8, 13
Required/suggested features on parallelism • Each PRNG has to manage its own state • Independent = orthogonal sequences from the same algorithm • Splitting the internal state • Using orthogonal polynomials • Seed jumping: fast calculation for advancing the internal state 23 23Sunday, September 8, 13
Alternatives I implented for the random module • sfmt-erlang • tinymt-erlang • Both available at GitHub • Details available as ACM Erlang Workshop papers, as well as from my own web site • These are non-secure PRNGs 24 24Sunday, September 8, 13
Mersenne Twister • BSD licensed • By Matsumoto and Nishimura, 1996 • Very long period ((2^19937) -1) • Uniformly distributed in 623-dimension hypercube, mathematically proven • Widely used on many open-source languages: R, Python, mruby, etc. 25 25Sunday, September 8, 13
SIMD-oriented Fast Mersenne Twister (SFMT) • Improved MT by Saito and Matsumoto (2006) • SIMD-oriented, optimized for x86(_64) • Various period length supported • ((2^607)-1) ~ ((2^216091)-1) • Faster recovery from 0-excess initial state 26 26Sunday, September 8, 13
sfmt-erlang • A straight-forward implementation of SFMT in both pure Erlang and with NIFs • Suggested period length: (2^19937-1) • with NIFS: >x3 faster than random module • A choice on PropEr Erlang test tool 27 27Sunday, September 8, 13
Porting tips of SFMT code from C to Erlang • Make it reentrant: removed all static arrays for the internal state table (no mutable data structure) • SFMT itself can be written as a recursion a[X] = r(a[X-N], a[X-(N-POS1)], a[X-1], a[X-2]) • An Erlang way: adding elements to the heads and do the lists:reverse/1 made the code 50% faster than using the ++ operator! 28 28Sunday, September 8, 13
Speed difference between C and Erlang • On sfmt-erlang • Pure Erlang code: x300 slower than C • Erlang NIF code: still x10 slower than C • Some dilemma: speed optimization is important, but ErlangVM can hardly beat the native C code 29 29Sunday, September 8, 13
TinyMT • MT for smaller memory footprint (and where shorter period length is OK) • Saito and Matsumoto, 2011 • Period: ((2^127)-1), still much > 2^43 • Seed: seven 32-bit unsigned integers • Parallel execution oriented features: ~2^56 independent generation polynomials 30 30Sunday, September 8, 13
tinymt-erlang • A straight-forward implementation of TinyMT in both pure Erlang and with NIFs • Some of sfmt-erlang code are equally applicable (e.g., seed initialization) • x86_64 HiPE optimization: x3 speed • Wall-clock speed: roughly the same as random module • In fprof: x2~x6 slower than random module 31 31Sunday, September 8, 13
Observations on tinymt-erlang code • 32-bit integer ops are on BIGNUMs • Small integer on 32bit Erlang: max 28 bits • Overhead of calling functions and BEAM memory allocation might have taken a significant portion of exec time • sfmt-erlang batch exec is still x3~4 faster than tinymt-erlang batch exec 32 32Sunday, September 8, 13
NIF scheduling issue • NIF blocks the Erlang scheduler • How long can a CPU spend time in a NIF? • Rule of thumb: <1msec per exec • Target for sfmt/tinymt-erlang: < 0.1msec • On Riak this has been a serious issue • Scott Fritchie has an MD5 example code • A preference for the pure Erlang code 33 33Sunday, September 8, 13
TinyMT precomputed polynomial parameters • On 2011, I decided to pre-compute the polynomial parameters at Kyoto University’s super-computer (x86_64) cluster (I could only use two 16-core nodes (32 cores)) • 2^28 (~256M) parameter sets are available for both 32- and 64-bit implementations • Took ~32 days of continuous execution • 18~19 sets/sec for each core 34 34Sunday, September 8, 13
“Secure” PRNGs • One-way function: guessing input or internal state from the output should be kept practically impossible • A PRNG is less secure when: • generation period is shorter • easy function exists to guess the internal state from the output • the output sequence is predictable from the past output sequence data (= a simple PRNG is unsecure) 35 35Sunday, September 8, 13
For building more secure PRNGs • Reducing predictability: always incorporate necessary external extropy • Cryptographic strength: use well-proven algorithms, e.g.,AES, to “encrypt” the PRNG output • Rule of thumb: use crypto:strong_rand_bytes/1 to guarantee sufficient entropy is consumed 36 36Sunday, September 8, 13
Tips for parallel execution of PRNGs • Use completely orthogonal sequences • e.g.,TinyMT independent polynomials • If the seeding space is large, it is unlikely that PRNG sequences from the seeds generated from another PRNGs will collide with each other (but this is not mathematically proven) • Beware of execution sequence change when predictability is important 37 37Sunday, September 8, 13
Tips on secure PRNGs • Don’t invent yours unless you hire a well-experienced cryptographers (i.e., stick to proven functions) • Ensure the system has enough entropy to guarantee the unpredictability • An external hardware RNG is suggested • And don’t let NSA cripple the algorithms! 38 38Sunday, September 8, 13
Executive summary again 39 Random number generation is very diffcult to do properly; so don’t try to invent yours! http://imgs.xkcd.com/comics/security_holes.png 39Sunday, September 8, 13
Thanks Questions? 40 40Sunday, September 8, 13

Recommandé

Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking PrimerYashin Mehaboobe
 
Random
RandomRandom
Randomivoelenchev
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteDug Song
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
Tools for FPGA Development
Tools for FPGA DevelopmentTools for FPGA Development
Tools for FPGA DevelopmentBrahim HAMADICHAREF
 

Recommandé

Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking PrimerYashin Mehaboobe
 
Random
RandomRandom
Randomivoelenchev
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbelleurobsdcon
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Nidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteNidsbench - Network Intrusion Detection Test Suite
Nidsbench - Network Intrusion Detection Test SuiteDug Song
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
Tools for FPGA Development
Tools for FPGA DevelopmentTools for FPGA Development
Tools for FPGA DevelopmentBrahim HAMADICHAREF
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomnessAleksandr Yampolskiy
 
Quest for a low powered home hub 120522
Quest for a low powered home hub 120522Quest for a low powered home hub 120522
Quest for a low powered home hub 120522Paul Tanner
 
Dark Silicon, Mobile Devices, and Possible Open-Source Solutions
Dark Silicon, Mobile Devices, and Possible Open-Source SolutionsDark Silicon, Mobile Devices, and Possible Open-Source Solutions
Dark Silicon, Mobile Devices, and Possible Open-Source SolutionsKoan-Sin Tan
 
Three things that rowhammer taught me by Halvar Flake
Three things that rowhammer taught me by Halvar FlakeThree things that rowhammer taught me by Halvar Flake
Three things that rowhammer taught me by Halvar Flaken|u - The Open Security Community
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
BarCamp Melbourne 2012: Internet of Things
BarCamp Melbourne 2012: Internet of ThingsBarCamp Melbourne 2012: Internet of Things
BarCamp Melbourne 2012: Internet of ThingsAndy Gelme
 
Optimising code using Span<T>
Optimising code using Span<T>Optimising code using Span<T>
Optimising code using Span<T>Mirco Vanini
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoTMark Carney
 
Hardware for JavaScript Developers
Hardware for JavaScript DevelopersHardware for JavaScript Developers
Hardware for JavaScript DevelopersTarik Kelestemur
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_publicantitree
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsWSO2
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number GeneratorXequeMateShannon
 
Fault tolerance - look, it's simple!
Fault tolerance - look, it's simple!Fault tolerance - look, it's simple!
Fault tolerance - look, it's simple!Izzet Mustafaiev
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Intro africahackpart2
Intro africahackpart2Intro africahackpart2
Intro africahackpart2Vanessa Lošić
 

Contenu connexe

Tendances

Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnieZoltan Balazs
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...RootedCON
 
Quest for a low powered home hub 120522
Quest for a low powered home hub 120522Quest for a low powered home hub 120522
Quest for a low powered home hub 120522Paul Tanner
 

Tendances (6)

Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 
Predicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keys
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
 
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...
 
OWASP Much ado about randomness
OWASP Much ado about randomnessOWASP Much ado about randomness
OWASP Much ado about randomness
 
Quest for a low powered home hub 120522
Quest for a low powered home hub 120522Quest for a low powered home hub 120522
Quest for a low powered home hub 120522
 

Similaire à Erlang random numbers and security

Dark Silicon, Mobile Devices, and Possible Open-Source Solutions
Dark Silicon, Mobile Devices, and Possible Open-Source SolutionsDark Silicon, Mobile Devices, and Possible Open-Source Solutions
Dark Silicon, Mobile Devices, and Possible Open-Source SolutionsKoan-Sin Tan
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
BarCamp Melbourne 2012: Internet of Things
BarCamp Melbourne 2012: Internet of ThingsBarCamp Melbourne 2012: Internet of Things
BarCamp Melbourne 2012: Internet of ThingsAndy Gelme
 
Optimising code using Span<T>
Optimising code using Span<T>Optimising code using Span<T>
Optimising code using Span<T>Mirco Vanini
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoTMark Carney
 
Hardware for JavaScript Developers
Hardware for JavaScript DevelopersHardware for JavaScript Developers
Hardware for JavaScript DevelopersTarik Kelestemur
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_publicantitree
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsWSO2
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number GeneratorXequeMateShannon
 
Fault tolerance - look, it's simple!
Fault tolerance - look, it's simple!Fault tolerance - look, it's simple!
Fault tolerance - look, it's simple!Izzet Mustafaiev
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Introduction to cryptography for software developers
Introduction to cryptography for software developersIntroduction to cryptography for software developers
Introduction to cryptography for software developersIntopalo Digital Oy
 
inside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdfinside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdfxiso
 

Similaire à Erlang random numbers and security (20)

Dark Silicon, Mobile Devices, and Possible Open-Source Solutions
Dark Silicon, Mobile Devices, and Possible Open-Source SolutionsDark Silicon, Mobile Devices, and Possible Open-Source Solutions
Dark Silicon, Mobile Devices, and Possible Open-Source Solutions
 
Three things that rowhammer taught me by Halvar Flake
Three things that rowhammer taught me by Halvar FlakeThree things that rowhammer taught me by Halvar Flake
Three things that rowhammer taught me by Halvar Flake
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
BarCamp Melbourne 2012: Internet of Things
BarCamp Melbourne 2012: Internet of ThingsBarCamp Melbourne 2012: Internet of Things
BarCamp Melbourne 2012: Internet of Things
 
Optimising code using Span<T>
Optimising code using Span<T>Optimising code using Span<T>
Optimising code using Span<T>
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoT
 
Hardware for JavaScript Developers
Hardware for JavaScript DevelopersHardware for JavaScript Developers
Hardware for JavaScript Developers
 
Introduction to ethereum_public
Introduction to ethereum_publicIntroduction to ethereum_public
Introduction to ethereum_public
 
Your Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of ThingsYour Thing is pwnd - Security Challenges for the Internet of Things
Your Thing is pwnd - Security Challenges for the Internet of Things
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
 
Intel Random Number Generator
Intel Random Number GeneratorIntel Random Number Generator
Intel Random Number Generator
 
Fault tolerance - look, it's simple!
Fault tolerance - look, it's simple!Fault tolerance - look, it's simple!
Fault tolerance - look, it's simple!
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Intro africahackpart2
Intro africahackpart2Intro africahackpart2
Intro africahackpart2
 
503
503503
503
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to Root
 
Introduction to cryptography for software developers
Introduction to cryptography for software developersIntroduction to cryptography for software developers
Introduction to cryptography for software developers
 
inside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdfinside-linux-kernel-rng-presentation-sept-13-2022.pdf
inside-linux-kernel-rng-presentation-sept-13-2022.pdf
 

Dernier

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Erlang random numbers and security

  • 1. Erlang, random numbers, and the security 1 Kenji Rikitake 10-SEP-2013 for London Erlang User Group meetup 1Sunday, September 8, 13
  • 2. Executive summary 2 Random number generation is very diffcult to do properly; so don’t try to invent yours! 2Sunday, September 8, 13
  • 3. Dilbert’s definition of randomness (NOT) 3 http://dilbert.com/strips/comic/2001-10-25/ http://insanity-works.blogspot.jp/2008/05/debianubuntu-serious-opensslssh.html 3Sunday, September 8, 13
  • 4. What does randomness mean? (Wikipedia) 4 •Commonly, it means lack of pattern or predictability in events •Non-order or non-coherence in a sequence, no intelligible pattern or combination •Statistically, random processes still follow a probabilistic distribution 4Sunday, September 8, 13
  • 5. “Pseudo” randomness? • The results of deterministic computations can be predicted; there is no real randomness from those algorithms • A predictive sequence generator with a very long period (e.g., (2^19937)-1 times of computations) can be used as a list of pseudo random number generator (PRNG) • Each generation needs a seed for to determine the starting point (aka Initialization Vector) 5 5Sunday, September 8, 13
  • 6. Then what is “real” randomness? • Mostly depending on the physical events which is very unlikely to be predictable by the consumer of the randomness itself • You can’t really avoid the interference of the exterior environment • But at least statistically whether a sequence is random or not can be measured 6 6Sunday, September 8, 13
  • 7. Entropy pool and the level of randomness • Entropy is the unit of randomness • If 32-bit word of complete random number exists, it has 32 bits of entropy • If the 32-bit word takes only four different values and each value has a 25% chance of occurring, the word has 2 bits of entropy • The Dilbert’s case has ZERO bit of entropy 7 Source: Neils Ferguson, Bruce Schneier, and Tadayoshi Kohno: Cryptography Engineering, Chapter 9 (Generating Randomness), p. 137, John Wiley and Sons, 2010, ISBN-13: 9780470474242 7Sunday, September 8, 13
  • 8. Sources of “real” high- entropy sources • Thermal noise (of resistors) • Avalanche noise of Zener diodes • Optical noise (e.g., LavaCan) • Radio noise (static) (random.org) • Rolling the dice (Dice-O-Matic) • Very expensive (= low entropy bit rate) • Practical for seeding purpose only • Not necessarily statistically uniform or gaussian 8 8Sunday, September 8, 13
  • 9. Avalanche diode noise generator example 9 Source: http://www.erlang-factory.com/conference/SFBay2011/speakers/kenjirikitake 9Sunday, September 8, 13
  • 10. Arduino Duemilanove and the noise generator 10 Source: http://www.erlang-factory.com/conference/SFBay2011/speakers/kenjirikitake 10Sunday, September 8, 13
  • 11. Can OS gather entropy from various events in a computer? • Possible events: hard disk access duration, mouse/keyboard timing, ethernet packet arrival timing, wall-clock values, etc. • Note: those events can only happen after when the system is booted; at the boot time the entropy pool is virtually empty • Solutions: use an external entropy source to gather sufficient entropy, or wait for the enough entropy to be gathered and filled into the pool 11 Source: Nadia Heninger, Zakir Durumeric, Eric Wustrow, J.Alex Halderman: Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, Proceedings of the 21st USENIX Security Symposium,August 2012, https://factorable.net/paper.html 11Sunday, September 8, 13
  • 12. So what are good PRNGs? • Output distribution • uniform distribution: equally covering the all possible values in the same probability • Gaussian/normal distribution: representing the sum of many independent random values • The generation period length should be very large (especially when sharing the same algorithm between multiple processes) 12 12Sunday, September 8, 13
  • 14. Uniformity is hard to achieve in the real world 14 http://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/ An example: Cryptocat's buggy PRNG written in JavaScript 14Sunday, September 8, 13
  • 15. Another example: PHP5 rand(0,1) on Windows: see the pattern? 15 http://boallen.com/random-numbers.html 15Sunday, September 8, 13
  • 16. Android Bitcoin Wallets had PRNG vulnerability to let 55 BTC stolen 16 • Java’s SecureRandom class (wasn’t secure enough on Android actually) • “In order to remain secure the random numbers used to generate private keys must be nondeterministic, meaning that the output of the generator cannot be predicted” • “Android phones/tablets are weak and some signatures have been observed to have colliding R values” http://thegenesisblock.com/security-vulnerability-in-all-android-bitcoin-wallets/ 16Sunday, September 8, 13
  • 17. Executive summary (again) 17 Random number generation is very diffcult to do properly; so don’t try to invent yours! http://imgs.xkcd.com/comics/random_number.png 17Sunday, September 8, 13
  • 18. So how Erlang/OTP does on PRNGs? 18 • random module: non-secure PRNG (Wichmann- Hill AS183, in 1982) • crypto module: cryptographically secure PRNG, OpenSSL API in NIFs • For generating passwords and keys, always use the crypto module • There was a bug in SSH module using random function instead of crypto (CVE-2011-0766, discovered by Geoff Cant, fixed on R14B03) 18Sunday, September 8, 13
  • 19. Erlang’s AS183 512x512 bitmap: at least visually well-randomized 19 http://www.erlang-factory.com/ conference/SFBay2011/speakers/ kenjirikitake 19Sunday, September 8, 13
  • 20. 20 %% Code of AS183 PRNG %% from Erlang/OTP R16B01 lib/stdlib/src/random.erl %% This hasn’t been really changed at least since R14B02 -define(PRIME1, 30269). -define(PRIME2, 30307). -define(PRIME3, 30323). uniform() -> {A1,A2,A3} = case get(random_seed) of undefined -> seed0(); Tuple -> Tuple end, B1 = (A1*171) rem ?PRIME1, B2 = (A2*172) rem ?PRIME2, B3 = (A3*170) rem ?PRIME3, put(random_seed, {B1,B2,B3}), R = B1/?PRIME1 + B2/?PRIME2 + B3/?PRIME3, R - trunc(R). 20Sunday, September 8, 13
  • 21. Issues on random module, aka AS183 21 • The period length is short (~ 2^43) • Very old design (in 1980s) • Not designed for parallelism • Only three 16-bit integers as the seed • Not designed for speed (float division) • Good thing: it’s pure Erlang code 21Sunday, September 8, 13
  • 22. Goals for solving issues on random module • Larger period length PRNG needed • New or modern design PRNGs preferred • Addressing parallelism requirements • Non-overlapping = orthogonal sequences • Larger state length for seeding • Availability on both with and without NIFs 22 22Sunday, September 8, 13
  • 23. Required/suggested features on parallelism • Each PRNG has to manage its own state • Independent = orthogonal sequences from the same algorithm • Splitting the internal state • Using orthogonal polynomials • Seed jumping: fast calculation for advancing the internal state 23 23Sunday, September 8, 13
  • 24. Alternatives I implented for the random module • sfmt-erlang • tinymt-erlang • Both available at GitHub • Details available as ACM Erlang Workshop papers, as well as from my own web site • These are non-secure PRNGs 24 24Sunday, September 8, 13
  • 25. Mersenne Twister • BSD licensed • By Matsumoto and Nishimura, 1996 • Very long period ((2^19937) -1) • Uniformly distributed in 623-dimension hypercube, mathematically proven • Widely used on many open-source languages: R, Python, mruby, etc. 25 25Sunday, September 8, 13
  • 26. SIMD-oriented Fast Mersenne Twister (SFMT) • Improved MT by Saito and Matsumoto (2006) • SIMD-oriented, optimized for x86(_64) • Various period length supported • ((2^607)-1) ~ ((2^216091)-1) • Faster recovery from 0-excess initial state 26 26Sunday, September 8, 13
  • 27. sfmt-erlang • A straight-forward implementation of SFMT in both pure Erlang and with NIFs • Suggested period length: (2^19937-1) • with NIFS: >x3 faster than random module • A choice on PropEr Erlang test tool 27 27Sunday, September 8, 13
  • 28. Porting tips of SFMT code from C to Erlang • Make it reentrant: removed all static arrays for the internal state table (no mutable data structure) • SFMT itself can be written as a recursion a[X] = r(a[X-N], a[X-(N-POS1)], a[X-1], a[X-2]) • An Erlang way: adding elements to the heads and do the lists:reverse/1 made the code 50% faster than using the ++ operator! 28 28Sunday, September 8, 13
  • 29. Speed difference between C and Erlang • On sfmt-erlang • Pure Erlang code: x300 slower than C • Erlang NIF code: still x10 slower than C • Some dilemma: speed optimization is important, but ErlangVM can hardly beat the native C code 29 29Sunday, September 8, 13
  • 30. TinyMT • MT for smaller memory footprint (and where shorter period length is OK) • Saito and Matsumoto, 2011 • Period: ((2^127)-1), still much > 2^43 • Seed: seven 32-bit unsigned integers • Parallel execution oriented features: ~2^56 independent generation polynomials 30 30Sunday, September 8, 13
  • 31. tinymt-erlang • A straight-forward implementation of TinyMT in both pure Erlang and with NIFs • Some of sfmt-erlang code are equally applicable (e.g., seed initialization) • x86_64 HiPE optimization: x3 speed • Wall-clock speed: roughly the same as random module • In fprof: x2~x6 slower than random module 31 31Sunday, September 8, 13
  • 32. Observations on tinymt-erlang code • 32-bit integer ops are on BIGNUMs • Small integer on 32bit Erlang: max 28 bits • Overhead of calling functions and BEAM memory allocation might have taken a significant portion of exec time • sfmt-erlang batch exec is still x3~4 faster than tinymt-erlang batch exec 32 32Sunday, September 8, 13
  • 33. NIF scheduling issue • NIF blocks the Erlang scheduler • How long can a CPU spend time in a NIF? • Rule of thumb: <1msec per exec • Target for sfmt/tinymt-erlang: < 0.1msec • On Riak this has been a serious issue • Scott Fritchie has an MD5 example code • A preference for the pure Erlang code 33 33Sunday, September 8, 13
  • 34. TinyMT precomputed polynomial parameters • On 2011, I decided to pre-compute the polynomial parameters at Kyoto University’s super-computer (x86_64) cluster (I could only use two 16-core nodes (32 cores)) • 2^28 (~256M) parameter sets are available for both 32- and 64-bit implementations • Took ~32 days of continuous execution • 18~19 sets/sec for each core 34 34Sunday, September 8, 13
  • 35. “Secure” PRNGs • One-way function: guessing input or internal state from the output should be kept practically impossible • A PRNG is less secure when: • generation period is shorter • easy function exists to guess the internal state from the output • the output sequence is predictable from the past output sequence data (= a simple PRNG is unsecure) 35 35Sunday, September 8, 13
  • 36. For building more secure PRNGs • Reducing predictability: always incorporate necessary external extropy • Cryptographic strength: use well-proven algorithms, e.g.,AES, to “encrypt” the PRNG output • Rule of thumb: use crypto:strong_rand_bytes/1 to guarantee sufficient entropy is consumed 36 36Sunday, September 8, 13
  • 37. Tips for parallel execution of PRNGs • Use completely orthogonal sequences • e.g.,TinyMT independent polynomials • If the seeding space is large, it is unlikely that PRNG sequences from the seeds generated from another PRNGs will collide with each other (but this is not mathematically proven) • Beware of execution sequence change when predictability is important 37 37Sunday, September 8, 13
  • 38. Tips on secure PRNGs • Don’t invent yours unless you hire a well-experienced cryptographers (i.e., stick to proven functions) • Ensure the system has enough entropy to guarantee the unpredictability • An external hardware RNG is suggested • And don’t let NSA cripple the algorithms! 38 38Sunday, September 8, 13
  • 39. Executive summary again 39 Random number generation is very diffcult to do properly; so don’t try to invent yours! http://imgs.xkcd.com/comics/security_holes.png 39Sunday, September 8, 13