
CRYPTO RANDOM NUMBERS AND CSPRNG USING HMAC ALGORITHM

ELEM014: SECURITY AND AUTHENTICATION
Muhammad Ali Malik, ID: 110591629
mam30@eecs.qmul.ac.uk

INTRODUCTION
Early cryptosystems relied on simple schemes for encrypting data; as time passed, ever more complex algorithms were developed. Because these algorithms were built on fixed logic, attackers used counter-logic to predict properties of the systems, relying on frequency tests or other mathematical factors. Random numbers were then fused into cryptographic algorithms to remove the guessing factor from cryptanalysis as far as possible. Crypto-random numbers, or more precisely cryptographically secure random numbers, are the backbone of many cryptographic and security applications. They are numbers with a high degree of unbiased randomness. Even the strongest cryptosystem that uses random numbers at any stage can fail if the randomness in them fails. [1] Not every stream of random numbers is cryptographically secure, nor can true randomness be achieved efficiently and economically for every cryptographic application. Pseudo-random numbers is the term used for random number sequences that approximate the properties of true randomness among their elements.

RANDOMNESS LEVELS AND SOURCES


Random numbers are generated either algorithmically (by algorithms designed purely for random number generation, or by existing cryptographic algorithms) or from the inputs of some physical process. Those obtained from physical process inputs are called true random numbers; those produced algorithmically are known as pseudo-random numbers.

A true random number generator (TRNG) uses one or more physical process inputs and converts/samples them into digital form through transducers. Most physical processes are completely random and unpredictable. Thermal noise, free-running oscillators, radioactive decay times, piezoelectric currents, capacitor currents and leakage currents can all serve as sources of random sequences. On-chip computer resources can also be used to generate random bits. For example, consider a camera with a covered lens: in normal use, light from a real-world source strikes the capacitive CMOS sensor, which senses the number of photons striking each pixel as well as their energies; with the lens covered, only thermal noise remains, and this can be amplified and digitized for true randomness. [2] A pseudo-random number generator (PRNG) is a deterministic algorithm that produces streams of random bits. A pseudo-random function (PRF) does the same job but outputs bits of a fixed length. PRNGs are discussed later in this essay in detail, as they are widely used in cryptographic applications. Unlike the key, which cannot, the seed input to a CSPRNG can itself be random; this defeats the overall predictability of the random sequence.

APPLICATIONS OF CRYPTO-SECURE RANDOM NUMBERS


Every cryptographic technique is based on an algorithm: we make shifts, apply permutations, and repeat cyclic processes for encryption. Including randomness in it increases the chance that a cryptosystem will withstand attacks, especially brute-force attacks, and can increase the computational security of an encryption scheme. Randomness also removes the effects of sequenced algorithms, so that attackers cannot reason sequentially on certain technical grounds, which adds confusion for cryptanalysis. Practical applications of such random numbers are:
- Bit streams for one-time pads, a process also known as symmetric stream encryption.
- Key exchange processes such as Diffie-Hellman, and public key cryptosystems such as ElGamal.
- Session keys generated by a key distribution center (KDC).
- Nonces in authentication protocols that sign encrypted communication, to prevent replay attacks and to provide reciprocal authentication. [7]
- Quantum key distribution (QKD). [4]
- Random keys built from large random prime numbers for the RSA public key encryption algorithm.
  - Brute-force attacks that guess the prime factors in RSA: just as good primes are needed for strong RSA keys, quality random prime candidates are equally important for guessing the factors of the larger prime number.
- Point-to-point secure wireless communication, by using the same seed for key generation on both devices. [5]
- Key generation for wireless LAN communication. [6]
- Obtaining the watermark signal, or the m-bit signature, in digital watermarking.

BEING RANDOM
For secure cryptography, number streams must be random as well as unpredictable. So what level of randomness is adequate for cryptography? Criteria are available to statistically assess the randomness of a given number stream:
- Uniform distribution: zeros and ones occur in the stream with equal probability, i.e. the stream itself has maximum probabilistic entropy.
- Independence: it should not be possible to infer successive or non-successive entries of the sequence from the others.
To determine uniform distribution, many mathematical tests are available, such as Pearson's chi-squared test [8], which can confirm the uniformity of bits in a random string. In contrast, no statistic can be applied to ensure the indefinite independence of random bits. Because there are infinitely many ways in which the bits of a sequence can be interdependent, infinitely many tests can neither be conceived nor applied for completeness; instead, counter-tactics are applied to obtain a strong indication that the sequence bits are not dependent. [3] Only a true random stream is always unpredictable; streams shaped by algorithms have some level of predictability in them (software algorithms are presented later in the essay). Because of this predictability of pseudo-random sequences, encrypted sessions and KDC keys could be exposed if the sequence elements are successfully predicted.
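Pearson's chi-squared test mentioned above, as an added example that is not part of the essay: a monobit test over the 0/1 counts (1 degree of freedom) and a 256-bin test over byte values (255 degrees of freedom), each compared with its 5% critical value. The sample streams are constructed; the third one passes the bit test but not the byte test, which is why a single uniformity test is never enough.

```python
# Chi-squared uniformity checks for a candidate random byte stream (added example).
# Critical values are the usual 5% significance thresholds of the chi-squared
# distribution for the given degrees of freedom.
CRITICAL_DF1 = 3.841       # 1 degree of freedom (monobit: zeros vs ones)
CRITICAL_DF255 = 293.248   # 255 degrees of freedom (256 byte-value bins)


def bit_chi_squared(data: bytes) -> float:
    """Monobit chi-squared statistic: deviation of the 0/1 counts from n/2 each."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    zeros = n - ones
    expected = n / 2
    return (zeros - expected) ** 2 / expected + (ones - expected) ** 2 / expected


def byte_chi_squared(data: bytes) -> float:
    """256-bin chi-squared statistic over byte values: a coarser check than single
    bits, though it still says nothing about long-range independence."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_uniform(data: bytes) -> bool:
    """True only if the stream passes both tests at the 5% level."""
    return (bit_chi_squared(data) < CRITICAL_DF1
            and byte_chi_squared(data) < CRITICAL_DF255)


# Constructed sample streams (not real generator output):
BALANCED = bytes(range(256)) * 16   # every byte value 16 times: passes both tests
ALL_ZERO = b"\x00" * 4096           # fails the bit test outright
HALF_BITS = b"\x0f" * 4096          # exactly half the bits set, yet one byte value only

if __name__ == "__main__":
    for name, stream in [("balanced", BALANCED), ("all-zero", ALL_ZERO), ("0x0f only", HALF_BITS)]:
        print(f"{name:10s} bit chi2={bit_chi_squared(stream):10.1f} "
              f"byte chi2={byte_chi_squared(stream):12.1f} uniform={looks_uniform(stream)}")
```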

RANDOM AND SECURE


Cryptographically secure pseudo-random bit generators are abbreviated CSPRNG. As mentioned above, several tests are available to determine the randomness of a sequence. But cryptographic security needs not only randomness but also unpredictability. This requires PRNGs to have:
- Scalability: any subsequence sampled from the parent sequence should also be random and pass all randomness tests.
- Consistency: every possible input seed must yield equal randomness among all sequences. [3]

Pseudo-random numbers should never be predictable. Needless to say, the seed used to create a random sequence plays the same role as the key in a cryptographic operation. With the seed value unknown, the next output value must be unpredictable by cryptanalysis; and if two or more successive outputs are known, the generating algorithm should be strong enough to defeat efforts to deduce the seed value.

Figure 1: Simple PRNG [3] (seed -> deterministic algorithm (PRNG) -> pseudorandom bit stream)

As the figure shows, these generators take a seed as input to start generating random bits. The quality of the seed is an important factor in obtaining crypto-secure streams, and in this case the seed value must be kept secret at any cost. If an attacker knows the initial seed, or any intermediate feedback seed together with the current position in the sequence, the whole sequence can be reproduced. A possible solution is to refresh or break the PRNG's continuing stream after some random number of iterations, so that a breach of the seed value exposes only part of the stream rather than all of it. A feedback loop in the PRNG can be used to add more entropy to the input seed.

CSPRNG USING HMAC


Although TRNGs would best serve the purpose of encryption, in reality mechanisms for generating random numbers from physical sources are not readily available, or do not meet the required generation bandwidth. In addition, a stream of random numbers sometimes needs to be stored for reference, as in one-time pads, and TRNGs cannot help with this. Therefore, we strongly need algorithmic PRNGs, so that only the seed and the algorithm's design parameters have to be stored.

What if we could obtain a seed with maximum entropy and use an algorithm that itself has randomness properties in its sequential operation? A possible solution is to use cryptographic hash-based MACs to generate CSPRNs. [3] This technique is discussed in this essay for two reasons:
1. It makes use of an already tested and analyzed cryptographic algorithm for CSPRN generation. HMACs have also been examined from the cryptanalytic point of view, and their strengths and weaknesses are well established, so there is no need to develop a completely new CSPRNG algorithm. [3]
2. HMACs employ hashing twice within the algorithm, giving more randomness to the generated numbers.

Figure 2: PRNG using HMAC [9][3] (V (seed input) concatenated with the padded secure key -> hash (randomizing); differently padded key concatenated with the previous hash digest -> hash (randomizing) -> crypto-secure pseudo-random numbers)

In the diagram above, V is the seed input to the generator and K is the secret key for HMAC. Random number generation proceeds as follows. Initially, HMAC takes a key and a seed value; the seed V, concatenated with the padded key, is passed through a hash function, creating a first level of randomness. A differently padded key is concatenated with the resulting digest, and all of this is hashed again, generating a second level of randomness. This doubly hashed output is the random number produced by the HMAC process, and it is fed back into the generator as the next seed. [3]

(Detailed parameters of HMAC are not illustrated, to stick to the structure rather than the technicalities.)
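The generator described above, as an added example that is neither the essay's figure nor any library's own code: HMAC-SHA-256 written out with its two differently padded keys and two hash calls, then the feedback loop V <- HMAC(K, V) with an optional warm-up discard. The key and seed are constructed placeholders. This follows the essay's simplified structure, not the full NIST SP 800-90 HMAC_DRBG, which additionally updates K in a separate update step.

```python
import hashlib
import hmac
from typing import Iterator

BLOCK_SIZE = 64           # SHA-256 block size in bytes; HMAC pads the key to this length
IPAD, OPAD = 0x36, 0x5C   # the two different key paddings defined in FIPS 198


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC as in FIPS 198: hash(padded key || message), then hash(differently
    padded key || first digest). Written out to show the two hashing levels."""
    if len(key) > BLOCK_SIZE:                 # over-long keys are hashed down first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # zero-pad the key to the block size
    inner = hashlib.sha256(bytes(k ^ IPAD for k in key) + message).digest()
    return hashlib.sha256(bytes(k ^ OPAD for k in key) + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Sanity check of the hand-written HMAC against Python's hmac module."""
    return hmac.compare_digest(hmac_sha256(key, message),
                               hmac.new(key, message, hashlib.sha256).digest())


def hmac_prng(key: bytes, seed: bytes, discard: int = 0) -> Iterator[bytes]:
    """Generator in the essay's structure: V <- HMAC(K, V); each new V is both an
    output block and the seed of the next step. `discard` drops the first blocks
    (the warm-up run the essay suggests before collecting output)."""
    v = seed
    for _ in range(discard):
        v = hmac_sha256(key, v)
    while True:
        v = hmac_sha256(key, v)
        yield v


def random_bytes(key: bytes, seed: bytes, n: int, discard: int = 0) -> bytes:
    """Collect n bytes of output from the generator."""
    out = bytearray()
    gen = hmac_prng(key, seed, discard)
    while len(out) < n:
        out += next(gen)
    return bytes(out[:n])


# Constructed key and seed for demonstration only; a real deployment takes both
# from a high-entropy source and keeps K secret.
K = b"demo-secret-key-not-for-real-use"
V0 = b"initial seed value"

if __name__ == "__main__":
    print(random_bytes(K, V0, 48, discard=10).hex())
```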

SECURITY STRENGTHS AND FLEXIBILITY OF CSPRNGs USING HMAC


The PRNG discussed above can generate cryptographically secure random numbers. Looking at its design, the randomness it produces is itself securely protected by the double hashing. As for the hash function: although a hash such as MD5 is not secure enough by itself against birthday attacks, its strength is doubled by the two-fold hash implementation. MD5 could also be replaced by the SHA-2 family of cryptographic hash functions, or by hashes with a larger digest size, for increased security. It has been proved that MD5 is not collision resistant against modern cryptanalysis. This might even be a benefit here, because a random number may repeat within the generated stream, so using MD5 or SHA-1 family algorithms for HMAC PRNGs is not a problem. From a broader perspective, note that the key used in the HMAC PRNG does not need to be exchanged with other parties; here our only aim is to make crypto-secure random numbers available. This makes the generated random numbers less vulnerable to cryptographic attacks, as the key can be kept secure in one hand, and the problems of sufficient entropy and security of the initial seed are also covered. The first random number generated depends primarily on our secret key and is fed back to the generator as the reseed for subsequent generations. Sufficient initial seed entropy can be obtained by letting the sequence run a number of times before starting to collect the random number sequence for use. [10] The size of the obtained numbers can be controlled by choosing an appropriate hash algorithm. Due to their algorithmic structure, these HMAC-based PRNGs can also be used to generate cipher text for stream ciphers and one-time pads.

CONCLUSION
PRNGs based on HMAC algorithms are more secure than those based on asymmetric cipher techniques. As stronger hashing algorithms are developed, forward and backward predictability of random streams will become ever less probable. In addition, modern hash functions are proven to be more collision resistant, so their inherent randomness can be exploited to generate random numbers that are closer to pure random numbers. It is suggested that cryptosystems which employ random numbers for their cryptographic strength also use this built-in HMAC for their overall authentication. Thus cryptographic security and authentication might become possible with a single algorithm.

References

[1] Kelsey, J., Schneier, B., Wagner, D. and Hall, C. (1998). Cryptanalytic Attacks on Pseudorandom Number Generators (p. 2). [Online] Available at: http://www.schneier.com/paper-prngs.html
[2] Schiller, J. and Crocker, S. (2005). Randomness Requirements for Security (p. 7). D. Eastlake, 3rd, Motorola Laboratories.
[3] Stallings, W. (2011). Cryptography and Network Security: Principles and Practice, 5th ed. (pp. 244-248, 398-404, 413-416). New York: Prentice Hall.
[4] Zbinden, H. (2008). "Random Numbers for Quantum Key Distribution." Symbolic and Numeric Algorithms for Scientific Computing, SYNASC '08, 10th International Symposium on (p. 19).
[5] Ramakrishnan, K., Balasubramanian, A., Mishra, S. and Sridhar, R. (2005). "Wireless security protocol using a low cost pseudo random number generator." Military Communications Conference, 2005, MILCOM 2005, IEEE (pp. 1, 5-6). Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01605863
[6] Salahuddin, Q. and Farhan, A. (2005). Handbook of Wireless Local Area Network (WLAN) Security, edited by Mohammad Ilyas and Syed Ahson (pp. 385-387). Taylor and Francis Group.
[7] IBM. Nonce, a randomly generated token. [Online] Available at: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Fcwbs_noncev6.html [Accessed 11 December 2011].
[8] Stinson, D. (2006). Cryptography: Theory and Practice, 3rd ed. (p. 324). Boca Raton: Taylor and Francis Group, LLC.
[9] FIPS PUB 198 (2002). The Keyed-Hash Message Authentication Code (HMAC). [Online] NIST Computer Security Resource Center. Available at: http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
[10] Barker, E. and Kelsey, J. (2007). Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised). NIST Special Publication 800-90 (pp. 37-41).