Re: [dsfjdssdfsd] software tools for testing entropy (was: Any plans for drafts or discussions on here?)
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 24 January 2014 00:32 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECCEC1A04A7 for <dsfjdssdfsd@ietfa.amsl.com>; Thu, 23 Jan 2014 16:32:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.102
X-Spam-Level:
X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UXEOrTtwz4G for <dsfjdssdfsd@ietfa.amsl.com>; Thu, 23 Jan 2014 16:32:30 -0800 (PST)
Received: from oproxy19-pub.mail.unifiedlayer.com (oproxy19-pub.mail.unifiedlayer.com [70.40.200.33]) by ietfa.amsl.com (Postfix) with SMTP id 0980E1A04A3 for <dsfjdssdfsd@ietf.org>; Thu, 23 Jan 2014 16:32:29 -0800 (PST)
Received: (qmail 7598 invoked by uid 0); 24 Jan 2014 00:32:29 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy19.mail.unifiedlayer.com with SMTP; 24 Jan 2014 00:32:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=lsgqF9GarTbi/b5jSCBlaAw/iREvBIBzmwfVbmhpQtA=; b=viBaX62rsNpw6/DfOevW0ZJmsQrqA9wUYcTgfpsWGPPNs9Fd6NGHKYGPl8+sUHOYhUXE9ezZYHzAJJQ1PYnJD0R76qooVmB073yeHU56Qe/uykV29L+wJHYMea2PXlN4;
Received: from [70.197.2.244] (port=9931 helo=[10.0.0.1]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.80) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1W6UhA-0005hQ-IU for dsfjdssdfsd@ietf.org; Thu, 23 Jan 2014 17:32:28 -0700
Message-ID: <52E1B499.8050404@KingsMountain.com>
Date: Thu, 23 Jan 2014 16:32:25 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130330 Thunderbird/17.0.5
MIME-Version: 1.0
To: IETF Pseudorandom Number Generator PRNG discussion list <dsfjdssdfsd@ietf.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 70.197.2.244 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [dsfjdssdfsd] software tools for testing entropy (was: Any plans for drafts or discussions on here?)
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 00:32:33 -0000
> are there good software tools for testing entropy, that could help > applications determine if the underlying system is giving them good > input? well, from.. [0] Akram, Raja Naeem, Konstantinos Markantonakis, and Keith Mayes. "Pseudorandom Number Generation in Smart Cards: An Implementation, Performance and Randomness Analysis." New Technologies, Mobility and Security (NTMS), 2012 5th International Conference on. IEEE, 2012. http://digirep.rhul.ac.uk/file/315c7a7e-4963-4a62-189f-4ad198a79f30/5/Paper.pdf ..there's the sections reproduced at [1] below which may (or may not) be helpful. also, NIST has these resources.. NIST SP 800-22: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Application. http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf Random Number Generators (RNG) Testing Requirements: http://csrc.nist.gov/groups/STM/cavp/index.html#04 RNG Test Vectors http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngtestvectors.zip One could also ask the authors of [0] if they might share their impl. hth, =JeffH [1] E. Experimental Proof To provide experimental proof, the NIST statistical test suite was applied. Each algorithm was provided with a common seed file, and generated sequences from it were saved in a binary file. This binary file was used as input to the statistical test. Point to note here is that seed files given to all algorithms were the same. The reason for doing so was to analyse differences in the quality of output while using the same entropy source. For statistical analysis, each algorithm was executed to generate 1,048,578 pseudorandom sequences of 128 bits. Concatenating the outputs into a binary file that was then used for NIST SP 800-22 statistical analysis. The results of each algorithm are listed in Appendix A. Taking into account the Common Criteria AIS 20 [18], our implementation fulfils the requirements for the K4 DRNG. Below is the discussion on how our implementation satisfies these requirements. 1) K1 DRNG: Its a simple requirement that states that if the generated values is of set C =f c1, c2, c3, .., cm g then all members of the set should be distinct regardless of the statistical properties. 2) K2 DRNG: Requires that the implementation should satisfy the statistical properties such as monobit test, poker test and tests on runs. Our implementations were subjected to the NIST SP 800-22 test suite. 3) K3 DRNG: This requires that the entropy of the PRNG is at least 80. All SHA based algorithms has 440 bits seed and block cipher based algorithms has 128 bits seed. All of the seed values were chosen from an external high entropy source that is carefully tested. 4) K4 DRNG: This level requires that the PRNG should be forward-secure. A PRNG is forward-secure if after n iteration of the PRNG, a malicious user is unable to guess the internal state of the generator. The implemented PRNG feed back to the internal seed that is changing in each of the iterations. Furthermore, block cipher based implementation of the PRNG use different key in each of the iterations. Even retrieving a cryptographic key would not help a malicious user to successfully know the entire state of the seed file. In our implementations we tested SHA and block cipher based algorithms for the PRNGs. In general block cipher based algorithms, only a single key is used for the entire lifetime of the generator. However, we have tested that a PRNG could be modified to use a new key on each execution of the generator. The internal key generation mechanism of the block cipher based PRNG implementations are light weight and they do not hamper the overall performance of the generator. Therefore, it could be argued that it provides a more secure block cipher based PRNG then an PRNG that only uses a single key for entire lifetime. Table IV details the percentage of passing sequences pro duced by individual algorithms. As it is evident from table III and IV, there is not a big difference between the implemented algorithms both in terms of performance and percentage of sequence passing the NIST statistical tests. Of particular note, if we take the accumulated average of the passing sequences percentage in the table IV an interesting result emerges. The SHA-1 performs comparative better than other algorithms and AES based PRNG has the least accumulated average of passing sequence as illustrated in figure 4. This measure represents the randomness of the generated sequences - not the security of the algorithm. If we also account for the performance, SHA based algorithms perform better than the encryption based algorithms (e.g. DES and AES). V. CONCLUSION AND FUTURE RESEARCH DIRECTIONS ... Our research into the possibility of using a test suite like NIST SP 800-SP to check pseudorandom number generators in smart cards has showed that it is a workable concept. The tests listed in the NIST SP 800-22 are substantially more then the one recommended for the smart card pseudorandom number generators in AIS20 [18] and AIS31 [13]. This research has demonstrated that even with limited resources and an entropy constrained environment like a smart card, good quality pseudorandom sequences can be generated that can satisfy all the requirements for a PRNG even the ones that are used for general purpose computers. ... --- end