Boffin: Dump hardware number generators for encryption and instead look within

Chip timing could be as effective and harder to hack

Hardware-based random number generators (HWRNGs) for encryption could be superseded after a Philippines-based researcher found that side-channel measurement of the timing of CPU operations provides enough entropy to seed crypto systems with the necessary randomness.

In a paper presented on Saturday at the International Conference on Innovative Research in Science, Technology and Management (ICIRSTM) in Singapore, JV Roig, consulting director and software developer at Asia Pacific College (APC) in the Philippines, says that HWRNGs represent a natural target for subversion by national intelligence agencies due to their black-box nature.

Were a HWRNG to be designed to produce predictable (non-random) numbers, the resulting cryptography would be weak – a situation that numerous law enforcement agencies have sought or demanded.

Whether or not these devices have actually been compromised isn't the issue, Roig said in an email to The Register. "HWRNGs are, by nature, black boxes, unauditable, and untrustworthy, so they're out," he said.

The solution within

Roig's paper, "Stronger Cryptography For Every Device, Everywhere: A Side-Channel-Based Approach to Collecting Virtually Unlimited Entropy In Any CPU," claims that because no CPU has identical performance characteristics, true randomness is readily available.

"CPU execution time variance is the way forward, for all types of devices, from servers to IOT/embedded/appliances: run a trivial benchmark, time it, repeat," said Roig. "The accumulated timing info becomes your entropy, the source of your randomness."

He likens these measurements to flipping a coin multiple times to get enough bits of entropy, where each benchmark run counts as a flip. He calls the technique SideRand, and provides sample code written in C:

#include <stdio.h>
#include <time.h>

int main(void) {
  int i = 0;
  int j = 0;
  int samples = 256;                 /* number of timed runs, one "coin flip" each */
  int scale = 5000000;               /* additions per run: the trivial benchmark */
  unsigned int val1 = 2585566630u;   /* too large for a signed int, so unsigned */
  unsigned int val2 = 576722363u;
  volatile unsigned int total = 0;   /* volatile stops the compiler deleting the loop */
  double times[samples];             /* the accumulated timings are the entropy */

  for (i = 0; i < samples; i++) {
    clock_t begin = clock();
    for (j = 0; j < scale; j++) {
      total = val1 + val2;
    }
    clock_t end = clock();
    double time_spent = (double)(end - begin) / CLOCKS_PER_SEC;
    times[i] = time_spent;
    printf("%f\r\n", times[i]);
  }
  return 0;
}

This code, straightforward enough to be easily auditable, should be suitable for older systems with microsecond-level clock precision. It accesses the system clock() function and collects timing information in an array.

The result is 256 timing value samples, which represent enough collected entropy to seed a cryptographically secure pseudo-random number generator (CSPRNG). The paper includes a variant algorithm for more modern systems capable of nanosecond-level precision.
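Whether 256 timings really carry enough entropy is something a practitioner should measure rather than assume. The following added example (not Roig's code and not from the paper) times the same trivial benchmark with a nanosecond clock and applies the simplest NIST SP 800-90B estimator, the most-common-value min-entropy bound, to the low byte of each timing; clock_gettime with CLOCK_MONOTONIC and all function names here are this example's assumptions.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Time one run of the trivial benchmark with a nanosecond clock. Assumes a
   POSIX clock_gettime(); this stands in for the paper's nanosecond-precision
   variant and is not a reproduction of it. */
static uint64_t time_one_run(int scale) {
    struct timespec begin, end;
    volatile uint32_t total = 0;              /* volatile keeps the loop alive */
    uint32_t val1 = 2585566630u, val2 = 576722363u;
    clock_gettime(CLOCK_MONOTONIC, &begin);
    for (int j = 0; j < scale; j++) total = val1 + val2;
    clock_gettime(CLOCK_MONOTONIC, &end);
    int64_t ns = (int64_t)(end.tv_sec - begin.tv_sec) * 1000000000LL
               + (int64_t)(end.tv_nsec - begin.tv_nsec);
    return (uint64_t)ns;
}

/* Fill out[] with n timings and return how many were stored. */
int collect_samples(uint64_t *out, int n, int scale) {
    for (int i = 0; i < n; i++) out[i] = time_one_run(scale);
    return n;
}

/* Most-common-value estimate from NIST SP 800-90B on the low byte of each
   sample: H_min = -log2(p_max). Returns floor(H_min) in bits per sample,
   computed without libm; 8 would mean the low byte looked uniform. */
int mcv_min_entropy_floor(const uint64_t *samples, int n) {
    unsigned counts[256], max = 0;
    if (n <= 0) return 0;
    memset(counts, 0, sizeof counts);
    for (int i = 0; i < n; i++) {
        unsigned c = ++counts[samples[i] & 0xff];
        if (c > max) max = c;
    }
    double p = (double)max / (double)n;     /* p_max */
    int bits = 0;
    while (p <= 0.5) { p *= 2.0; bits++; }  /* each doubling of p_max is one bit */
    return bits;
}

int main(void) {
    uint64_t samples[256];
    int n = collect_samples(samples, 256, 5000000);
    int bits = mcv_min_entropy_floor(samples, n);
    printf("%d samples, >= %d bits/sample (low byte), >= %d bits total\n", n, bits, bits * n);
    return 0;
}
```

Only the bits total, after conditioning the raw timings through a hash, should be compared against the CSPRNG seed target; a low per-sample estimate means more runs are needed, not that the timings are useless.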

Digital fingerprints

CPUs, Roig's paper explains, contain millions or billions of transistors, which have enough variation that no two chips perform identically. Chip designers may try to minimize transistor variances through guardbanding, but the situation has been getting worse over time, as noted last year in a paper by researchers at Lawrence Livermore National Laboratory.

Faced with these differences, chipmakers may resort to CPU binning – designating chips from the same batch with different characteristics as different product lines, so they don't have to toss units that fall short of the spec.

Roig argues that the persistence of chip imperfections means timing measurements will be viable for the foreseeable future.

"Until we reach this level of technology, which does not seem to be on the horizon, and CPUs somehow revert back to having non-dynamic performance scaling features, the proposed side channel-based heuristic is likely to remain a good candidate for ubiquitous secure random number generation across all our CPU-powered devices," his paper says.

Timing measurements, Roig contends, can close the boot-time entropy hole identified by Nadia Heninger and colleagues in 2012 and are simple enough to deter government agencies from trying to backdoor OS RNG seeding.

"This is how we can make sure every device, everywhere, has stronger cryptography," said Roig. ®

Biting the hand that feeds IT © 1998–2022