DEF CON 22 - Dan Kaminsky - Secure Random by Default


Author: DEFCONConference


Secure Random By Default
Dan Kaminsky, Chief Scientist, White Ops

As a general rule in security, we have learned that the best way to achieve security is to enable it by default. However, across operating systems and languages, random number generation is always exposed via two separate and most assuredly unequal APIs -- insecure and default, and secure but obscure. Why not fix this? Why not make JavaScript and PHP and Java and Python and even libc rand() return strong entropy? What are the issues stopping us? Should we just shell back to /dev/urandom, or is there merit to userspace entropy gathering? How does fork() and virtualization impact the question? What of performance, and memory consumption, and headless machines? Turns out the above questions are not actually rhetorical. Just because a change might be a good idea doesn't mean it's a simple one. This will be a deep dive, but one that I believe will actually yield a fix for the repeated *real world* failures of random number generation systems.

Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases. Dan is best known for his work finding a critical flaw in the Internet's Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet's infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.


Comments

  1. 15:45
    Wow, I guess the guy didn't know that YouTube takes about 50% of revenues from people who monetize their videos on their platform. That is not even 30% (Apple). Yeah.
    I guess, if it is Google it is kosher even if it is 66% more...sigh.
    Completely illogical, but there you have it.
  2. This guy makes me reaaally want to go to Def Con.
  3. How about zeroing out freed memory? I don't mean immediately. Just keep the memory allocated until there's low activity, then zero it out and then return it to the system. Can't really exploit a bunch of zeros.
  4. Here's how I test my C programs with random input:
    1. Read 4 bytes from /dev/urandom.
    2. Print those 4 bytes in a log.
    3. Seed glibc's LFSR with them.
    4. Run.
    5. If everything went OK, go back to step 1, else continue.
    6. Hardcode the seed which caused the crash into the program.
    7. Fix the problem.
    8. Go back to step 1.
    Fixed seeds are not for finding problems, they're for reproducing problems so that you can study them and fix them.
    Also when I'm testing an algorithm, I don't need a CSPRNG, I need a fast PRNG. In fact, in most cases (like when a game AI is doing a random decision) you don't need a CSPRNG. What you need is speed.
    I agree that CSPRNGs should be more readily available. Hell, I wouldn't even object to them being the default (better a slow game than an insecure banking application) but things like LFSRs still do have their place.
  5. +DEF CON At 13:11 "rapping stringle" is actually "a rat being strangled" and at 13:34 the artist's name that he is referring to is Lindsey Stirling. These are with the English transcript.
  6. Wireless routers have a FUCKING RADIO. I mean, why are they not getting entropy from the radio? CBR is a wonderful source of entropy.
  7. Wow, Pewdiepie is a hacker?
  8. It was Wesley McGrew that hunts pineapples :-)
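Comment 4 above describes a reproducible random-testing loop (seed from /dev/urandom, log the seed, seed a fast PRNG, run, hard-code the seed that crashed), and the talk abstract's point is that the kernel CSPRNG should be the default source of entropy. The program below is an added example, not code from the talk or from the commenter, that puts the two together in C: the only randomness the test harness draws itself comes from /dev/urandom, and the fast generator exists purely so that a logged seed regenerates the exact failing input. The xorshift32 generator stands in for the commenter's glibc LFSR, the "bug" in `run_under_test` is constructed (it fails on a 1-in-4096 value), and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Fast, non-cryptographic PRNG: xorshift32 (Marsaglia). Stands in for the
 * commenter's glibc LFSR. Fine for test input and game AI; never for keys,
 * tokens or session ids. */
static uint32_t fast_state = 1;

void fast_seed(uint32_t seed) {
    /* xorshift32 must never hold state 0, or every output is 0 forever;
     * remap a zero seed to an arbitrary non-zero constant. */
    fast_state = seed ? seed : 0x9E3779B9u;
}

uint32_t fast_next(void) {
    uint32_t x = fast_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    fast_state = x;
    return x;
}

/* Step 1: draw the 4-byte seed from the kernel CSPRNG. Returns 1 on
 * success, 0 if /dev/urandom cannot be read. Deliberately no silent
 * fallback to a weak seed such as time(). */
int urandom_seed(uint32_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t n = fread(out, 1, sizeof *out, f);
    fclose(f);
    return n == sizeof *out;
}

/* Constructed code under test. It "crashes" (returns 0) when any drawn
 * value has its low 12 bits clear: a 1-in-4096 input that one fixed seed
 * may never produce, but a fresh seed per run soon will. */
int run_under_test(uint32_t seed, int draws) {
    fast_seed(seed);
    for (int i = 0; i < draws; i++) {
        if ((fast_next() & 0xFFFu) == 0) return 0;   /* the hypothetical bug */
    }
    return 1;
}

/* Steps 1-5: a fresh seed per iteration, written to the log *before* the
 * run so a crash mid-run still leaves the seed behind. Returns 1 and sets
 * *bad_seed when a run fails, 0 if every iteration passed, -1 if no
 * entropy source was available. */
int fuzz_loop(int iterations, int draws, uint32_t *bad_seed, FILE *log) {
    for (int i = 0; i < iterations; i++) {
        uint32_t seed;
        if (!urandom_seed(&seed)) return -1;
        if (log) fprintf(log, "seed=%08x\n", (unsigned)seed);   /* step 2 */
        if (!run_under_test(seed, draws)) {                      /* steps 3-5 */
            *bad_seed = seed;
            return 1;
        }
    }
    return 0;
}

/* Steps 6-7: with the logged seed hard-coded, the failing input is
 * regenerated exactly, which is what a fixed seed is for.
 * Returns 1 when the failure reproduces. */
int reproduce(uint32_t logged_seed, int draws) {
    return run_under_test(logged_seed, draws) == 0;
}

int main(void) {
    uint32_t bad = 0;
    int rc = fuzz_loop(100, 20000, &bad, stderr);
    if (rc < 0) { fputs("no /dev/urandom available\n", stderr); return 1; }
    if (rc == 0) { puts("no failure found"); return 0; }
    printf("failure at seed=%08x, reproducible=%d\n",
           (unsigned)bad, reproduce(bad, 20000));
    return 0;
}
```

The split is the point: the secure source is consulted once per run for the seed, so the cost of /dev/urandom never shows up in the hot loop, while the fast generator's determinism is what makes the logged seed a complete bug report. Anything that needs unpredictability rather than reproducibility (tokens, keys, nonces) should read the CSPRNG directly and never pass through `fast_next`.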