4

Another noob question, I know, but something I'm unsure about.

If I somehow magically knew the output of /dev/urandom at any given time, how much would that weaken a given encryption system? Or, perhaps, what kinds of encryption schemes would be most harmed by reducing this randomness?

user1209326
  • 295
  • 1
  • 4

3 Answers3

1

If you knew the output of /dev/urandom at all times and various keys were generated using /dev/urandom (say SSH/GPG private keys or an SSL certificates), you could in principle quickly (as in much quicker than brute-force) recreate a keypair by attempting using various states of /dev/urandom. This would effectively bypass all the security methods in place (file encryption; https; data integrity protections) that are based on those now broken keys (this attack is exactly identical to obtaining someone's private keys/certificates).

There are various other things that rely on /dev/urandom that could also break. For example, you could complete a TCP handshake from a IP address you do not control to a server with a cracked /dev/urandom as you could send a SYN, and then send an ACK and guess the server's sequence number.

Granted unless you have compromised a system to replace /dev/urandom with something else (or recorded the bits of /dev/random prior to using them), urandom is not entirely deterministic. /dev/urandom will default to using entropy collected from various hardware components and only fall back to a pseudo-random generator when more entropy is needed than has been collected.

dr jimbob
  • 38,936
  • 8
  • 92
  • 162
  • This answer seems to assume that it is feasible to enumerate the set of possible states of `/dev/urandom`. However, in practice that is not likely to be feasible (except possibly very soon after boot). `/dev/urandom`'s internal state is purposely derived from values with a large amount of entropy, exactly to defend against this sort of brute-force attack. See http://security.stackexchange.com/a/3939/971. Consequently this answer seems inaccurate or misleading. – D.W. Mar 19 '15 at 22:25
  • The correct answer is that if `/dev/urandom` has been properly seeded, knowing some outputs doesn't help predict other outputs. However, if an attacker knew the outputs of `/dev/urandom` that were used to create a keypair, then he would have everything you needed to re-derive that keypair himself and of course the crypto would become totally broken. (I assume the latter is not what the question is asking, but I mention it just for completeness.) – D.W. Mar 19 '15 at 22:26
  • Just a nitpick, but I think TCP sequence numbers are not generated using the nonblocking pool. I think it uses the `prandom_u32()` system which is based on an LFSR. – forest Apr 12 '18 at 01:02
0

Your question is funny, I'm curious to know how did you came to wonder that /dev/urandom could be predicted.

But more than that, this raise an interesting flaw, as Wikipedia mention it :

In 2004, Landon Curt Noll, Simon Cooper, and Mel Pleasant tested a variety of random number generators, including the /dev/random implementations in FreeBSD 5.2.1, Linux 2.4.21-20, Solaris 8 patch 108528-18, and Mac OS X 10.3.5.[7] They indicated that none of these /dev/random implementations were cryptographically secure because their outputs had uniformity flaws.

That said, I think it answers pretty well your question:

How much would that weaken a given encryption system?

I can't say how much, but I can say it would impact them significantly enough to not consider them as totally secure, because "none of these /dev/random implementations were cryptographically secure".

Cyril N.
  • 2,659
  • 2
  • 18
  • 28
0

Obvious answer: If your encryption is directly using the output of dev/urandom, then evaesdroppers will know yor key and then can decrypt your ciphertext as you do with your key. Of course they also need to know the initialization vector, which is also usually generated from the output of dev/urandom.

Well, there are lots of encryption schemes but if your key is relying on dev/urandom, then all of these schemes will be affected if the attacker knows the output of your dev/urandom but I don't know how to "measure the strength" of encryption schemes. I think a cryptalanyst can answer it.

About the randomness of Linux RNGs, there's a paper presented at an IEEE conference: http://eprint.iacr.org/2006/086.pdf The security holes and possible attacks are discussed here. According to their study, dev/random and dev/urandom are not "that much" secure.

On the other hand, dev/random and dev/urandom may pass randomness tests but the true randomness can only be obtained from quantum mechanics: http://www.idquantique.com/true-random-number-generator/products-overview.html

Rubi Sharmax
  • 93
  • 1
  • 5