[Cryptech Tech] SHA-2 security and RNG verification
Joachim Strömbergson
joachim at secworks.se
Fri Jun 5 08:26:59 UTC 2015
Aloha!
First, thanks for feedback, much appreciated.
Philipp Gühring wrote:
> The problem I see is the usage of SHA-512 (or SHA-256) as a random
> number mixer. SHA-512 has the property that it outputs its complete
> internal state, which causes Length-Extension-Attacks for other
> applications. For random number applications, I am worrying about the
> forward-and-backward-unguessability. Leaking the internal state can
> make it possible for attackers to guess previous or later random
> numbers from the output of random numbers, which is a property you
> definitely do not want for random number generators.
I agree that it is not a property we want. I'm trying to understand if
and how the length extension attack would work in this case.
In terms of extension: we only consume new message words when we need a
seed to the csprng. So an attacker would have to force the mixer to
start (i.e. force a reseed) and at the same time control the entropy
sources to be able to push controlled/known/guessable state into the mixer.
In terms of state guessability, as far as I understand it, you need to
break the CSPRNG. That is, by observing generated values, be able to
calculate the initial state of the CSPRNG and thus the state of the
mixer at the time of seeding. We use the stream cipher ChaCha as our
CSPRNG with 24 rounds by default (that is 4 more rounds than what is
recommended by DJB for 256-bit security).
So, based on this I don't see that length extension attacks are applicable in
this case. And that guessability would require breaking ChaCha. But let's
discuss further. This is interesting and we want to ensure that we
aren't vulnerable or that we have issues that we could fix to make our
TRNG better.
> The suggestion I have normally is to use SHA2-384 or SHA-3 instead,
> but I am not sure, whether that's the optimal choice for this
> project. SHA2-384 reveals only a part of the internal state (even
> that might be too much, I am not sure there)
Yes, only extracting part of the mixer state as seed is probably good.
An easy change would be to use SHA-384. We are extracting two 512 bit
words from the mixer to seed the CSPRNG, but we actually ditch parts of
the latter word. In total we use 896 for a complete initial state of the
csprng. So two words would be too little, but three works. A minor change.
Moving to SHA-3 is also possible and might be what we do if we decide on
changing the mixer.
> PS: I haven't noticed a submission of your generated random numbers
> on my RNG testsite yet, so I would like to invite you to use it:
> http://www.cacert.at/random/
Thanks. I'm not through with testing yet and want to ensure that we are
comfortable that we know that it produces the values we expect (when
given test patterns). But then sure.
(We are using custom tools, ent and dieharder today to verify the
entropy sources and the TRNG output.)
--
Best regards, Yours
Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
Joachim Strömbergson Secworks AB joachim at secworks.se
========================================================================
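As an added example (not Cryptech's tooling and not part of the message above): a small Python script computing the ent-style statistics the message mentions using for TRNG verification, run on constructed samples. The formulas follow the statistics ent reports; the "healthy" ranges in the comments are assumptions for a large sample.

```python
# Added example, not Cryptech code: ent-style statistics for TRNG output.
# Sample inputs are constructed (a counter pattern and OS randomness).
import math
import os
from collections import Counter

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the ideal for random bytes."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of freedom)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def arithmetic_mean(data: bytes) -> float:
    """Mean byte value; 127.5 is the ideal."""
    return sum(data) / len(data)

def serial_correlation(data: bytes) -> float:
    """Correlation of each byte with its successor (wrapping); 0.0 is the ideal."""
    n = len(data)
    x = list(data)
    y = x[1:] + x[:1]
    sx, sy = sum(x), sum(y)
    sxx, syy = sum(a * a for a in x), sum(b * b for b in y)
    sxy = sum(a * b for a, b in zip(x, y))
    denom = (n * sxx - sx * sx) * (n * syy - sy * sy)
    return (n * sxy - sx * sy) / math.sqrt(denom) if denom > 0 else 0.0

def summarize(data: bytes) -> dict:
    """Run all checks. Assumed healthy ranges for a few KiB of TRNG output:
    entropy near 8.0, chi-square roughly 255, mean near 127.5, serial corr near 0."""
    return {
        "entropy": byte_entropy(data),
        "chi_square": chi_square(data),
        "mean": arithmetic_mean(data),
        "serial_corr": serial_correlation(data),
    }

if __name__ == "__main__":
    # The counter pattern has perfect byte statistics but strong serial correlation,
    # which is why a single statistic is never enough to judge a TRNG.
    for name, sample in (("counter", bytes(range(256)) * 4), ("urandom", os.urandom(4096))):
        print(name, summarize(sample))
```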