Entropy attack: the entropy attack on hash functions

1. Definition of entropy

The main uses of random numbers are:

  • To randomly select options from a pool or range of known options.
  • To generate initialisation vectors for encryption.
  • To generate unguessable tokens or nonces for authorisation purposes.
  • To generate unique identifiers like Session IDs.

Entropy is the maximum number of distinct states a random number generator can be in at a given moment; the larger that number, the higher the entropy. Strictly it is measured in bits: a generator with N equally likely states has log2(N) bits of entropy. When the generator does not have enough states to move through, its output starts to repeat, and an attacker who can enumerate the states can predict it.

In the PHP code below, the random number generator is seeded with the user ID and the result is used as the session ID. For the same user the same session ID is produced every time, so an attacker who knows a victim's user ID can compute that user's session ID and hijack the session. The example also has a small seed space (CWE-339): user IDs are small integers, so even an attacker who does not know the ID can recover the seed from a single observed session ID by trying every candidate.

function generateSessionID($userID){
	srand($userID);   // seed the PRNG with a small, attacker-knowable value (CWE-339)
	return rand();    // deterministic: the same $userID always yields the same session ID
}
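The following is an added example, not code from the original page: it reproduces the same flaw in Python, with a seeded Mersenne Twister standing in for PHP's srand()/rand(), shows the attacker recovering the seed (the user ID) from one observed session ID by searching the small seed space, and contrasts it with an identifier drawn from the OS CSPRNG. The victim ID 4242 and the search bound are constructed for the demonstration.

```python
import random
import secrets

# Constructed stand-in for the page's PHP: Python's seeded Mersenne Twister plays
# the role of srand()/rand(). The flaw is identical: the only "entropy" is the
# user ID, a small integer the attacker knows or can enumerate (CWE-339).
def generate_session_id(user_id: int) -> int:
    rng = random.Random(user_id)      # seed = user ID
    # 64 bits of output does not help: the output width is irrelevant when the
    # seed space is tiny. Same user ID -> same session ID, forever.
    return rng.getrandbits(64)

# Attacker side. Knowing the victim's user ID is enough to recompute the ID;
# even without it, the seed space is so small that one observed session ID can
# be matched against every candidate seed in seconds.
def recover_user_id(observed_session_id: int, max_user_id: int = 100_000):
    for candidate in range(max_user_id + 1):
        if generate_session_id(candidate) == observed_session_id:
            return candidate
    return None     # not found in the searched seed space

# Hardened version: draw the identifier from the OS CSPRNG and never seed it
# from application data. 128 bits of randomness, so IDs do not collide and
# observing one ID tells the attacker nothing about any other.
def generate_session_id_secure() -> str:
    return secrets.token_hex(16)

if __name__ == "__main__":
    victim_id = 4242                         # constructed victim
    sid = generate_session_id(victim_id)
    print("victim session id :", sid)
    print("recovered user id :", recover_user_id(sid))
    print("secure session id :", generate_session_id_secure())
```

The brute force runs at the speed of PRNG seeding, so a seed space of a few million user IDs falls in seconds; the fix is not a wider output but a seed the attacker cannot enumerate, which is what `secrets` provides.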

2. The entropy attack on hash functions

Let the hash function be $H$. The conventional wisdom is that, whatever the value of $z$, $H(x, y, z)$ is at least as random as $H(x, y)$: mixing in one more source can only help.
But if $z$ comes from a malicious source that can observe the values of $x$ and $y$ before it has to answer, an entropy attack becomes possible.

A simple entropy attack mounted through $z$:
1) Generate a random number $r$.
2) Compute $H(x, y, r)$.
3) If $H(x, y, r)$ does not begin with the bits 0000, go back to step 1).
4) Output $z = r$.

Whatever the values of $x$ and $y$, this attack forces $H(x, y, z)$ to begin with 0000. It is also cheap: each trial succeeds with probability $1/16$, so on average only 16 evaluations of $H$ are needed before $H(x, y, z)$ begins with 0000 (in general, forcing $k$ leading bits costs about $2^k$ evaluations).
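The four-step procedure above, as an added example that is not part of the original post. It uses SHA-256 over length-prefixed inputs as a stand-in for the abstract $H$, generalises the 4-bit target to $k$ bits, and measures how many evaluations of $H$ the malicious source spends; the honest inputs $x$ and $y$ are constructed with `os.urandom` so the attacker cannot know them in advance.

```python
import hashlib
import os

def H(x: bytes, y: bytes, z: bytes) -> bytes:
    """Stand-in for the abstract H(x, y, z): SHA-256 over a length-prefixed
    encoding of the three inputs (so the x||y||z boundaries are unambiguous)."""
    def enc(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return hashlib.sha256(enc(x) + enc(y) + enc(z)).digest()

def leading_zero_bits(digest: bytes, k: int) -> bool:
    """True if the first k bits of the digest are all zero (k <= 8 here)."""
    return digest[0] >> (8 - k) == 0

def malicious_z(x: bytes, y: bytes, k: int = 4) -> tuple:
    """Steps 1)-4) of the text, generalised from 4 to k bits: the malicious
    source sees x and y and grinds a fresh r until H(x, y, r) begins with k
    zero bits. Returns (z, number of H evaluations spent)."""
    tries = 0
    while True:
        r = os.urandom(16)                  # step 1: attacker's private randomness
        tries += 1
        if leading_zero_bits(H(x, y, r), k):  # steps 2-3: test the prefix, else retry
            return r, tries                 # step 4: output z = r

def run_attack(k: int = 4, runs: int = 1000) -> tuple:
    """Repeat the attack with fresh honest inputs x, y each time. Returns
    (every output began with k zero bits, mean number of H evaluations)."""
    all_forced = True
    total = 0
    for _ in range(runs):
        x, y = os.urandom(16), os.urandom(16)   # honest sources, unknown beforehand
        z, tries = malicious_z(x, y, k)
        total += tries
        all_forced &= leading_zero_bits(H(x, y, z), k)
    return all_forced, total / runs

if __name__ == "__main__":
    forced, mean_tries = run_attack(k=4)
    print(f"prefix forced: {forced}, mean H evaluations: {mean_tries:.1f} (expected 2^4 = 16)")
    # If H(x, y, z) is then used as a signature nonce, its top four bits are
    # known to the attacker: exactly the partial-nonce leak quoted below.
```

The attacker does not need to predict the output, only to reject outputs it dislikes, which is why seeing $x$ and $y$ before committing to $z$ is the whole attack; the mean number of trials is the geometric-distribution cost $2^k$, not the work to invert $H$.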

It’s well known (see, e.g., http://www.isg.rhul.ac.uk/~sdg/igor-slides.pdf) that an attacker who can predict the first 4 bits of each nonce can quickly compute the user’s secret key after a rather small number of signatures. Evidently hashing an extra entropy source does hurt—in the worst possible way; the attacker has the user’s secret key!—contrary to the conventional wisdom stated above.

3. Countermeasures against entropy attacks

Quoted from: https://blog.cr.yp.to/20140205-entropy.html

  • Read less-likely-to-be-malicious entropy sources after completing all reading of the more-likely-to-be-malicious entropy sources. Of course, this doesn’t help if the last source turns out to be malicious.
  • Increase the amount of processing, memory, etc. involved in H—as in hashcash, proofs of work in general, password hashing, etc. The costs are negligible, since all of this is done only once.

Let me emphasize that what I’m advocating here, for security reasons, is a sharp transition between

  • before crypto: the whole system collecting enough entropy;
  • after: the system using purely deterministic cryptography, never adding any more entropy.
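As an added illustration of the first countermeasure and of the "sharp transition" above (example code, not the blog author's): the same grinding attacker is run in two read orders. When the suspect source is read last it sees both honest inputs and forces the seed's prefix every time; when it is read first it must commit before the trusted source is drawn, and the prefix bias disappears. The `DeterministicDRBG` class is an illustrative HMAC-SHA256 counter generator for the "after" phase, where no further input is ever mixed in; it is not NIST HMAC_DRBG and is not meant for production. The source names and the use of SHA-256 are assumptions of this example.

```python
import hashlib
import hmac
import os

def enc(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed inputs, standing in for the abstract H."""
    return hashlib.sha256(b"".join(enc(p) for p in parts)).digest()

def zero_nibble(d: bytes) -> bool:
    return d[0] >> 4 == 0

def malicious_source(seen: tuple) -> bytes:
    """The grinding attacker: it may use everything already read (`seen`) and
    searches r until H(*seen, r) begins with 0000."""
    while True:
        r = os.urandom(16)
        if zero_nibble(H(*seen, r)):
            return r

def seed_malicious_last() -> bytes:
    """Vulnerable order: honest sources x, y are read first, the suspect source
    last, so it sees x and y and can force the seed's prefix."""
    x, y = os.urandom(16), os.urandom(16)
    z = malicious_source((x, y))
    return H(x, y, z)

def seed_malicious_first() -> bytes:
    """Hardened order: the suspect source is read before the trusted one. It can
    still grind against x, but y is drawn after z is committed, so the final
    hash is unpredictable to the attacker."""
    x = os.urandom(16)
    z = malicious_source((x,))
    y = os.urandom(16)          # trusted source read AFTER the suspect one
    return H(x, z, y)

def zero_prefix_rate(seed_fn, trials: int = 2000) -> float:
    """Fraction of seeds whose first four bits are 0000 (about 1/16 if unbiased)."""
    return sum(zero_nibble(seed_fn()) for _ in range(trials)) / trials

class DeterministicDRBG:
    """The 'after' phase: once seeded, every output is a pure function of the
    seed and no further input is ever mixed in, so there is no later source for
    an attacker to grind. Illustrative HMAC-SHA256 counter construction only."""
    def __init__(self, seed: bytes):
        self._key = hmac.new(b"drbg-key", seed, hashlib.sha256).digest()
        self._counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
            self._counter += 1
        return out[:n]

if __name__ == "__main__":
    print("suspect source read last :", zero_prefix_rate(seed_malicious_last))   # 1.0
    print("suspect source read first:", zero_prefix_rate(seed_malicious_first))  # ~0.06
    a, b = DeterministicDRBG(b"seed"), DeterministicDRBG(b"seed")
    print("deterministic after seeding:", a.generate(32) == b.generate(32))
```

Reordering only helps if the last source really is honest, as the quoted caveat says; the second countermeasure (an expensive $H$) does not change these rates but multiplies the attacker's $2^k$ evaluations by the cost of each one while the honest system pays that cost once.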

References:
[1] https://blog.cr.yp.to/20140205-entropy.html
[2] https://books.google.co.jp/books?id=8njTBwAAQBAJ&pg=PA187&lpg=PA187&dq=bad-entropy+attack&source=bl&ots=kpp45BfaBl&sig=ACfU3U2u3m917zYTnuiz8n3id418b9Ewug&hl=zh-CN&sa=X&ved=2ahUKEwjf3tuSy8XkAhUMr6QKHaQQA7sQ6AEwBnoECAkQAQ#v=onepage&q=bad-entropy%20attack&f=false
[3] https://cwe.mitre.org/data/definitions/331.html
[4] https://security.stackexchange.com/questions/94684/attacks-on-keys-generated-with-low-entropy
[5] https://security.stackexchange.com/questions/94646/how-much-entropy-is-good-enough-for-seeding-a-csprng
[6] http://www.isg.rhul.ac.uk/~sdg/igor-slides.pdf
