DEF CON 22 - Dan Kaminsky - Secure Random by Default

Views: 89,827

DEFCONConference

9 years ago

Secure Random By Default
Dan Kaminsky Chief Scientist, White Ops
As a general rule in security, we have learned that the best way to achieve security is to enable it by default. However, across operating systems and languages, random number generation is always exposed via two separate and most assuredly unequal APIs -- insecure and default, and secure but obscure.
Why not fix this? Why not make JavaScript and PHP and Java and Python and even libc rand() return strong entropy? What are the issues stopping us? Should we just shell back to /dev/urandom, or is there merit to userspace entropy gathering? How does fork() and virtualization impact the question? What of performance, and memory consumption, and headless machines?
Turns out the above questions are not actually rhetorical. Just because a change might be a good idea doesn't mean it's a simple one. This will be a deep dive, but one that I believe will actually yield a fix for the repeated real world failures of random number generation systems.
Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases.
Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.
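What the abstract's fork() question looks like in practice, as an added example in Python (not code from the talk): a userspace generator whose state is copied by fork() hands the same stream to parent and child, a fresh read from the kernel does not, and a pid check is one mitigation some userspace libraries have used. The seed values are constructed, and the code requires os.fork(), so a POSIX system. CPython 3.7+ reseeds the module-level random functions after fork via an at-fork hook, but it cannot do that for generator instances the application constructs itself, which is the case shown here.

```python
# Added example (not from the talk): what fork() does to a userspace PRNG
# versus a fresh read from the kernel pool, and a pid-based reseed mitigation.
import os
import random
import struct


def _fork_and_compare(produce):
    """Fork, call produce() once in the parent and once in the child, and
    return (parent_value, child_value).  produce() must return a 64-bit int.
    Requires os.fork(), i.e. a POSIX platform."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                      # child: inherits a byte-for-byte copy of memory
        os.close(read_end)
        os.write(write_end, struct.pack(">Q", produce()))
        os.close(write_end)
        os._exit(0)
    os.close(write_end)               # parent
    parent_value = produce()
    child_value = struct.unpack(">Q", os.read(read_end, 8))[0]
    os.close(read_end)
    os.waitpid(pid, 0)
    return parent_value, child_value


def userspace_prng_after_fork(seed=1234):
    """An application-owned generator instance: its state is copied by fork(),
    so parent and child emit the same stream from the fork point on."""
    rng = random.Random(seed)         # seed value is arbitrary (constructed)
    rng.getrandbits(64)               # warm up, as a long-running server would have
    return _fork_and_compare(lambda: rng.getrandbits(64))


def kernel_rng_after_fork():
    """Each call asks the kernel, so there is no state for fork() to duplicate."""
    return _fork_and_compare(lambda: int.from_bytes(os.urandom(8), "big"))


def pid_checked_prng_after_fork(seed=1234):
    """Mitigation used by some userspace libraries: remember the owning pid and
    reseed from the kernel when it changes.  (pid reuse makes this imperfect.)"""
    rng = random.Random(seed)
    owner = os.getpid()

    def produce():
        nonlocal owner
        if os.getpid() != owner:      # we are running in a forked child
            rng.seed(int.from_bytes(os.urandom(32), "big"))
            owner = os.getpid()
        return rng.getrandbits(64)

    return _fork_and_compare(produce)


if __name__ == "__main__":
    for name, fn in [("userspace PRNG", userspace_prng_after_fork),
                     ("kernel pool", kernel_rng_after_fork),
                     ("pid-checked PRNG", pid_checked_prng_after_fork)]:
        parent, child = fn()
        print(f"{name:17s} parent={parent:016x} child={child:016x} "
              f"{'SAME' if parent == child else 'different'}")
```

The pid check is only a patch: the better answer the abstract is driving at is to stop keeping long-lived secret state in userspace at all and let every consumer draw from the kernel's pool, which is exactly the "shell back to /dev/urandom" option it raises.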

Comments: 93
@lukeomatik, 3 years ago
I didn't know who this guy was. I read about his death, I searched for some video about him and found this talk. 8 minutes later, I already miss him. RIP
@thewu-flu1656, 4 years ago
I WANT DOUBLE OF WHATEVER HE'S ON!! This guy's positive attitude is legendary
@RSMCx1, 3 years ago
RIP Dan, legend...
@Eedelia01, 8 years ago
This guy makes me *reaaally* want to go to Def Con.
@iansullivan9738, 5 years ago
There are many differences between bricks and hard drives. You can make a very structurally sound building from bricks. Bugs kill hard drives, bricks kill bugs. If you smack a brick with a sledgehammer, you get several pieces of brick; if you try that with a hard drive, you get a slightly scratched hard drive. Bricks cannot act as a substitute for a hard drive, whereas Western Digital HDs are almost guaranteed to become a replacement brick as soon as the warranty expires. Data stored on a brick, via chiseling, is likely to last decades, if not generations. Data stored on most HDs is likely to be lost due to a fragged drive within five to ten years. TL;DR Anyone want to invest in a new Brick Data Drive? I think I'm on to something.
@autohmae, 5 years ago
I'm afraid to use your product, I'm afraid I end up bricking the device.
@JamesChurchill3, 1 year ago
Any building made from hard drives will be prone to random structural failure.
@originaldk5436, 4 years ago
Anyone else not know half of what he says but still enjoys it?
@jody5661, 2 years ago
I'm gonna miss this guy and his crazy, awesome, crazy awesome talks
@liam5moriarty, 7 months ago
This man will forever be a legend. RIP Dan
@Soulflare3, 9 years ago
DEF CON At 13:11 "rapping stringle" is actually "a rat being strangled" and at 13:34 the artist's name that he is referring to is Lindsey Stirling. These are with the English transcript.
@HOUSEWARMING, 1 year ago
@19:20 "It overflows back to zero" was the nerdiest thing I heard all day and I love it.
@suntracker844, 10 months ago
RIP Dan miss you
@XX-wi3qj, 4 years ago
When programming my game I liked being able to put the seed somewhere my playtesters could see it, so if there was a problem with the map generation or something they could give me that seed and I could step through with the same data set they were using. This helped me see and solve issues many times, so seeding an RNG isn't a bad thing all the time: bad for security, sure, but there are times when it is useful.
@hellterminator, 8 years ago
Here's how I test my C programs with random input:
1. Read 4 bytes from /dev/urandom.
2. Print those 4 bytes in a log.
3. Seed glibc's LFSR with them.
4. Run.
5. If everything went OK, go back to step 1, else continue.
6. Hardcode the seed which caused the crash into the program.
7. Fix the problem.
8. Go back to step 1.
Fixed seeds are not for finding problems, they're for reproducing problems so that you can study them and fix them. Also when I'm testing an algorithm, I don't need a CSPRNG, I need a fast PRNG. In fact, in most cases (like when a game AI is doing a random decision) you don't _need_ a CSPRNG. What you need is speed. I agree that CSPRNGs should be more readily available. Hell, I wouldn't even object to them being the default (better a slow game than an insecure banking application) but things like LFSRs still do have their place.
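The loop in the comment above, as an added example in Python rather than C (not the commenter's code): the seed comes from the kernel, is logged before the run, and drives a fast deterministic PRNG, so a crash can be replayed from the logged seed alone. The toy parser and its length-prefix bug are constructed for the example; `parse_record_fixed` is the corrected version, and the names `fuzz_once`, `fuzz_campaign` and `replay` are this example's own.

```python
# Added example (not the commenter's code): a reproducible random-input test loop.
import logging
import os
import random
from dataclasses import dataclass
from typing import Callable, List, Optional

log = logging.getLogger("fuzz")


@dataclass
class Outcome:
    seed: int                        # the only thing you need to log to reproduce the run
    data: bytes                      # the input the seed produced
    error: Optional[BaseException]   # None when the target behaved


def parse_record(buf: bytes) -> bytes:
    """Constructed toy parser: a length byte, the body, then a zero terminator.
    Deliberate bug: it trusts the length byte and indexes past the end of buf."""
    if not buf:
        raise ValueError("empty record")           # rejecting input is fine
    n = buf[0]
    if buf[1 + n] != 0:                            # IndexError on short input
        raise ValueError("missing terminator")
    return buf[1:1 + n]


def parse_record_fixed(buf: bytes) -> bytes:
    """Same format with the bounds check the buggy version lacks."""
    if len(buf) < 1 or len(buf) < buf[0] + 2:
        raise ValueError("truncated record")
    n = buf[0]
    if buf[1 + n] != 0:
        raise ValueError("missing terminator")
    return buf[1:1 + n]


def new_seed() -> int:
    """Step 1: 4 bytes from the kernel pool, not from the clock."""
    return int.from_bytes(os.urandom(4), "big")


def gen_input(rng: random.Random) -> bytes:
    """Derive the test input from a fast, deterministic PRNG (steps 3 and 4)."""
    return bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 8)))


def fuzz_once(target: Callable[[bytes], object], seed: Optional[int] = None) -> Outcome:
    if seed is None:
        seed = new_seed()
    log.info("seed=%d", seed)                      # step 2: record before running
    data = gen_input(random.Random(seed))
    try:
        target(data)
    except ValueError:
        return Outcome(seed, data, None)           # an expected rejection
    except Exception as exc:                       # anything else is a bug
        return Outcome(seed, data, exc)
    return Outcome(seed, data, None)


def fuzz_campaign(target, rounds: int = 200) -> List[Outcome]:
    """Steps 1 to 5 repeated: return the outcomes whose seeds need investigating."""
    return [o for o in (fuzz_once(target) for _ in range(rounds)) if o.error is not None]


def replay(target, seed: int) -> Outcome:
    """Step 6: the logged seed alone regenerates the crashing input."""
    return fuzz_once(target, seed)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    crashes = fuzz_campaign(parse_record)
    if crashes:
        first = crashes[0]
        again = replay(parse_record, first.seed)
        print(f"seed {first.seed}: {type(again.error).__name__} on {again.data!r}, "
              f"reproduced={again.data == first.data}")
    print("fixed parser crashes:", len(fuzz_campaign(parse_record_fixed)))
```

The split the comment makes is the one that matters: the seed is the only value that has to be unpredictable across runs, so it is the only value drawn from the kernel, while everything derived from it may come from a fast PRNG because its job is reproducibility, not secrecy.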
@tonytshoot567, 5 years ago
Also, a security first in gaming approach would assist in defending against cheaters (game hackers).
@moth.monster, 5 years ago
@@tonytshoot567 That only really matters in an online multiplayer situation, where the hackers would bother with tweaking some other part instead of trying to manipulate RNG. RNG manipulation only really happens in tool-assisted speedruns, which are a singleplayer (or local multiplayer) only thing.
@jrvanwhy, 5 years ago
Consider also that accidentally using a slow CSPRNG when you need a fast PRNG will generally get noticed ("why is my Monte Carlo method really slow") but using an insecure PRNG when you need a CSPRNG can go unnoticed for years.
@linuxguy1199, 4 years ago
or have 2 random functions, cryptographicallySecureRandom() and fastRandom() instead of just random()
@jrvanwhy, 4 years ago
@@linuxguy1199 Perhaps call them SecureRandom() and InsecureFastRandom(). You don't want someone seeing "fastRandom" and thinking "of course I want a fast random, why wouldn't I?". The key point is to prevent unaware programmers from choosing the insecure option.
@thorlancaster5641, 4 years ago
26:00 "No keyboard, no mouse, no disk, no entropy". There are often a lot of other ways to generate entropy - repeatedly reading the LSB from any noisy ADC will do. Voltage and temperature sensors are prime examples, and lots of processors have them.
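Reading a sensor's least significant bit is only the first step: raw LSBs are biased and a sensor can get stuck, so a real design conditions the bits and health-checks the source. As an added example (not the commenter's code), here is a von Neumann debiaser and an SP 800-90B style repetition count test run over a simulated noisy ADC; the sensor is a constructed Bernoulli source driven by a seeded PRNG so the example runs offline, and the claimed entropy per sample (0.5 bits) is an assumed figure.

```python
# Added example (not the commenter's code): conditioning noisy sensor LSBs into
# usable entropy, with a health test that catches a stuck source.
import math
import random
from typing import Iterable, Iterator, List, Tuple


def simulated_adc_lsbs(n: int, p_one: float, seed: int = 7) -> List[int]:
    """Constructed stand-in for reading a noisy ADC's least significant bit n
    times: each read is 1 with probability p_one (a real sensor is biased too)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann_debias(bits: Iterable[int]) -> Iterator[int]:
    """Consume raw bits in pairs: 01 -> 0, 10 -> 1, 00 and 11 are discarded.
    Output is unbiased if the input bits are independent, whatever the bias,
    at the cost of throwing away more than half of the raw bits."""
    it = iter(bits)
    for a in it:
        b = next(it, None)
        if b is None:
            return
        if a != b:
            yield a


def rct_cutoff(h_per_sample: float, alpha_log2: int = 20) -> int:
    """Repetition count cutoff C = 1 + ceil(-log2(alpha) / H) from SP 800-90B,
    with alpha = 2^-20 and H the claimed min-entropy per sample."""
    return 1 + math.ceil(alpha_log2 / h_per_sample)


def repetition_count_test(bits: Iterable[int], cutoff: int) -> bool:
    """Fail if any value repeats `cutoff` or more times in a row, which for a
    source with the claimed entropy is vanishingly unlikely unless it is stuck."""
    run, prev = 0, None
    for b in bits:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= cutoff:
            return False
    return True


def condition(raw: List[int], h_claimed: float = 0.5) -> Tuple[bool, List[int]]:
    """Health-test the raw stream, then debias it.  Returns (healthy, output)."""
    if not repetition_count_test(raw, rct_cutoff(h_claimed)):
        return False, []                 # refuse to emit anything from a dead source
    return True, list(von_neumann_debias(raw))


def bias(bits: List[int]) -> float:
    return sum(bits) / len(bits) if bits else float("nan")


if __name__ == "__main__":
    raw = simulated_adc_lsbs(20000, p_one=0.6)
    ok, out = condition(raw)
    print(f"raw bias={bias(raw):.3f} healthy={ok} out bias={bias(out):.3f} "
          f"yield={len(out)}/{len(raw)}")
    print("stuck source healthy:", condition([1] * 200)[0])
```

In a production design the debiased output would still be fed through a cryptographic conditioner (a hash or a keyed PRF) and a continuous health test rather than used directly; the point of the example is that "read the LSB" is the raw source, not the random number.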
@user-gr5do8nk7e, 6 years ago
I'm 3 minutes in and I already know I'm gonna love this talk
@njoubert, 3 years ago
Rest in Peace Dan, we miss you! You left us too soon
@antfry256, 5 years ago
This guy is hilarious, love the video! Thank you kind sir.
@WackoMcGoose, 7 months ago
You could make an entire DEF CON spinoff conference just from the *_Security Through Obscurity_* talks.
@ninoman123, 6 years ago
Love this guy
@DrewWalton, 2 years ago
This is a cat. In a shark costume. On a Roomba. Chasing a duck. FUCK YEAH!!!
@westonhecker4911, 9 years ago
It was Wesley McGrew that hunts pineapples :-)
@DanHaiduc, 5 years ago
About remembering passwords as stories (Storybits): you could use Word2Vec, so that similar words get corrected; i.e. if you remember France but it was actually Spain (same category, and related country)
@ProfessorSyndicateFranklai, 5 years ago
@SaltyBrains Close enough, it's only less than a meter off, which in the grand scheme of 10^6 m being the radius of the earth is pretty accurate.
@FreeFireFull, 3 years ago
Rest in peace, Dan
@thisrocks, 5 years ago
So worth watching
@user-yy2zz7wk1z, 4 years ago
THIS GUY is my hero.
@olehermanse, 5 years ago
47:30 him saying "a series" triggers the "Hey, Siri" functionality on iPhones.
@numnut1516, 5 years ago
olehermanse you should really disable that. It’s not safe
@opiniondiscarded6650, 5 years ago
That's severely triggering
@karlkoch9324, 5 years ago
Great talk
@unfa00, 5 years ago
Great talk! I just wish the mic had a high-pass filter to remove all the popping from the blowing air.
@ROTTERDXM, 4 years ago
I think what it needs is a pop filter. :)
@wilwilson8146, 2 years ago
I love/hate the way they interrupt new speakers mid word to force booze on them. Lol
@RTPTechTips, 4 years ago
Great talk by a skilled presenter 😄
@zoenagy9458, 1 year ago
Ryan is still a MAN here!
@hellterminator, 8 years ago
How about zeroing out freed memory? I don't mean immediately. Just keep the memory allocated until there's low activity, then zero it out and _then_ return it to the system. Can't really exploit a bunch of zeros.
@richardvaughn2705, 6 years ago
Memory is zeroed out by the system calls on Windows and Linux etc. when you allocate a new page (handled transparently by libc when you call malloc or new to increase the size of the heap). To access things stored in the memory of another process you have to use extraordinary means: read physical memory directly without using system calls, or escalate privileges to use built-in system calls for peeking into another process's address space, or use hardware to view memory using DMA or PCIe. If something exists in memory anywhere on the system then it can be viewed by malware. It doesn't have to wait on you to release it to the system.
@TristynRusselo, 3 years ago
Apple hears your claim of "overly trusting devices within your computers" and raises you a "secure battery controller", "secure fingerprint sensor", "secure displays". Fuck repairability.
@namenloss730, 5 years ago
I use random for graphics (e.g. ray tracing). I really don't care about security, and I really don't care if it's truly random; I do care that I can get as many as possible as fast as possible
@moth.monster, 5 years ago
That's why PRNG is good for some stuff. But not all stuff.
@ayyjayy5018, 3 years ago
RIP Dan
@zoenagy9458, 1 year ago
????
@ayyjayy5018, 1 year ago
@@zoenagy9458 he died in 2021 unfortunately
@greencoder1594, 4 years ago
[39:12] «If you integrate time, it turns out empirically, that it's a pain in the butt to get two things to happen at exactly the same CPU nanosecond. It's not that it can't… it's that it _won't_. That's a good thing!»
@andreassjoberg3145, 5 years ago
How hard is it to make a TRUE RANDOM number generator hardware for our motherboards? What is the cost ? 1$ per motherboard? 10$ ? 10 cent?
@mrbanditoxyz, 4 years ago
A current method is to use the physics of FPGAs - the physics of the base silicon cells introduces enough randomness. Folks have been doing this for a few years - mainly selling to the gaming industry. They would need, because they have the patents, to decide to get into the PC motherboard biz, develop/port the tech to a small FPGA, and work with PC motherboard manufacturers.
@johnfrancisdoe1563, 4 years ago
Andreas Sjöberg There have been many successful projects building a TRNG out of a few spare transistors in a corner of a main chip with a really nice interface. But it often becomes discontinued or discredited after very few years with no official explanation. 20 years ago, Intel put theirs in the BIOS flash chip and VIA put theirs in the CPU. Then both were discontinued. Now Intel and AMD have put it in the CPU, if you trust it not to be backdoored.
@FennecTECH, 1 year ago
THERE ARE SO MANY CREVASSES
@iisthphir, 5 years ago
Phew, good thing I use Western Digitals
@instagib783, 3 years ago
I've been watching webinars for e-commerce entrepreneur gurus, and they all bother me for some unknown reason. At 14:56, Dan hits the nail on the head. It turns out that I believe internet millionaires are parasites.
@linuxguy1199, 4 years ago
Noise source + RTL SDR + Custom kernel module = Hardware entropy generator
@johnfrancisdoe1563, 4 years ago
linuxguy 11 Now how to get billions of uncompromised RTL SDRs and connect them in an uncompromisable way to the CPUs in 1 billion machines, many of them different ...
@makilgore06, 5 years ago
What was he doing that he needed a five layer threshold security ACTUALLY IMPLEMENTED
@ped7g, 5 years ago
do you really believe you can find out, and be still alive next day? :D
@Stierguy1, 5 years ago
jemalloc -> jecalloc qed
@ShroudedWolf51, 5 years ago
Apple bug reports....yeah, they aren't actually going to pay attention to those. Their app approval process confirmed that.
@jimjimx5418, 4 years ago
He claims to use Unix, but if he does a fresh, cold boot, the Microsoft logo comes up.
@connorhorman, 5 years ago
Non-CS PRNGs are useful when you DON'T need secure random numbers. Especially java.util.Random, which is basically my go-to generator, and I am writing a Game General Specification that depends on the algorithm specified by java.util.Random for consistency.
@connorhorman, 5 years ago
Also the above generator is easy to write in any decent language and exactly how it works is explicitly detailed in the API Documentation.
@NatalieSpa888, 9 years ago
Sex, drugs and rock & roll baby!!!!! I miss music:-(( *wah*
@autohmae, 5 years ago
F-ing amazing: media.ccc.de/v/24c3-2393-en-dns_rebinding_packet_tricks :-)
@mishasawangwan6652, 4 years ago
this dude will pwn u.. and pwn u persistently ... 1337 h@x0|2 ... re-zpek.. out
@NatalieSpa888, 9 years ago
Warped Roadies \o/
@opiniondiscarded6650, 5 years ago
1:20:56 I'm already tracer
@FennecTECH, 9 years ago
Wireless routers have a FUCKING RADIO. I mean, why are they not getting entropy from the radio? CBR is a wonderful source of entropy
@FennecTECH, 9 years ago
Is there ONE good reason not to use the radio as an entropy source?
@vctrhtr, 9 years ago
***** computationally inefficient & has low rand function output bandwidth. By analogy, you can flip a coin to get randomness and there are more coin-flippers out there than there are wireless routers. Most existing issues aren't there because of bandwidth trade-offs though, crappy generators like LFSRs are used for applications that could do with simple and more secure dev/rand or such.. It's sloth, it's irresponsible, it's crappy engineering, and that's basically what Dan is trying to get people to notice.
@FennecTECH, 9 years ago
Ahh, that makes a lot of sense *satisfied* seemed like a good idea in my head
@FennecTECH, 8 years ago
We could at least use the radio in the process of generating to pull our initial values
@FennecTECH, 7 years ago
It's still better than the horrid PRNGs we use today
@ShubhamBhushanCC, 5 years ago
Gilfoyle?
@rockrid3r, 9 months ago
Neshi?
@Luxter77, 6 years ago
This guy is PewDiePie but hacker!
@eurosat7, 5 years ago
50:10 I think it is an interesting idea. // Been to github at ryancdotorg/storybits -- looks sad :(
@Nodws, 9 years ago
wow Pewdiepie is a hacker?
@thekornreeper, 5 years ago
nodws , he hacked our hearts :3
@InvalidPersistentName, 5 years ago
Rise, 9 year olds! @@thekornreeper
@Marienkarpfen, 5 years ago
1:22:00
@thechosenone729, 5 years ago
1. Very good presentation, I enjoyed it. 2. He needs to put down dat fake hair and go shave his whole head completely, grow a little bit of beard and he will look just cool enough.
@FusionDeveloper, 4 years ago
Great talk