About Random Number Security

Source: Internet
Author: User
0x00 About Random Number Security


I talked to my friends about an interesting phenomenon. During the school recruitment interviews in the last two years, most of my students did not have any basic cryptographic knowledge, even those with some penetration skills.

Therefore, I would like to share with you some basic cryptography knowledge that does not involve algorithm implementation. It is more related to common vulnerability scenarios, to make the problem easier to understand.

This article mainly talks about random numbers. Random numbers are used very widely and can be said to be the basis of cryptographic technology.

Improper use of random numbers may lead to some serious security problems, and these security problems are usually hidden.

0x01 Random number overview

Random numbers are widely used in computer applications, and the most well-known is their application in cryptography. This article mainly describes some Web security risks caused by random number usage.

Let's take a look at the random number.



Category

Random numbers are divided into true random numbers and pseudo-random numbers. Our programs use pseudo-random numbers. Pseudo-random numbers are in turn divided into strong pseudo-random numbers and weak pseudo-random numbers.

  1. True random numbers: obtained through physical experiments, such as coin tossing, dice, spinning wheels, noise from electronic components, nuclear fission, etc.

  2. Pseudo-random numbers: obtained from an algorithm and a seed. What software implements is pseudo-random numbers.

    1. Strong pseudo-random numbers: unpredictable random numbers

    2. Weak pseudo-random numbers: random numbers that are easy to predict

Features

A random number has three features:

  1. Randomness: there is no statistical bias; the sequence is completely disordered.

  2. Unpredictability: the next number cannot be inferred from the past sequence.

  3. Non-reproducibility: the same sequence cannot be reproduced unless the sequence itself is saved.

These features map onto the classification of random numbers. Weak pseudo-random numbers only need to satisfy randomness, strong pseudo-random numbers must satisfy randomness and unpredictability, and true random numbers must satisfy all three features at the same time.

The feature that decides whether security problems arise is unpredictability.

Generation of pseudo-random numbers

Our common software and applications implement pseudo-random numbers, so the focus of this article is pseudo-random numbers.

A pseudo-random number generator is generally implemented as algorithm + seed.

Specific pseudo-random number generators (PRNGs) generally include:

  1. Linear congruential method

  2. One-way hash function method

  3. Cipher-based method

  4. ANSI X9.17

The linear congruential method is the one most commonly used. For example, the rand function of the C library and Java's java.util.Random class both use the linear congruential method to generate random numbers.
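Why a linear congruential generator fails the unpredictability requirement, as an added example that is not part of the original article: a Python port of the generator documented for java.util.Random (multiplier 0x5DEECE66D, increment 0xB, 48-bit state). The class and function names are hypothetical. Each 32-bit output is the top 32 bits of the state, so only 16 bits stay hidden and two consecutive outputs determine everything that follows.

```python
# Added example: port of the LCG documented for java.util.Random.
MULT, INC, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


class JavaLCG:
    def __init__(self, seed):
        # The documented constructor scrambles the seed with the multiplier.
        self.state = (seed ^ MULT) & MASK

    def next_int(self):
        # Advance the 48-bit state; the output is its top 32 bits, signed.
        self.state = (self.state * MULT + INC) & MASK
        out = self.state >> 16
        return out - (1 << 32) if out >= (1 << 31) else out


def recover_state(first, second):
    """Return the generator state right after `first`, or None."""
    high = (first & 0xFFFFFFFF) << 16
    for low in range(1 << 16):              # only 16 bits are hidden
        state = high | low
        nxt = ((state * MULT + INC) & MASK) >> 16
        if nxt == (second & 0xFFFFFFFF):
            return state
    return None


def predict_next(first, second):
    """Predict the output that follows two observed consecutive outputs."""
    state = recover_state(first, second)
    if state is None:
        raise ValueError("outputs are not consecutive values of this LCG")
    clone = JavaLCG(0)
    clone.state = (state * MULT + INC) & MASK   # state right after `second`
    return clone.next_int()


if __name__ == "__main__":
    gen = JavaLCG(42)                            # constructed sample seed
    a, b, c = gen.next_int(), gen.next_int(), gen.next_int()
    print("same seed, same sequence:", JavaLCG(42).next_int() == a)
    print("third output predicted:", predict_next(a, b) == c)
```

A value issued as a token or session ID therefore reveals the values issued after it, which is why such generators satisfy only the randomness feature.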

Application scenarios

Random numbers are widely used. The following are common scenarios for random numbers:

  • Verification code generation

  • Lottery activity

  • UUID generation

  • SessionID generation

  • Token Generation

    • CSRF Token

    • Password-retrieval token

  • Games (generation of random elements)

    • Shuffling

    • Sequence of specific shapes in Tetris

    • Equipment drops in games

  • Cryptographic application scenarios

    • Key generation: symmetric ciphers, message authentication

    • Key pair generation: public-key cryptography, digital signatures

    • IV generation: the CBC, CFB, and OFB modes of block ciphers

    • Nonce generation: used to defend against replay attacks; the CTR mode of block ciphers

    • Salt generation: used for password-based encryption (PBE) and so on

0x02 Security of random numbers

Compared with other cryptographic technologies, random numbers rarely get attention. However, random numbers are very important in cryptographic technologies and computer applications. Incorrect use of random numbers can lead to a series of security problems.

Security risks of random numbers

There are two kinds of security problems caused by random numbers.

  1. A random number should be used, but no random number is used;

  2. A strong pseudo-random number should be used, but the developer uses a weak pseudo-random number.

The first case, in simple terms: a random number is needed, but the developer does not use one and specifies a constant instead. Of course, many people will object that nobody would be foolish enough to skip the random number. However, please do not ignore the fact that this still happens a lot. There are two main scenarios:

Developers lack basic knowledge and do not know that a random number should be used;

For some application scenarios and frameworks, the interface documents are incomplete, or developers have not read these documents carefully.

For example, the token for password retrieval requires a pseudo-random number, yet many services generate the token from the user name;

For example, in OAuth 2.0, the third-party application needs to pass a state parameter as the CSRF token to prevent CSRF attacks. Many developers do not use this parameter or pass a fixed value. The authorization side cannot verify the validity of this value at the business level, which results in OAuth CSRF attacks.

In the second case, the main difference lies in the strength of the pseudo-random numbers. Most (all?) of the random libraries found in the basic (common) library section of a language's API documentation are weak pseudo-random generators, and many developers naturally use them directly. However, the most important and critical point is that weak pseudo-random numbers cannot be used in cryptographic technology.

Take the password retrieval scenario from the first case again. To generate the token, many developers use a timestamp as the random number (md5(timestamp), md5(timestamp + username)). However, since the timestamp is predictable, the token is easy to guess. Unpredictability is the key indicator for distinguishing weak pseudo-random numbers from strong pseudo-random numbers.
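A self-test for the timestamp-token pattern described above, as an added example that is not part of the original article: given a token your own service issued and the approximate issue time, it reports whether the token can be reproduced from md5(timestamp) or md5(timestamp + username), and shows a CSPRNG-based replacement. The function names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import secrets


def time_derived_recipe(token, username, issued_at, window_s=2):
    """Return the timestamp recipe that reproduces `token`, or None.

    `issued_at` is the approximate issue time in Unix seconds. A full or
    truncated MD5 hex digest is accepted as `token`.
    """
    token = token.lower()
    if len(token) < 6:
        raise ValueError("token too short to audit")
    start = int(issued_at) - window_s
    for ts in range(start, int(issued_at) + window_s + 1):
        recipes = {
            "md5(timestamp)": str(ts),
            "md5(timestamp + username)": f"{ts}{username}",
        }
        for name, material in recipes.items():
            digest = hashlib.md5(material.encode()).hexdigest()
            if digest.startswith(token):
                return name              # reproducible from the clock alone
    return None


def new_reset_token():
    """256 bits from the OS CSPRNG, URL-safe for an e-mailed link."""
    return secrets.token_urlsafe(32)


# Constructed sample data: two tokens "issued" in the same second.
ISSUED_AT = 1700000000
WEAK_TOKEN = hashlib.md5(f"{ISSUED_AT}alice".encode()).hexdigest()
STRONG_TOKEN = new_reset_token()

if __name__ == "__main__":
    # The auditor only knows the issue time to within a couple of seconds.
    print(time_derived_recipe(WEAK_TOKEN, "alice", ISSUED_AT + 1))
    print(time_derived_recipe(STRONG_TOKEN, "alice", ISSUED_AT + 1))
```

Any token for which the check returns a recipe carries no secret at all: its only inputs are the clock and a public user name.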

Of course, in addition to the above two cases, there are some special cases, which are usually rare, but they are not excluded:

  1. Seed leakage: the algorithm is often public, so if the seed is leaked, the random numbers are effectively leaked as well;

  2. Insufficient random number pool: strictly speaking, this is also a weak pseudo-random number, because an insufficient pool makes the random number predictable, and attackers can brute-force the random number directly.

Vulnerability instance

Wooyun has many quite interesting vulnerabilities that are related to random numbers.

PS: My personal strength is limited. The following instances are basically from wooyun vulnerability instances. Thank you for your attention. If there is any infringement, please contact us to delete it.

1. A random number should be used, but no random number is used

This OAuth 2.0 problem is particularly classic. Many vendors have it, not only those listed in the wooyun instances.

The state parameter in OAuth 2.0 requires third-party application developers to pass in a CSRF token (a random number). If it is not passed in, or is not a random number, the result is a CSRF that allows logging on to any account:

  1. Vipshop account vulnerabilities can be exploited to log on to any account through csrf

  2. Renren-Baidu OAuth 2.0 redirect_uir CSRF vulnerability
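One way for a third-party application to handle the state parameter correctly, as an added example that is not part of the original article: a fresh CSPRNG value per authorization request, bound to the user's session, checked once on the callback. The session is modelled as a plain dict, and the function names, URLs and client ID are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def begin_authorization(session, authorize_url, client_id, redirect_uri):
    """Create a per-request state, bind it to the session, build the URL."""
    state = secrets.token_urlsafe(32)       # unpredictable, 256 bits
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{authorize_url}?{query}"


def verify_callback(session, callback_params):
    """Accept the callback only if its state matches this session's state."""
    expected = session.pop("oauth_state", None)   # single use, no replay
    received = callback_params.get("state")
    if not expected or not received:
        return False                     # omitted state is rejected outright
    # Constant-time comparison on bytes (also safe for non-ASCII input).
    return hmac.compare_digest(expected.encode(), received.encode())


def state_from_url(url):
    """Helper for the demo: read the state value back out of a URL."""
    return parse_qs(urlparse(url).query)["state"][0]


if __name__ == "__main__":
    # Constructed scenario: a callback that belongs to another session
    # arrives in this user's browser.
    user_session, other_session = {}, {}
    idp = "https://idp.example/authorize"
    cb = "https://app.example/callback"
    foreign = state_from_url(begin_authorization(other_session, idp, "client-123", cb))
    own = state_from_url(begin_authorization(user_session, idp, "client-123", cb))
    print(verify_callback(user_session, {"code": "c1", "state": foreign}))  # False
    user_session["oauth_state"] = own    # restore after the failed attempt
    print(verify_callback(user_session, {"code": "c2", "state": own}))      # True
```

A fixed or missing state fails this check because the expected value exists only in the session that started the flow.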

2. A weak pseudo-random number is used

1) Password retrieval

Many password retrieval flows send a URL containing a token to the user's email address. If this token can be guessed, the passwords of other users can be retrieved.

1. Shopex 4.8.5 new password prediction vulnerability at password retrieval

The time function microtime() is used as the random number, and the first six characters of its MD5 are taken.

#!php
substr(md5(print_r(microtime(),true)),0,6);


In PHP, the microtime() value consists of the current server time in seconds plus the number of microseconds. The microseconds part ranges from 0.000000 to 0.999999, and the server time can generally be obtained from the Date field in the HTTP response header. Therefore, only 1000000 values need to be traversed. Brute-forcing this would still take 1000000 network requests, which is a very large number. However, shopex also outputs microtime() just before the password is generated:

#!php
$messenger = &$this->system->loadModel('system/messenger');
echo microtime()."";


2. Qihoo any user password change

MD5 (unix timestamp)

3. arbitrary user hijacking caused by weak random numbers in the Graffiti Kingdom. Appendix test POC

We strongly recommend that you refer to the article "using the system time to predict and crack java random numbers | the soul of an empty prodigal soul" in the 11-year article of Togo.

2) Other random number verification scenarios

  • CmsEasy latest version of brute force injection (encryption and decryption defects/bypass anti-injection)

Weak pseudo-random number bypassed

  • Espcms v5.6 brute force injection

While exploiting an SQL injection vulnerability in Espcms, it was found that espcms encrypts the passed value with a random key. However, this key is a weak pseudo-random number taken from a fixed random number pool, so attackers can traverse the pool and bypass it.

  • Destoon B2B the latest version bypasses global defense against brute force injection (official Demo can be reproduced)

microtime() is used as the random number, so attackers can predict it and brute-force it.

The SecureRandom implementation in Apache Harmony 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android earlier than 4.4, has a security vulnerability, specifically in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java

In the engineNextBytes function of this class, when the user does not provide a seed for generating random numbers, the program does not adjust the offset correctly, which makes the random sequence generated by the PRNG predictable.

  • Android SecureRandom vulnerability details

Security suggestions

The random number basics and vulnerability instances above lean toward the attacker's point of view. Here are suggestions for defense and prevention.

  1. Use random numbers in the business scenarios that need them, such as token generation;

  2. The random number must be long enough to resist brute-force cracking;

  3. Ensure that random numbers for different purposes use different seeds;

  4. Where security requirements are high (such as anything related to cryptographic technology), do not use weak pseudo-random numbers:

    1. Do not use time functions as random numbers (many programmers like timestamps). Java: System.currentTimeMillis(); PHP: microtime()

    2. Do not use weak pseudo-random number generators. Java: java.util.Random; PHP: rand() has a small range (32767); PHP: mt_rand() has a defect.

  5. Use a strong pseudo-random number generator, that is, a CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). References for various platforms:

Platform                                  CSPRNG
PHP                                       mcrypt_create_iv, openssl_random_pseudo_bytes
Java                                      java.security.SecureRandom
Dot NET (C#, VB)                          System.Security.Cryptography.RNGCryptoServiceProvider
Ruby                                      SecureRandom
Python                                    os.urandom
Perl                                      Math::Random::Secure
C/C++ (Windows API)                       CryptGenRandom
Any language on GNU/Linux or Unix         Read from /dev/random or /dev/urandom

  6. Generating strong pseudo-random numbers yourself (not recommended for developers)

Two factors matter when generating high-strength random numbers: the seed and the algorithm. There are many algorithms to choose from, so in general the choice of seed is the critical part. For example, Random uses System.currentTimeMillis() as its seed, so its random numbers are predictable and are weak pseudo-random numbers.

The idea for generating strong pseudo-random numbers: collect various kinds of computer information, such as keyboard input timing, memory usage, free disk space, IO latency, the number of processes, the number of threads, and the CPU clock, to obtain an approximately random seed. The main goal is unpredictability.
