How to generate cryptographically strong sequences of pseudo-random bits
SIAM Journal on Computing
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Lattice Attacks on Digital Signature Schemes
Designs, Codes and Cryptography
Cryptanalysis of RSA Signatures with Fixed-Pattern Padding
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Cryptographic Randomness from Air Turbulence in Disk Drives
CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DSS Case
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Lessons Learned in Implementing and Deploying Crypto Software
Proceedings of the 11th USENIX Security Symposium
Analysis of the Linux Random Number Generator
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Software generation of practically strong random numbers
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
SSH: secure login connections over the internet
SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
Cryptanalysis of the windows random number generator
Proceedings of the 14th ACM conference on Computer and communications security
Unbiased bits from sources of weak randomness and probabilistic communication complexity
SFCS '85 Proceedings of the 26th Annual Symposium on Foundations of Computer Science
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
When private keys are public: results from the 2008 Debian OpenSSL vulnerability
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Hedged Public-Key Encryption: How to Protect against Bad Randomness
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Factorization of a 768-bit RSA modulus
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Randomly failed! the state of randomness in current java implementations
CT-RSA'13 Proceedings of the 13th international conference on Topics in Cryptology
Entropy harvesting from physical sensors
Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks
Analysis of the HTTPS certificate ecosystem
Proceedings of the 2013 conference on Internet measurement conference
DEMO: Inherent PUFs and secure PRNGs on commercial off-the-shelf microcontrollers
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Security analysis of pseudo-random number generators with input: /dev/random is not robust
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Ensuring high-quality randomness in cryptographic key generation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Predictability of Android OpenSSL's pseudo random number generator
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
An analysis of the EMV channel establishment protocol
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Secure PRNG seeding on commercial off-the-shelf microcontrollers
Proceedings of the 3rd international workshop on Trustworthy embedded devices
No attack necessary: the surprising dynamics of SSL trust relationships
Proceedings of the 29th Annual Computer Security Applications Conference
ZMap: fast internet-wide scanning and its security applications
SEC'13 Proceedings of the 22nd USENIX conference on Security
Randomness in Virtual Machines
UCC '13 Proceedings of the 2013 IEEE/ACM 6th International Conference on Utility and Cloud Computing
RSA and DSA can fail catastrophically when used with malfunctioning random number generators, but the extent to which these problems arise in practice has never been comprehensively studied at Internet scale. We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread. We find that 0.75% of TLS certificates share keys due to insufficient entropy during key generation, and we suspect that another 1.70% come from the same faulty implementations and may be susceptible to compromise. Even more alarmingly, we are able to obtain RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, because their public keys shared nontrivial common factors due to entropy problems, and DSA private keys for 1.03% of SSH hosts, because of insufficient signature randomness. We cluster and investigate the vulnerable hosts, finding that the vast majority appear to be headless or embedded devices. In experiments with three software components commonly used by these devices, we are able to reproduce the vulnerabilities and identify specific software behaviors that induce them, including a boot-time entropy hole in the Linux random number generator. Finally, we suggest defenses and draw lessons for developers, users, and the security community.
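The shared-factor failure the abstract describes, worked through on a constructed sample. This is an added example, not code from the paper or its authors: the primes, the four sample moduli and the function names are assumptions chosen so the arithmetic is small enough to follow, and the audit uses pairwise GCD rather than the batch-GCD product tree an Internet-scale scan would need. The test is the same in both cases: two RSA moduli with a nontrivial common divisor are both factored, which is why a low-entropy state during prime generation hands out private keys.

```python
from itertools import combinations
from math import gcd

# Constructed sample (not data from the paper): small primes stand in for the
# 512-bit factors of real 1024-bit RSA keys so the arithmetic is easy to follow.
# Keys 0 and 2 share the prime 1000003, modelling two devices whose RNGs were
# in the same low-entropy state when they generated their first prime.
_P = [1000003, 1000033, 1000037, 1000039, 1000081, 1000099, 1000117]
SAMPLE_MODULI = [
    _P[0] * _P[1],   # key 0
    _P[2] * _P[3],   # key 1
    _P[0] * _P[4],   # key 2: shares _P[0] with key 0
    _P[5] * _P[6],   # key 3
]
PUBLIC_EXPONENT = 65537


def shared_factor_scan(moduli):
    """Return {index: (p, q)} for every modulus that shares a prime with another.

    Pairwise GCD is O(k^2) in the number of keys; the paper's survey needs the
    batch-GCD product tree instead, but the underlying check is identical:
    a nontrivial gcd between two moduli factors both of them.
    """
    factored = {}
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        if n_i == n_j:
            # Identical moduli are the other failure in the abstract (shared
            # keys); they cannot be factored this way, so they are skipped here.
            continue
        g = gcd(n_i, n_j)
        if 1 < g < n_i:
            factored[i] = tuple(sorted((g, n_i // g)))
            factored[j] = tuple(sorted((g, n_j // g)))
    return factored


def recover_private_exponent(n, p, q, e=PUBLIC_EXPONENT):
    """Once p and q are known, the private exponent follows from ordinary RSA key math."""
    assert p * q == n
    return pow(e, -1, (p - 1) * (q - 1))


def key_is_compromised(n, d, e=PUBLIC_EXPONENT, probe=0x1234):
    """Round-trip a probe value to confirm that d really is the private key for n."""
    return pow(pow(probe, e, n), d, n) == probe


if __name__ == "__main__":
    hits = shared_factor_scan(SAMPLE_MODULI)
    for idx, (p, q) in hits.items():
        d = recover_private_exponent(SAMPLE_MODULI[idx], p, q)
        print(f"key {idx}: n={SAMPLE_MODULI[idx]} factors as {p} * {q}; "
              f"private key recovered: {key_is_compromised(SAMPLE_MODULI[idx], d)}")
```

Keys 1 and 3 never appear in the result because their primes are unrelated; keys 0 and 2 are both fully recovered from a single gcd. That is the operational point for a defender: one key with a shared factor compromises every other key that shares it, so an audit of a fleet's certificates has to test moduli against each other, not examine each key in isolation.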