Hacking Pseudo Random Number Generator

Copyright
© Attribution Non-Commercial (BY-NC)

Hacking Pseudo Random Number Generators in PHP

Conference Talk Blackhat 2012 in Las Vegas

Johannes Fenzl David Hughes

Calvin Flegal Katie McNabb

Introduction
- Web applications rely on randomness for security.
- Pseudo-random number generators (PRNG)
- No such thing as a random number generator
- Deterministic seed

Why is this Important?


- Apache web server running a PHP module
- Most widely used server
- Attacks apply to any seeded PRNG: Not just PHP, Apache
- Reusing PRNG functions
- Predicting a system defined random object
- Extensible to many computing environments
- We focus on password reset implementations

Who is Affected?
- Joomla
  - Content management, build web sites, applications
  - Patched March 27, 2012
- MediaWiki
  - Server-based wiki for data processing, storage and display
  - Patched March 22, 2012
- Gallery 2 & 3
  - Open source web based photo album organizer
  - Patched April 3, 2012
- ZenCart
  - Free, user-friendly, open source shopping cart software
  - Patched September 17, 2012

Our Goal Today


- Main Attack
  - ATS - Reduce Entropy Attack
- Second Attack
  - Request Twins - Reduce Entropy Attack
- Exercise
  - Main Attack - ATS

Adversarial Time Synchronization (ATS)


The Basics
- What? Why?
- mt_rand()
- In some cases, complete security compromise
- ex. ZenCart
- Otherwise, entropy reduction
- Cases of concatenation
- This technique is built for Apache
- Not dependent on this VM

Adversarial Time Synchronization (ATS)


The How (part 1):
- Naive assumption
- Could have happened anytime between
- Server Time: 12:06:55.000000
- Microseconds: 000000

[Diagram: Local and Server timelines. T1: "Request Missing File", "Time: 12:06:54". T2: "Request Missing File", "Time: 12:06:55".]

Adversarial Time Synchronization (ATS)


The How (part 2):
1. (T2 - T1)/2 = Length of blue arrow
2. Add this to T1 to find blue dot
3. Off by one-way time to server, so add 1/2 RTT (red arrow) to find calculated time
4. 12:06:55 - calculated time = offset

[Diagram: Local and Server timelines. T1: "Request Missing File", "Time: 12:06:5". T2: "Request Missing File", "Time: 12:06:55".]

Adversarial Time Synchronization (ATS)


Our Testing:
1. Server is also running /time.php
2. Request this page, use last calculations to predict
3. Measure error

[Diagram: Local sends "Request /time.php" to Server; the response is labelled "Predict this response".]

Adversarial Time Synchronization (ATS)


The Attack
- Request a password reset (sent to victim's email)
- Use previous calculations to estimate the seed time
- Use ZenCart code to generate reset tokens around estimated seed time
- Request logins with these estimates until user account compromised

[Diagram: Local and Server timelines. Local sends "Reset Victim Password", then "Try Login" (response "Wrong Password"), then "Try Nearby Token" (response "Welcome User").]
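The request pattern on this slide (repeated requests for a missing file, one password reset, then a run of login attempts) is visible in server access logs. The following detector is an added example, not part of the original slides; the paths `/password_reset` and `/login`, the thresholds, the 60-second window and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
RESET_PATH, LOGIN_PATH = "/password_reset", "/login"  # hypothetical paths
WINDOW = timedelta(seconds=60)                         # assumed correlation window
MIN_404, MIN_LOGINS = 5, 5                             # assumed thresholds

def parse(lines):
    """Yield (ip, time, method, path, status) for each parsable access-log line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def suspicious_clients(lines):
    """IPs with a 404 burst before a reset request and a login burst after it."""
    events = defaultdict(list)
    for ip, when, method, path, status in parse(lines):
        events[ip].append((when, method, path, status))
    flagged = []
    for ip, evs in events.items():
        resets = [t for t, m, p, _ in evs if m == "POST" and p == RESET_PATH]
        for reset in resets:
            misses = sum(1 for t, _, _, s in evs
                         if s == 404 and reset - WINDOW <= t <= reset)
            logins = sum(1 for t, m, p, _ in evs
                         if m == "POST" and p == LOGIN_PATH and reset <= t <= reset + WINDOW)
            if misses >= MIN_404 and logins >= MIN_LOGINS:
                flagged.append(ip)
                break
    return flagged

def sample_log():
    """Constructed log lines: one probing client and one ordinary client."""
    ts = lambda s: f"[10/Oct/2012:12:06:{s:02d} +0000]"
    a, b = "203.0.113.7", "198.51.100.9"
    rows = [f'{a} - - {ts(s)} "GET /missing.html HTTP/1.1" 404 209' for s in range(6)]
    rows.append(f'{a} - - {ts(7)} "POST {RESET_PATH} HTTP/1.1" 200 512')
    rows += [f'{a} - - {ts(s)} "POST {LOGIN_PATH} HTTP/1.1" 200 734' for s in range(8, 14)]
    rows += [f'{b} - - {ts(20)} "GET /favicon.ico HTTP/1.1" 404 209',
             f'{b} - - {ts(21)} "POST {RESET_PATH} HTTP/1.1" 200 512',
             f'{b} - - {ts(30)} "POST {LOGIN_PATH} HTTP/1.1" 200 734']
    return rows

if __name__ == "__main__":
    print(suspicious_clients(sample_log()))
```

Rate-limiting reset and login endpoints per client and per target account makes the same three-stage pattern harder to complete inside the window.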

Adversarial Time Synchronization (ATS)


The Attack - one caveat
- Thought seed of mt_rand() would be near HTTP reset request arrival
- Actually happens a bit later
- Solution: Use 1/2 RTT of ZenCart index.php in calculation
- This is usually a late estimate, but better than arrival time

[Diagram: Local and Server timelines. Local sends "Reset Password"; Server answers "Reset confirmed"; the server-side interval is labelled "Seeded in this range".]

Adversarial Time Synchronization (ATS)


The Error
- Back-end seeding time
- Code overhead, CPU speed
- Biggest limitation for synchronization:
  - Speed that attacker can send requests
  - Our implementation waits for response
- RTT deviation

Adversarial Time Synchronization (ATS)


Our Results
Configuration: CPU 2 x 2.66 GHz, RTT ~0.5 ms
ATS: min ~2 us, max ~1600 us, avg ~300 us

Request Twins (RT)


[Diagram: Attacker sends two requests to the Webserver, which is labelled "Generate a new password".]
- 1st request: reset attacker's password
- 2nd request: reset target user's password
- Attacker's new password is sent via mail


<?php [...] mt_srand(microtime()); [...] ?>
Source: George Argyros and Aggelos Kiayias. 2012. I forgot your password: randomness attacks against PHP applications. In Proceedings of the 21st USENIX conference on Security symposium (Security'12). USENIX Association, Berkeley, CA, USA, 6-6.

Request Twins (RT)


How to obtain the seed for a password?
- Rainbow Table
- Create a rainbow table for all 1,000,000 possible seeds
- For example, ZenCart:

Microtime Value | Generated Password
0               | rlLzdV9
...             | ...
999,999         | JFYV3zu
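Why a table of 1,000,000 rows is enough: a password drawn from a seeded generator is a pure function of the seed, so its strength is capped by the seed space rather than by its length or alphabet. The sketch below is an added example, not code from the slides or from ZenCart; Python's `random.Random` stands in for PHP's `mt_srand()`/`mt_rand()` (its outputs differ from PHP's), and the alphabet and function names are assumptions.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed 62-character alphabet
SEED_SPACE = 1_000_000  # microsecond values 0..999,999, as on the slide

def seeded_password(seed, length=7):
    """Weak pattern: the output is fully determined by the seed.
    random.Random is a stand-in for PHP's seeded mt_rand()."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def csprng_password(length=16):
    """Hardened form: every character comes from the OS CSPRNG; no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def nominal_bits(length):
    """Entropy the password would have if every character were independent."""
    return length * math.log2(len(ALPHABET))

def effective_bits(length):
    """A seeded generator can emit at most SEED_SPACE distinct passwords."""
    return min(nominal_bits(length), math.log2(SEED_SPACE))

def distinct_outputs(seeds, length=7):
    """Number of different passwords produced over a set of seeds."""
    return len({seeded_password(s, length) for s in seeds})

if __name__ == "__main__":
    print("same seed, same password:", seeded_password(123456) == seeded_password(123456))
    print(f"7 chars nominal:   {nominal_bits(7):.1f} bits")
    print(f"7 chars effective: {effective_bits(7):.1f} bits")
    print(f"16 chars seeded:   {effective_bits(16):.1f} bits (longer output does not help)")
    print(f"16 chars CSPRNG:   {nominal_bits(16):.1f} bits ->", csprng_password())
```

In PHP the corresponding hardened primitives are `random_int()` and `random_bytes()`, available since PHP 7.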

BlackHat Results
Configuration

CPU (GHz) | RTT (ms) | ATS avg error (us) | Request Twins avg error (us)
1 x 3.2   | 1.1      | 410                | 47
4 x 2.3   | 8.2      | 4135               | 1153
1 x 0.3   | 9        | 2724               | 4849
2 x 2.6   | 135      | 83573              | 299

Source: George Argyros and Aggelos Kiayias. 2012. I forgot your password: randomness attacks against PHP applications. In Proceedings of the 21st USENIX conference on Security symposium (Security'12). USENIX Association, Berkeley, CA, USA, 6-6.

Preparation for Exercise


Our Attack
- Synchronize clock using ATS technique
- Request new password of victim, record local time
- Use calculated offset and RTT to predict seed of mt_rand()
- Try to login with passwords generated near the seed

The Exercise

- Adversarial Time Synchronization (ATS)
- Groups of 1-3
- Worksheet & Files in /ad/eng/courses/ec/ec521/students/

Successful Attack
