Software Psuedo Random Number Generators to Hardware True Random Number Generators: a transition in Data-Security
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
International Journal of Scientific Research in Computer Science, Engineering and Information Technology
© 2019 IJSRCSEIT | Volume 5 | Issue 2 | ISSN : 2456-3307
DOI : https://doi.org/10.32628/IJSRCSEIT
Software Psuedo Random Number Generators to Hardware True Random
Number Generators: a transition in Data-Security
Shreenabh Agrawal
Class X A, The Chanda Devi Saraf School, Nagpur, Maharashtra, India
ABSTRACT
Objective of research: To understand the basic issues in data security during vital transactions related to money
or critical data in e-business and to statistically test the efficiency of PRNG –Pseudo Random Number
Generators versus TRNG- True Random Number Generators used for Cryptography.
Experimental set up: A prototype of TRNG was designed. The Schematic component architecture of the
prototype, the number generation code and the C Inspired Algorithm have been presented. 5000 numbers were
generated using it. Another set of 5000 numbers was generated using an online PRNG.
Statistical testing: The numbers thus generated were tested by Kolmogorov Smirnov Z test for uniformity and
Runs Test for Median and Mean for randomness. The results were displayed in tabular format.
Results: The statistical analysis showed that the performance of TRNG was better than PRNG for both
uniformity and randomness.
Keywords : Randomness, PRNG, TRNG, Cryptography, Kolmogorov Smirnov Z test, Runs Test
I. INTRODUCTION environmental phenomena for generating their
output. This was termed as ‘Entropy Source’. As the
With a major shift of traditional industry to the e- seed based pseudo random numbers had a high risk of
industry and major industry giants shifting online for getting compromised, true random number
business, the concern for data security is a major one generation became the need of the hour.
(Buchanan, 2017). The entire business loop from the
industry to the customer and back is at risk of data II. METHODS AND MATERIAL
leakage and manipulation due to cyber attacks. To be
able to survive such cyber attacks, the random PRNG (Pseudo Random Number Generator) vs
numbers used for cryptographic functions have to be TRNG (True Random Number Generator):
truly random such that they cannot be deciphered
either by forward or backward tracking. There has Random numbers used in Cryptography can be
been a lot of research in this area of random number generated by two common methods: by using a
generation since last few decades. Researchers have Pseudo Random Number Generator (PRNG) or by a
come a long way from mathematical sequence True Random Number Generator (TRNG). PRNGs
numbers to quantum random numbers. Earlier, most are algorithm based random number generators and
of the requirements were handled using software are software based while TRNGs are generally
generated random numbers but due to their security hardware based. PRNGs are useful for their speed
concerns hardware random number generators came while TRNGs are useful for their randomness. As
into being. They used either physical, chemical or discussed, PRNGs use an algorithm to generate
CSEIT1952132 | Received : 08 March 2019 | Accepted : 20 March 2019 | March-April -2019 [ 5 (2) : 558-563]
558
Shreenabh Agrawal et al Int J Sci Res CSE & IT. March-April-2019 ; 5(2) : 558-563
random numbers based on a seed. A seed is the first Reverse-biased
TrueRNG Pro 2015 semiconductor junction
input given to an algorithm which the algorithm uses
Reverse biased
to generate random numbers which can be given
ChaosKey 1.0 2016 semiconductor junction
manually or decided by the computer. Due to this, in
PQ4000KS 2016 Shot noise
a PRNG, after some numbers, the sequence starts
Reverse-biased
repeating. Another drawback of PRNGs is that for a TrueRNG v3 2016 semiconductor junction
particular seed and particular algorithm, only certain Reverse biased Zener
numbers are generated while many numbers are SwiftRNG Pro 2018 diodes
never generated .
Source:
To overcome such discrepancies, another method of https://en.wikipedia.org/wiki/Comparison_of_hardwa
generating random numbers is by using TRNGs. They re_random_number_generators
analyse some physical phenomenon or artificial
disturbances called 'noise' and generate numbers The following basic differences are reported related
accordingly. They are capable of generating high to PRNGs and TRNGs:
quality random numbers. A simple example of TRNG Table 2: PRNG vs TRNG
can be a dice rolling machine or a shuffled card Description PRNG TRNG
reader machine. At times, it can be very difficult to True Randomness No Yes
construct a highly efficient TRNG and statisticians Equal Probability of All Numbers No Yes
often resort to complex phenomena like radioactive Non-degradable Randomness Yes No
decay to generate such numbers. Some commonly Cost-effective Yes No
available TRNG’s and their operating principles are Portable Yes No
Decentralized Yes No
mentioned in Table 1 below:
Easy to use Yes No
Randomness on demand service Yes Yes
Table 1: True Random Number Generators
Problem of artificial whitening Yes No
Model Year Operating principle
Insecure delivery of numbers Yes No
QRBG121 2005 Photoelectric effect Risk of breach of secrecy Yes No
Quantis-USB 2006 Beam splitter
Entropy Key 2009 Avalanche noise
Data security issues related to PRNGs:
Quantis-PCIe-16M 2010 Beam splitter
PQ32MU 2013 Shot noise
The Guardian reports," 'Computer whiz' rigged Vegas
Ivy Bridge-EP 2013 Johnson–Nyquist noise
lottery number generator to produce predictable
Reverse biased
Alea II 2014 semiconductor junction numbers a couple of times a year thus earning 16.5
TrueRNG v2 2014 Zener noise million USD!" The root cause of incidents like these is
Infinite Noise 2014 Johnson–Nyquist noise the inability of PRNGs to produce Truly Random
Electromagnetic Numbers. Another such incident as reported by Dr.
BitBabbler White 2015 interference Dobb's Journal dates back to 1996 when two
Registerless linear- researchers, broke Netscape's SSL Encryption keys
TRNG 2015 feedback shift registers thus giving a major setback to millions of users who
Optional atmospheric relied on Netscape and RSA Security (a major agency
OneRNG 2015 noise which used this service) for encryption. This
Volume 5, Issue 2, March-April -2019 | http://ijsrcseit.com
559Shreenabh Agrawal et al Int J Sci Res CSE & IT. March-April-2019 ; 5(2) : 558-563
loophole was discovered by them after discovering Experimental Method to empirically test PRNG vs
that the time of the day and the process IDs were TRNG:
used to generate the random keys. In November 2007,
Dorrendorf et al. from the Hebrew University of To test the propositions of researchers in support of
Jerusalem and University of Haifa published a paper TRNG, a prototype of a TRNG was designed. The
which presented serious weaknesses in Microsoft's prototype comprised of 3 components -an entropy
approach at the time. The paper's conclusions were source that produces random inputs from a non
based on disassembly of the code in Windows 2000, deterministic hardware process at around three 3-
but according to Microsoft applied to Windows XP as digit inputs per second , an Arduino board that uses a
well. A discrepancy was observed in the safety C inspired program to distil the triplet of 3 digit
feature of the random numbers by Allen (2008) in his random inputs into a triplet of two digit high quality
study. The picture (1) below is a bitmap image of the random inputs combining them algebraically into a 6
random numbers which are produced by the PHP digit high quality nondeterministic random number
rand () function in Microsoft Windows. It shows a and a serial monitor that displays the output for the
clear connection and repetition of the numbers end user.
generated by the PRNG.
Figure 1: Schematic Component Architecture and
Process
Picture 1: Bitmap image of Random Numbers
A similar flaw was also discovered in Play Station 3. Entropy source provides a serial stream of entropic
In December 2010, a group calling itself 'fail0verflow' data in the form of 0 - 1024 voltage level sequences.
announced recovery of the private key used by Sony The entropy source runs on an independent circuit
to sign software for the PlayStation 3 game console. and uses artificial noise generated by random
The attack was made possible because Sony failed to interruption in light intensity due to moving soft
generate a new random nonce for each signature balls. The entropy source is powered by an external
(Borza, 2011). A more recent setback was uncovered power supply to run on to ensure there is no
involving Bitcoins- the e-currency. In August 2013, it electronic connection between it and other core logic.
was revealed that bugs in the Java class Random inputs are passed to the Arduino board for
SecureRandom had flaws in implementations of further processing. The C inspired program housed in
Bitcoin on Android. When this occurred the private an Arduino Nano board deletes the first digit of the
key could be recovered, in turn allowing stealing three digit random input from entropy source and
Bitcoins from the containing wallet (Chirgwin,2013). converts them into high quality two digits by
removing the digit which was susceptible to
Volume 5, Issue 2, March-April -2019 | http://ijsrcseit.com
560Shreenabh Agrawal et al Int J Sci Res CSE & IT. March-April-2019 ; 5(2) : 558-563
prediction due to its narrow range of possible values. void DigitfromOTP1() {// Deletes
hundred’s digit from LDR1 input
The triplets of two digit raw entropy samples
generated by the entropy source are thus reduced to a if(LDR1Value100 && LDR1Value200 && LDR1Value300 && LDR1Value400 && LDR1Value500 && LDR1Value600 && LDR1Value700 && LDR1Value800 && LDR1Value900 && LDR1Value1000 &&
pinMode(LDR3, INPUT); LDR1ValueShreenabh Agrawal et al Int J Sci Res CSE & IT. March-April-2019 ; 5(2) : 558-563
else if(LDR2Value>300 && LDR2Value700 && LDR3Value400 && LDR2Value800 && LDR3Value500 && LDR2Value900 && LDR3Value600 && LDR2Value1000 &&
} LDR3Value700 && LDR2Value800 && LDR2Value900 && LDR2Value1000 &&
LDR2ValueShreenabh Agrawal et al Int J Sci Res CSE & IT. March-April-2019 ; 5(2) : 558-563
Table 3 : Kolmogorov-Smirnov Z Test for testing (online exams/ evaluation), fundamental research,
Uniform Distribution infrastructure (simulation), etc, the industry needs to
shift from PRNGs to TRNGs as they provide a
PRNG TRNG
reliable solution to the issues related to randomness
Kolmogorov-Smirnov Z 0.709 0.516
of numbers for data security.
Asymp. Sig. (2-tailed) 0.696 0.953
V. REFERENCES
Interpretation: From the table above it is seen that
random numbers generated using the TRNG are [1]. Allen B, “Are the numbers really random?”,
highly significant (asymptotic significance =0.953) https://www.random.org/analysis/ (2008)
thus proving that they follow a uniform distribution [2]. Borza M, “The Sony PlayStation 3 hack
with equal probability of presence of every number. deciphered: what consumer-electronics
designers can learn from the failure to protect a
a) Runs Test based on Median billion-dollar product ecosystem”,
Table 4: Runs Test based on Median https://www.edn.com/
PRNG TRNG Home/PrintView?contentItemId=4368066
Z 1.698 0.255 (2011)
Asymp. Sig. (2-tailed) 0.090 0.799 [3]. Buchanan W.J., Woodward A & Helme S.,
“Cryptography across Industry sectors”, pg 145-
Interpretation: From the table above it is seen that on 162,
testing with Runs Test based on median, random https://doi.org/10.1080/23742917.2017.1327221
numbers generated using the TRNG are highly (2017)
significant (asymptotic significance =0.799) thus [4]. Chirgwin R, “Android bug batters Bitcoin
proving that they are statistically significant. wallets”,
https://www.theregister.co.uk/2013/08/12/
a) Runs Test based on Mean android_bug_batters_bitcoin_wallets/ (2013)
[5]. Dorrendorf L, Gutterman Z, Pinkas D.,
Table 5: Runs Test based on Mean “Cryptanalysis of the Random Number
PRNG TRNG Generator of the Windows Operating System”,
Z 1.641 0.368 https://eprint.iacr.org/2007/419.pdf (2007)
Asymp. Sig. (2-tailed) 0.101 0.713 [6]. Goldberg I and Wagner D, “Randomness and the
Netscape Browser”, Dr. Dobb's Journal,
Interpretation: From the table above it is seen that on http://www.ddj.com/windows/184409807 (1996)
testing with Runs Test based on mean, random
numbers generated using the TRNG are highly Cite this article as : Shreenabh Agrawal, "Software
significant (asymptotic significance =0.713) thus Psuedo Random Number Generators to Hardware True
Random Number Generators : a transition in Data-
proving that they are statistically significant.
Security ", International Journal of Scientific Research
in Computer Science, Engineering and Information
IV.CONCLUSION Technology (IJSRCSEIT), ISSN : 2456-3307, Volume 5
Issue 2, pp. 558-564, March-April 2019.
To prevent cyber attacks and keep data safe in crucial Journal URL : http://ijsrcseit.com/CSEIT1952132
industries such as banking, defence, education
Volume 5, Issue 2, March-April -2019 | http://ijsrcseit.com
563You can also read
